Is it possible to create a trust that allow federated users from cognito to assume role according to a custom attribute?
For example with a tenant attribute:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "us-east-1:12345678-corner-cafe-123456790ab"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "unauthenticated"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:custom:tenant": "tenant-name"
}
}
}
]
}
I'm using get_credentials_for_identity api with cognito token to assume this role.
Yes, this is definitely possible with attributes for access control. This will only work for an authenticated user (you need an ID token to map claims to principal tags).
Your trust policy needs to looks like this:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:AssumeRoleWithWebIdentity",
"sts:TagSession"
],
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "us-east-1:12345678-corner-cafe-123456790ab"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "authenticated"
}
},
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
}
}
]
}
The difference is the sts:TagSession action and the fact that amr must be authenticated.
Policy for assumed role will look something like this:
{
"PolicyDocument": {
"Statement": [
{
"Action": "s3:GetObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::your-bucket-name/cognito/attributes/by_family_name/${aws:PrincipalTag/family_name}/*"
},
{
"Action": "s3:GetObject",
"Condition": {
"StringEquals": {
"s3:ExistingObjectTag/given_name": "${aws:PrincipalTag/given_name}"
}
},
"Effect": "Allow",
"Resource": "arn:aws:s3:::your-bucket-name/cognito/attributes/by_tag/*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "attributes-policy"
}
You need to configure your Cognito (or any other) provider in Identity Pool to do the mapping between claims from the token to tags. You can do it in console under Attributes for access control. Or with CLI like this:
aws cognito-identity set-principal-tag-attribute-map --cli-input-json file://set-principal-tag-attribute-map.json
Where set-principal-tag-attribute-map.json would look something like this (for Cognito as IDP):
{
"IdentityPoolId": "here-is-your-identity-pool-id",
"IdentityProviderName": "cognito-idp.<region>.amazonaws.com/<user_pool_id>",
"UseDefaults": false,
"PrincipalTags": {
"given_name": "given_name",
"family_name": "family_name"
}
}
You can find more details in documentation here: https://docs.aws.amazon.com/cognito/latest/developerguide/attributes-for-access-control.html
Related
I have configured the IAM Role with the below definition. I am getting the AccessDenied error when I configure the condition below. Where am I going wrong?
Access Denied
"Condition": {
"StringEquals": {
"gitlab.com:sub": "https://gitlab.com/pradeepkumarl/configure-openid-connect-in-aws::ref_type:branch:ref:main"
}
}
Total policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<account-id>:oidc-provider/gitlab.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"gitlab.com:sub": "https://gitlab.com/pradeepkumarl/configure-openid-connect-in-aws::ref_type:branch:ref:main"
}
}
}
]
}
There is a mistake in your sub field under condition. It should be of the form project_path::ref_type:branch:ref:. You don't need to include the Gitlab url.
Also keep in mind that you may need to change the condition from "StringEquals" to "StringLike" to accommodate wildcards, as mentioned in the troubleshooting section of the documentation: https://docs.gitlab.com/ee/ci/cloud_services/aws/index.html
I am trying to write VPC Flow logs (from account 1) to an S3 bucket (on account 2), using terraform:
resource "aws_flow_log" "security_logs" {
log_destination = "arn:aws:s3:::my_vpcflowlogs_bucket"
log_destination_type = "s3"
vpc_id = var.vpc_id
traffic_type = "ALL"
}
resource "aws_iam_role" "vpc_flow_logs" {
name = "vpc_flow_logs"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "vpc-flow-logs.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
resource "aws_iam_role_policy" "write_vpc_flow_logs" {
name = "write_vpc_flow_logs"
role = aws_iam_role.vpc_flow_logs.id
policy = jsonencode({
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogDelivery",
"logs:DeleteLogDelivery"
],
"Resource": "arn:aws:s3:::my_vpcflowlogs_bucket"
}
]
})
}
Account 1 & 2 belong to the same organisation.
I am getting the following response:
Error creating Flow Log for (vpc-xxxxxxxxxxxx), error: Access Denied for LogDestination: my_vpcflowlogs_bucket. Please check LogDestination permission
How can I make this work? This bucket contains sensitive information, therefore i have restricted every kind of public access.
I am guessing that there is a way to allow certain principals to write into the bucket even from different accounts, but I am unaware how.
S3 Policy
{
"Version" : "2012-10-17",
"Statement" : [
{
"Sid": "AWSLogDeliveryWrite",
"Effect": "Allow",
"Principal": {"Service": "delivery.logs.amazonaws.com"},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my_vpcflowlogs_bucket/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"aws:SourceAccount": <account-1-id>
},
"ArnLike": {
"aws:SourceArn": "arn:aws:logs::<account-1-id>:*"
}
}
},
{
"Sid": "AWSLogDeliveryCheck",
"Effect": "Allow",
"Principal": {"Service": "delivery.logs.amazonaws.com"},
"Action": ["s3:GetBucketAcl", "s3:ListBucket"],
"Resource": "arn:aws:s3:::my_vpcflowlogs_bucket",
"Condition": {
"StringEquals": {
"aws:SourceAccount": <account-1-id>
},
"ArnLike": {
"aws:SourceArn": "arn:aws:logs::<account-1-id>:*"
}
}
}
]
}
I'm using the AWS Cognito Enhanced (Simplified) Flow to get the Cognito Identity Credentials providing the idToken received after logging in with Google sign-in api:
export function getAWSCredentialWithGoogle(authResult) {
if (authResult['idToken'] != null) {
AWS.config.region = 'eu-central-1';
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'eu-central-1:xxxxxxxxxxxxxxxxxxxxxxxx',
Logins: {
'accounts.google.com': authResult['idToken']
}
})
return AWS.config.credentials.getPromise()
.then(
function(){
return getAWSCredentials(AWS.config.credentials);
},
function(err) {
}
)
} else {
console.log('no auth code found!');
}
}
I get the:
accessKeyId:"ASIAXXXXXX",
secretAccessKey:"ta4eqkCcxxxxxxxxxxxxxxxxxxx",
sessionToken:"xxxxxxxxx...etc..."
Then I try to upload a picture to an S3 bucket passing the above received accessKeyId and secretAccessKey.
But I receive this error result:
InvalidAccessKeyIdThe AWS Access Key Id you provided does not exist in our records.ASIAXXXXXXXXXXXXXXXX
This is how I set up the AWS S3 (managed) policy (the resource policy for the bucket is the default one) to access progammaticaly the bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::xxxxxxxxxx",
"arn:aws:s3:::xxxxxxxxxx/users"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"${cognito-identity.amazonaws.com:sub}/*"
]
}
}
},
{
"Action": [
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:PutObjectVersionAcl",
"s3:DeleteObject",
"s3:PutObjectAcl",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::xxxxxxxxx/users/${cognito-identity.amazonaws.com:sub}",
"arn:aws:s3:::xxxxxxxxx/users/${cognito-identity.amazonaws.com:sub}/*"
]
}
]
}
this policy has been attached to an IAM role with the following trust relationship:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "eu-central-1xxxxxxxxxxx"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "authenticated"
}
}
}
]
}
I've properly configured the Federated Identity Pool to use this role, and added Google as an OpenID Connect provider.
I also configured my Cognito Identity Pool to accept users federated with my Cognito User Pool by supplying the User Pool ID and the App Client ID.
I would like to to give to any Google sign-in authenticated user, access to the S3 bucket and have read/write permission to his own directory.
I'm looking to grant access to a bucket that will allow instances in my VPC full access to it along with machines via our Data Center. Without the aws:SouceIp line, I can restrict access to VPC online machines.
I need the policy to work so that the bucket can only be accessible from machines within the VPC AND from my office.
{
"Version": "2012-10-17",
"Id": "Policy1496253408968",
"Statement": [
{
"Sid": "Stmt1496253402061",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::xyz-sam-test/*",
"arn:aws:s3:::xyz-sam-test"
],
"Condition": {
"StringLike": {
"aws:sourceVpc": "vpc-dcb634bf",
"aws:SourceIp": "<MY PUBLIC IP>"
}
}
}
]
}
You can generate a policy whose Effect is to Deny access to the bucket when StringNotLike Condition for both keys matches those specific wildcards.
{
"Version": "2012-10-17",
"Id": "Policy1496253408968",
"Statement": [
{
"Sid": "Stmt1496253402061",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::xyz-sam-test/*",
"arn:aws:s3:::xyz-sam-test"
],
"Condition": {
"StringNotLike": {
"aws:sourceVpc": "vpc-dcb634bf",
"aws:SourceIp": "<MY PUBLIC IP>"
}
}
}
]
}
The second condition could also be separated to its own statement. AWS applies a logical OR across the statements. 1
{
"Version": "2012-10-17",
"Id": "Policy1496253408968",
"Statement": [
{
"Sid": "Stmt1496253402061",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::xyz-sam-test/*",
"arn:aws:s3:::xyz-sam-test"
],
"Condition": {
"StringLike": {
"aws:sourceVpc": "vpc-dcb634bf",
}
}
},
{
"Sid": "Stmt1496253402062",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::xyz-sam-test/*",
"arn:aws:s3:::xyz-sam-test"
],
"Condition": {
"StringLike": {
"aws:SourceIp": "<MY PUBLIC IP>"
}
}
}
]
}
AWS has predefined condition operators and keys (like aws:CurrentTime). Individual AWS services also define service-specific keys.
As an example, assume that you want to let user John access your Amazon SQS queue under the following conditions:
The time is after 12:00 p.m. on 7/16/2019
The time is before 3:00 p.m. on 7/16/2019
The request comes from an IP address within the range 192.0.2.0 to 192.0.2.255 or 203.0.113.0 to 203.0.113.255.
Your condition block has three separate condition operators, and all three of them must be met for John to have access to your queue, topic, or resource.
The following shows what the condition block looks like in your policy. The two values for aws:SourceIp are evaluated using OR. The three separate condition operators are evaluated using AND.
"Condition" : {
"DateGreaterThan" : {
"aws:CurrentTime" : "2019-07-16T12:00:00Z"
},
"DateLessThan": {
"aws:CurrentTime" : "2019-07-16T15:00:00Z"
},
"IpAddress" : {
"aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]
}
}
reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html
this is an old question, but I think that there is a better solution with AWS new capabilities. Especially, I don't really like the deny / StringNotLike combination, because denying on an s3 policy can have unexpected effects such as locking your own S3 bucket down, by denying yourself (this could only be fixed by using the root account, which you may not have easily accessible in a professional context)
So the solution I have in mind is to use ForAnyValue in your condition (source). e.g something like this:
{
"Version": "2012-10-17",
"Id": "Policy1496253408968",
"Statement": [
{
"Sid": "Stmt1496253402061",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::xyz-sam-test/*",
"arn:aws:s3:::xyz-sam-test"
],
"Condition": {
"ForAnyValue:StringEquals": {
"aws:sourceVpc": [
"vpc-dcb634bf",
"<MY PUBLIC IP>"
]
}
}
}
]
}
Hi I am trying to write the permissions policy to access my bucket.
I want to deny access to a particular user-agent and allow access to all other user agents. With the below policy the access is getting denied to all.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1456658595000",
"Effect": "Deny",
"Action": [
"s3:*"
],
"Condition": {
"StringLike": {
"aws:UserAgent": "NSPlayer"
}
},
"Resource": [
"arn:aws:s3:::bucket/"
]
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::bucket/*"
]
}
]
}
Please let me know how should I write such policy so that except one user agent all others are able to access the same.
It has to be written this way!
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SID",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Condition": {
"StringNotLike": {
"aws:UserAgent": "NSPlayer"
}
},
"Resource": [
"*"
]
}
]
}
This solution works if bucket objects are not public read/write. One related answer is here: Deny access to user agent to access a bucket in AWS S3