Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
329 views
in Technique[技术] by (71.8m points)

amazon web services - AWS AccessDenied when calling sts:AssumeRole

I'm trying to allow a set of users in a group access to a role through which they can upload objects to an s3 bucket.

The group as the policy:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::ACCOUNTID:role/Clinic_Sync"
    }
}

The role "Clinic_Sync" has the policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SyncReqs",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::*/*"
        },
        {
            "Sid": "SyncReqs2",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

The bucket has the policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNTID:role/Clinic_Sync"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::mydata"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNTID:role/Clinic_Sync"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::mydata/*"
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::mydata",
                "arn:aws:s3:::mydata/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "ADMINUSERID:*",
                        "ACCOUNTNO"
                    ]
                }
            }
        }
    ]
}

The idea being that no one can access the bucket except through assuming this role (other than the admin). I have created the credentials files as follows:

[default]
aws_access_key_id = ACCESSID1
aws_secret_access_key = SECRETKEY1
[csync]
role_arn = arn:aws:iam::ACCOUNTID:role/Clinic_Sync
source_profile = default

And the config file:

[default]
output = json
region = eu-west-2
[profile csync]
role_arn = arn:aws:iam::ACCOUNTID:role/Clinic_Sync
source_profile = default

The bucket policy seems to work, as running the command "aws s3 cp hello.txt s3://mydata" gives the error: Upload failed. An error occured when calling the PutObject operation: Access Denied.

But when I try to use the role, using the command "aws s3 cp hello.txt s3://run3d-data --profile csync", it gives this error:

upload failed: .hello.txt to s3://mydata/hello.txt An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::ACCOUNTID:user/TestAcc2 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::ACCOUNTID:role/Clinic_Sync

I've been searching the web for an answer for ages and can't find any answers. The aws documentation is frankly unintelligible to me. If anyone can help me find a solution to this I'd be much appreciated as I'm tearing my hair out here.

To reiterate, I just want the users in a particular group to have access to a role that grants them permission to use an s3 bucket, but block all other access to the bucket.

question from:https://stackoverflow.com/questions/65844324/aws-accessdenied-when-calling-stsassumerole

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

Your bucket policy seems to say: "Deny access to the bucket unless aws:userId is a given Admin User ID or Account Number. It does not reference the Role.

Therefore, accessing the bucket via the Role will be denied. This is because Deny always overrides Allow.

Writing policies with Deny can be quite difficult, as seen in this situation.

If you really want to keep a bucket secure, it is easier to put the bucket in a separate AWS Account and only grant cross-account access to the entities that should have access. This way, no Deny policy is required.


If you receive a not authorised to perform sts:AssumeRole error, make sure the Trust Policy grants access to users by selecting the Another AWS account option when creating the role. The policy should look similar to:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...