How can I chain AWS IAM AssumeRole API calls?
There are a number of AWS accounts which I don't control. I've had the account owners deploy an IAM Role, TrustingSecurityAuditor, into their accounts which grants the right to assume the TrustingSecurityAuditor role to a different IAM role in my AWS account, TrustedSecurityAuditor. (Docs on delegating access)
This works great and allows me and my security team to provide security auditing services to these other account holders in the company. To do this we spin up an EC2 instance with the TrustedSecurityAuditor IAM role, and our code requests temporary credentials from each of the accounts using STS by doing an AssumeRole to each account's TrustingSecurityAuditor role.
Now I want to create an additional service running on a different EC2 instance in my account which can not only assume the role of these "Trusting" accounts, but also do other things in my account, like access my account's DynamoDB to store information.
If I apply the TrustedSecurityAuditor role to the instance I don't have the local permissions I need (like DynamoDB access).
I can't apply multiple IAM roles to an instance (unless I'm mistaken).
When I attempt to create a new role, MyNewService, with DynamoDB access that can AssumeRole to the TrustedSecurityAuditor role, in hopes of then using those STS credentials to do a second AssumeRole to the TrustingSecurityAuditor role in the foreign account, I encounter this problem:
I'm able to AssumeRole from the MyNewService role to the TrustedSecurityAuditor role, but when I do the second AssumeRole to the TrustingSecurityAuditor role, AWS returns the error
User: arn:aws:sts::123456789012:assumed-role/TrustedSecurityAuditor/MyNewService is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789012:role/TrustingSecurityAuditor
The reason for this is that the "user" attempting the AssumeRole is
arn:aws:sts::123456789012:assumed-role/TrustedSecurityAuditor/MyNewService
not
arn:aws:sts::123456789012:assumed-role/TrustedSecurityAuditor
What this implies is that you cannot chain your AssumeRoles, because the ARN that a call originates from, when it comes from an assumed role, is not the assumed role alone but the assumed role with the assumer's role name stuck on the end.
One solution which I'm reluctant to use is that I could just add the permissions I need, for example the ability to use DynamoDB, to the TrustedSecurityAuditor role. The reason I'm reluctant is that I only need this permission on the MyNewService instance, not on my original instance, which only does security auditing and has no need to access DynamoDB.
Any suggestions on how to accomplish what I'm looking for?
amazon-ec2 amazon-web-services amazon-iam
I also looked into using wildcards in the IAM Policy Principal, but they're not allowed for IAM users.
– gene_wood
Jun 2 '15 at 21:25
Could you please include the IAM policy that governs access to AssumeRole for TrustedSecurityAuditor?
– markusk
Aug 7 '15 at 15:49
asked Jun 2 '15 at 21:16 by gene_wood (edited by kenorb)
1 Answer
Scenario:
- AccountA - your account
- AccountB - customer account
- RoleA - Your account role to access DynamoDB, call STS, etc.
- RoleB - TrustedSecurityAuditor role in AccountB
You will need to manage two sets of credentials. Credentials A, which are created from the IAM role assigned to the EC2 instance: use these credentials to access your resources such as DynamoDB. Credentials B, which are created via STS from RoleB: use these credentials to access your customers' resources.
You will then need to independently use the credentials based upon what you want to do. For example, if you are using Python you would create two boto3 clients with different credentials.
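The two-credential layout the answer describes, as an added example that is not the answerer's code. It assumes boto3 is installed and that the process runs on an EC2 instance whose instance profile (RoleA) grants DynamoDB access and sts:AssumeRole on the customer's role; the account id, role name, session name and the fake STS client used for the offline run are constructed placeholders.

```python
"""Credentials A (instance profile) for your own account, Credentials B (STS
AssumeRole into the customer's role) for the customer's account; each boto3
Session is used only for the resources it was created for."""


def role_arn(account_id: str, role_name: str) -> str:
    """IAM role ARN. This is also the form a cross-account trust policy names as
    its Principal, and it matches every session of that role (any session name)."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError("AWS account id must be 12 digits")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def role_arn_from_assumed_role(assumed_role_arn: str) -> str:
    """Strip the session name from an STS assumed-role ARN to recover the role ARN,
    e.g. arn:aws:sts::123456789012:assumed-role/TrustedSecurityAuditor/MyNewService
    ->   arn:aws:iam::123456789012:role/TrustedSecurityAuditor
    Useful when reading the 'User:' part of an AccessDenied message to find the
    role a trust policy should reference."""
    parts = assumed_role_arn.split(":")
    if len(parts) != 6 or parts[2] != "sts" or not parts[5].startswith("assumed-role/"):
        raise ValueError("not an STS assumed-role ARN")
    _, name, *_session = parts[5].split("/")
    return role_arn(parts[4], name)


def assume_customer_role(sts_client, account_id, role_name, session_name, external_id=None):
    """Credentials B: one AssumeRole into the customer's role. 3600 s is the
    maximum DurationSeconds for a session obtained from another role's credentials."""
    kwargs = {"RoleArn": role_arn(account_id, role_name),
              "RoleSessionName": session_name, "DurationSeconds": 3600}
    if external_id:  # only if the customer's trust policy requires an ExternalId
        kwargs["ExternalId"] = external_id
    return sts_client.assume_role(**kwargs)["Credentials"]


def build_sessions(customer_account_id, customer_role_name, session_name, external_id=None):
    """Return (local_session, customer_session). Needs boto3 and live AWS credentials."""
    import boto3  # imported here so the pure helpers above still load without boto3
    local = boto3.Session()  # Credentials A: resolved from the instance profile
    creds = assume_customer_role(local.client("sts"), customer_account_id,
                                 customer_role_name, session_name, external_id)
    customer = boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                             aws_secret_access_key=creds["SecretAccessKey"],
                             aws_session_token=creds["SessionToken"])
    return local, customer  # local.client("dynamodb"), customer.client("ec2"), ...


class FakeSts:
    """Constructed stand-in for boto3's STS client so the flow runs offline."""
    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {"AccessKeyId": "ASIACONSTRUCTED", "SecretAccessKey": "x",
                                "SessionToken": "y", "Expiration": None}}


def demo():
    """Offline run against FakeSts; returns the AssumeRole request that was made."""
    sts = FakeSts()
    assume_customer_role(sts, "210987654321", "TrustingSecurityAuditor", "audit-run-1")
    return sts.calls[0]
```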
answered Dec 13 '17 at 22:54 by John Hanley