Comments (15)
Here's the boto3 signature for that method:
response = client.assume_role(
    # Required
    RoleArn='string',
    # Required
    RoleSessionName='string',
    # All others are optional
    PolicyArns=[
        {
            'arn': 'string'
        },
    ],
    # This is a string of JSON for an inline policy
    Policy='string',
    DurationSeconds=123,
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    TransitiveTagKeys=[
        'string',
    ],
    ExternalId='string',
    SerialNumber='string',
    TokenCode='string',
    SourceIdentity='string'
)
I think I just need to care about RoleArn and RoleSessionName (because they are required) and then use Policy and DurationSeconds - I don't think I need any of the other options for my purposes.
from s3-credentials.
It looks like RoleSessionName is mainly useful because it shows up in CloudTrail audit logs.
RoleArn is the toughest one. Normally the expectation is that you would be using this API to assume an existing, defined role - but I actually would be happy just sending in an inline JSON policy document.
But RoleArn is required.
I ran this code against my own account to see what roles are available:
import boto3
iam = boto3.client("iam")
roles = iam.list_roles()['Roles']
for role in roles:
    print(role["Path"], "\n\t", role["RoleName"], role.get("Description"), "\n")
Here's my output:
/service-role/
apprunner This role gives App Runner permission to access ECR
/
aws-elasticbeanstalk-ec2-role None
/
aws-elasticbeanstalk-service-role None
/aws-service-role/elasticfilesystem.amazonaws.com/
AWSServiceRoleForAmazonElasticFileSystem None
/aws-service-role/apprunner.amazonaws.com/
AWSServiceRoleForAppRunner None
/aws-service-role/autoscaling.amazonaws.com/
AWSServiceRoleForAutoScaling Default Service-Linked Role enables access to AWS Services and Resources used or managed by Auto Scaling
/aws-service-role/lightsail.amazonaws.com/
AWSServiceRoleForLightsail None
/aws-service-role/rds.amazonaws.com/
AWSServiceRoleForRDS Allows Amazon RDS to manage AWS resources on your behalf
/aws-service-role/support.amazonaws.com/
AWSServiceRoleForSupport Enables resource access for AWS to provide billing, administrative and support services
/aws-service-role/trustedadvisor.amazonaws.com/
AWSServiceRoleForTrustedAdvisor Access for the AWS Trusted Advisor Service to help reduce cost, increase performance, and improve security of your AWS environment.
/
datasette-proof-of-concept-HelloWorldFunctionRole-8MIDNIV5ECA6
/
helloworld-dev None
/
zappa-helloworl-dev-ZappaLambdaExecutionRole None
So my account currently has 13 roles, some of which look like defaults and some from when I was playing around with things like Zappa on Lambda.
I think I need to create new roles the first time the user attempts to use these functions.
I'd like them to mostly share the structure of the roles in policies.py - but without the bucket limitation. I can add the bucket limitation in the inline policy JSON I pass to sts.assume_role().
Or maybe not? The code in policies.py creates an inline role with specific access to a specific bucket. I really like that. Could I come up with some kind of parent role that's basically just an obvious name with no rules attached to it at all?
Here are the docs for iam.create_role(): https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.ServiceResource.create_role
role = iam.create_role(
    Path='string',
    RoleName='string',
    AssumeRolePolicyDocument='string',
    Description='string',
    MaxSessionDuration=123,
    PermissionsBoundary='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
Required fields are RoleName and AssumeRolePolicyDocument. I like the idea of setting a good Description too.
I ran this instead:
import json

import boto3

iam = boto3.client("iam")
roles = iam.list_roles()['Roles']
for role in roles:
    # default=str makes the datetime in CreateDate serializable
    print(json.dumps(role, indent=4, default=str))
And for every single one of my roles the AssumeRolePolicyDocument looked something like this:
{
    "Path": "/aws-service-role/lightsail.amazonaws.com/",
    "RoleName": "AWSServiceRoleForLightsail",
    "RoleId": "AROAWXFXAIOZG5ACQ5NZ5",
    "Arn": "arn:aws:iam::462092780466:role/aws-service-role/lightsail.amazonaws.com/AWSServiceRoleForLightsail",
    "CreateDate": "2021-01-15 21:41:48+00:00",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "lightsail.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    },
    "MaxSessionDuration": 3600
}
They ALL used "Action": "sts:AssumeRole" against a principal defined as a "Service": "...amazonaws.com" - not a single example of a role that didn't do that.
Seeking relevant examples using GitHub code search. All of these so far are using "Action": "sts:AssumeRole":
- https://github.com/bstriner/aws-sagemaker-remote/blob/6ce59c2e413b0dd6a53a54d8b860c93d16234720/aws_sagemaker_remote/processing/iam.py#L26
- https://github.com/lol-fi/finddiscount/blob/9901650c235f52d0809a755d1fb32e5c92236b82/python/example_code/iam/create_role.py#L47
- https://github.com/ubergeek42/lambda-letsencrypt/blob/01e81577dabc984b18512233ddae37755d4e2acb/installer/iam.py#L37
Reading the official documentation on roles now: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html
Trust policy
A JSON policy document in which you define the principals that you trust to assume the role. A role trust policy is a required resource-based policy that is attached to a role in IAM. The principals that you can specify in the trust policy include users, roles, accounts, and services.
Trying a new approach: I'm using the AWS UI to create my first role, then I'll inspect it and see what it looks like.
The initial screen doesn't seem to support my use-case very well:
It looks like the option I want is "Another AWS Account", even though I'm actually looking to create temporary credentials within the SAME account:
Since Account ID is required I copied it from the menu at the top of the page. I managed to create a role:
This had the S3 thing attached - I then manually dropped that policy so now I have a role with no policies at all.
Let's see if I can assume it and use it to access a bucket.
Just doing this gave me back credentials that don't appear to be able to do anything at all:
sts.assume_role(RoleArn = "arn:aws:iam::462092780466:role/s3-full-access", RoleSessionName="SimonRole")
Aha! Turns out you need to pass the --session-token argument too, just the first two isn't enough. And the Transmit UI doesn't have a way to set that so testing in Transmit doesn't work.
Also, there seems to be some caching somewhere such that adding new policies to e.g. the role itself in the console doesn't take effect for quite a few seconds.
Maybe this is the policy document I need?
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{AccountId}:root"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
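The trust policy above is the one piece the thread has to get right, so here is an added example (not code from s3-credentials or the thread) that builds that same-account trust document and then reads a role's AssumeRolePolicyDocument back to confirm who can actually assume it. It goes a little beyond the page: Principal and Action in IAM documents can be a string or a list, and Principal can be the bare wildcard "*", so the reader normalizes all of those shapes before comparing. The account id 123456789012 is a constructed placeholder, and the function names are mine.

```python
import re
from typing import Any, Dict, List

# Added example for the s3-credentials thread, not the project's own code.
# Account id 123456789012 below is a constructed placeholder.


def same_account_trust_policy(account_id: str) -> Dict[str, Any]:
    """Trust policy allowing principals in one account to call sts:AssumeRole.

    Trusting the account root means any IAM user or role in that account whose
    own identity policy grants sts:AssumeRole on this role may assume it.
    """
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account ids are exactly 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def _as_list(value: Any) -> List[Any]:
    """IAM lets most fields be either a scalar or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def assume_role_principals(doc: Dict[str, Any]) -> List[str]:
    """Every principal an Allow statement lets assume the role, as 'Kind:value' strings.

    Principal is either the string "*" or a dict keyed by AWS / Service / Federated,
    each holding a string or a list of strings.  The bare "*" is returned as "*".
    """
    principals: List[str] = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            principals.append("*")
        elif isinstance(principal, dict):
            for kind, values in principal.items():
                principals.extend(f"{kind}:{v}" for v in _as_list(values))
    return principals


def trust_policy_problems(doc: Dict[str, Any], account_id: str) -> List[str]:
    """Reasons the trust policy is broader than 'only my own account'.

    A 12-digit account id in the AWS principal is equivalent to the :root ARN,
    so both spellings are accepted as the expected principal.
    """
    expected = {f"AWS:arn:aws:iam::{account_id}:root", f"AWS:{account_id}"}
    problems: List[str] = []
    for principal in assume_role_principals(doc):
        if principal in ("*", "AWS:*"):
            problems.append("anyone can assume the role (Principal is a wildcard)")
        elif principal not in expected:
            problems.append(f"unexpected principal {principal}")
    return problems


if __name__ == "__main__":
    doc = same_account_trust_policy("123456789012")
    print(assume_role_principals(doc))
    print(trust_policy_problems(doc, "123456789012"))
```

Run `trust_policy_problems(iam.get_role(RoleName=...)["Role"]["AssumeRolePolicyDocument"], account_id)` against a real role to check it after creating it through the console or `create_role`; the service-linked roles listed earlier in the thread would each be reported as an unexpected Service principal, which is correct, since they are not meant to be assumed by you.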
Success! I manually created a role using these settings:
Then I ran the following code:
import json

import boto3

sts = boto3.client("sts")
bucket = "simonw-test-bucket-is-this-public"
# The inline Policy can only narrow the role's own permissions, never widen them
response = sts.assume_role(
    RoleArn="arn:aws:iam::462092780466:role/s3-credentials.s3-full-access",
    RoleSessionName="s3-credentials.simonw-test-bucket-is-this-public",
    Policy=json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": ["arn:aws:s3:::{}".format(bucket)],
            },
            {
                "Effect": "Allow",
                "Action": "s3:*Object*",
                "Resource": ["arn:aws:s3:::{}/*".format(bucket)],
            },
            {
                "Effect": "Allow",
                "Action": ["iam:GetUser"],
                "Resource": ["*"]
            },
        ],
    })
)
This gave me credentials which I then successfully used to list the contents of that bucket, but which failed with a permission error when I tried to list the contents of a different bucket.
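Putting the pieces of this comment together, here is an added example (mine, not code from s3-credentials) of the assume-role flow as a reusable function: it builds the bucket-scoped session policy, validates RoleSessionName (STS only accepts 2 to 64 characters from `[\w+=,.@-]`, and the name is what CloudTrail records), keeps DurationSeconds inside the STS limits, and returns the credentials together with the SessionToken that the earlier comment found was missing. Unlike the thread's policy it lists object actions explicitly instead of `s3:*Object*` and offers a read-only variant. The STS client is passed in so the block runs offline against the FakeSTS stand-in; in real use pass `boto3.client("sts")`. The role ARN and bucket name in the stand-alone run are constructed.

```python
import json
import re
from typing import Any, Dict, List

# Added example for the s3-credentials thread, not the project's own code.

SESSION_NAME_RE = re.compile(r"[\w+=,.@-]{2,64}")


def bucket_session_policy(bucket: str, read_only: bool = False) -> Dict[str, Any]:
    """Inline session policy confining the assumed role to one bucket.

    STS intersects this with the role's attached permissions (e.g. AmazonS3FullAccess),
    so the result can only be narrower than what the role already allows.
    """
    object_actions = ["s3:GetObject"] if read_only else [
        "s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{bucket}"]},
            {"Effect": "Allow", "Action": object_actions,
             "Resource": [f"arn:aws:s3:::{bucket}/*"]},
        ],
    }


def validate_session_name(name: str) -> str:
    """RoleSessionName ends up in CloudTrail, so reject names STS would refuse."""
    if not SESSION_NAME_RE.fullmatch(name):
        raise ValueError("RoleSessionName must be 2-64 chars from [\\w+=,.@-]")
    return name


def assume_bucket_role(sts: Any, role_arn: str, bucket: str, session_name: str,
                       read_only: bool = False, duration_seconds: int = 3600) -> Dict[str, str]:
    """Assume role_arn with a session policy scoped to bucket; return the credential trio.

    STS allows 900..43200 seconds; the role's own MaxSessionDuration (3600 by
    default, as seen in the thread) is a further, server-side cap.
    """
    if not 900 <= duration_seconds <= 43200:
        raise ValueError("DurationSeconds must be between 900 and 43200")
    response = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=validate_session_name(session_name),
        Policy=json.dumps(bucket_session_policy(bucket, read_only)),
        DurationSeconds=duration_seconds,
    )
    creds = response["Credentials"]
    return {
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["SessionToken"],
        "Expiration": str(creds["Expiration"]),
    }


def credentials_as_env(creds: Dict[str, str]) -> Dict[str, str]:
    """Environment variables for the AWS CLI and SDKs.

    Temporary STS credentials are only valid with all three values; omitting
    AWS_SESSION_TOKEN is why the earlier test in the thread 'couldn't do anything'.
    """
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


class FakeSTS:
    """Offline stand-in for boto3.client("sts"); records calls, returns constructed creds."""

    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def assume_role(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(kwargs)
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLEKEYID", "SecretAccessKey": "example-secret",
            "SessionToken": "example-session-token", "Expiration": "2021-11-10T02:08:03+00:00"}}


if __name__ == "__main__":
    fake = FakeSTS()  # real use: sts = boto3.client("sts")
    creds = assume_bucket_role(fake, "arn:aws:iam::123456789012:role/example-role",
                               "example-bucket", "s3-credentials.example-bucket", read_only=True)
    print(json.dumps(credentials_as_env(creds), indent=2))
```

Because the session policy is an intersection, the safest parent role is still one whose attached policy is no wider than the union of what the tool ever hands out; the inline policy prevents the caller from reaching other buckets, but it cannot undo an over-broad trust policy or recover from a leaked session token before it expires.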
The policy I attached to it has this ARN: arn:aws:iam::aws:policy/AmazonS3FullAccess
Here's what that role looks like if I access it using iam.get_role(RoleName="s3-credentials.s3-full-access"):
{
    "Path": "/",
    "RoleName": "s3-credentials.s3-full-access",
    "RoleId": "AROAWXFXAIOZK2Y3HBQZP",
    "Arn": "arn:aws:iam::462092780466:role/s3-credentials.s3-full-access",
    "CreateDate": "2021-11-10 01:08:03+00:00",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::462092780466:root"
                },
                "Action": "sts:AssumeRole",
                "Condition": {}
            }
        ]
    },
    "Description": "Role used by the s3-credentials tool to create time-limited credentials that are restricted to specific buckets.",
    "MaxSessionDuration": 3600,
    "RoleLastUsed": {}
}
OK, research is complete. Next step is to design and implement the feature.