Questions tagged [amazon-iam]

AWS Identity and Access Management (IAM) is an access control service for Amazon Web Services. Tag questions about using the AWS CLI, writing JSON for IAM, and using IAM SDKs.

IAM is a web service that helps you securely control access to AWS resources. With IAM, you can centrally manage permissions that control which AWS resources users can access. Use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

5421 questions
26 votes, 5 answers

Can't access S3 bucket from within Fargate container (Bad Request and unable to locate credentials)

I created a private s3 bucket and a fargate cluster with a simple task that attempts to read from that bucket using python 3 and boto3. I've tried this on 2 different docker images and on one I get a ClientError from boto saying HeadObject Bad…
vane (rep 2,125; badges 1/21/40)
26 votes, 1 answer

Terraform - assume_role_policy - similar but slightly different than standard IAM policy

This page https://www.terraform.io/docs/providers/aws/r/iam_role.html mentions: NOTE: This assume_role_policy is very similar but slightly different than just a standard IAM policy and cannot use an aws_iam_policy resource. It can however, use…
Snowcrash (rep 80,579; badges 89/266/376)
25 votes, 1 answer

How to reference a resource ARN in a CloudFormation policy document? (YAML)

I am trying to define a trust relationship policy document between a role and a user in cloudformation (yaml). For specifying the ARN of the user in the role's AssumeRolePolicyDocument, I want to reference the ARN from the actual cloudformation…
James Wierzba (rep 16,176; badges 14/79/120)
25 votes, 6 answers

Could not find S3 endpoint or NAT gateway for subnetId

I am unable to connect AWS Glue with RDS. VPC S3 endpoint validation failed for SubnetId: subnet-7e8a2. VPC: vpc-4d2d25. Reason: Could not find S3 endpoint or NAT gateway for subnetId: subnet-7ea32 in Vpc vpc-4d225.
25 votes, 2 answers

Amazon EC2 instances multiple IAM roles

At the moment I have 2 AWS IAM roles and each has 1 policy, call them Policy-A and Policy-B. I would like to attach both roles to an EC2 instance. Alternative is to create a new role which has both Policy-A and Policy-B. Can I attach more than 1 IAM…
s5s (rep 11,159; badges 21/74/121)
25 votes, 2 answers

When do I need to have CAPABILITY_NAMED_IAM?

I was editing my CloudFormation templates and suddenly AWS tells me I need CAPABILITY_NAMED_IAM. I am curious as to which change triggers this? What is a named IAM resource? Before I already "name" my resources like RoleName: !Sub…
Jiew Meng (rep 84,767; badges 185/495/805)
25 votes, 7 answers

Access Denied using boto3 through aws Lambda

I use the data processing pipeline constructed of S3 + SNS + Lambda because S3 can not send notification out of its storage region, so I made use of SNS to send S3 notification to Lambda in other region. The lambda function coded with from…
Hello lad (rep 17,344; badges 46/127/200)
25 votes, 2 answers

Restrict access to a particular CloudFront distribution using IAM

I'm trying to give access to a specific IAM user to a particular CloudFront distribution. I've tried with this Policy: { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1428659042000", "Effect":…
alexandresaiz (rep 2,678; badges 7/29/40)
25 votes, 2 answers

AWS S3 bucket policy invalid group principal

This is a follow on from "How can I enforce file type uploads with an AWS S3 bucket policy". When applying the bucket policy: { "Version":"2008-10-17", "Statement": [ { "Sid":"AddPerm", "Effect":"Allow", "Principal": { "AWS":…
HoaxKey (rep 627; badges 2/7/12)
24 votes, 1 answer

What's the use case for RoleSessionName when assuming a role in AWS, and how does it affect performance?

I have a scenario in which I want to have access to resources within one account from another one in AWS (cross-account access) in code. And I want to implement this access using Node.js, implemented as a lambda function and also as a long-running code…
Mehran (rep 15,593; badges 27/122/221)
24 votes, 5 answers

Amazon RDS IAM PAM Auth failed

I enabled IAM Auth on my PostgreSQL, and my user myAWSusername has RDSFullAccess: export RDSHOST="MYRDSHOSTNAME.us-east-2.rds.amazonaws.com" export PGPASSWORD="$(aws rds generate-db-auth-token --hostname $RDSHOST --port 5432 --region us-east-2…
EralpB (rep 1,621; badges 4/23/36)
24 votes, 1 answer

How to allow ECS task access to RDS

I have an ECS task executed from a Lambda function. This task will perform some basic SQL operations (e.g. SELECT, INSERT, UPDATE) on an RDS instance running MySQL. What is the proper way to manage access from the ECS task to RDS? I am currently…
scagnetti (rep 1,435; badges 3/20/38)
22 votes, 4 answers

What does "eksctl create iamserviceaccount" do under the hood on an EKS cluster?

AWS supports IAM Roles for Service Accounts (IRSA) that allows cluster operators to map AWS IAM Roles to Kubernetes Service Accounts. To do so, one has to create an iamserviceaccount in an EKS cluster: eksctl create iamserviceaccount \ --name…
HsnVahedi (rep 1,271; badges 3/13/34)
22 votes, 1 answer

What is the correct syntax for multiple conditions in a Terraform `aws_iam_policy_document` data block?

How can this S3 bucket IAM policy, which has multiple conditions, be re-written as an aws_iam_policy_document data block, please? "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control", …
Maciej (rep 1,209; badges 4/16/26)
22 votes, 1 answer

Terraform: Conditional statement blocks in aws_iam_policy_document?

Is there a way to conditionally add statement blocks in aws_iam_policy_document? I'm looking for something like: data "aws_iam_policy_document" "policy" { statement { sid = "PolicyAlways" ... } if (var.enable_optional_policy) { …
jbreed (rep 1,514; badges 5/22/35)