
Comments (15)

simonw avatar simonw commented on July 19, 2024

Here's the boto3 signature for that method:

response = client.assume_role(
    # Required
    RoleArn='string',
    # Required
    RoleSessionName='string',
    # All others are optional
    PolicyArns=[
        {
            'arn': 'string'
        },
    ],
    # This is a string of JSON for an inline policy
    Policy='string',
    DurationSeconds=123,
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    TransitiveTagKeys=[
        'string',
    ],
    ExternalId='string',
    SerialNumber='string',
    TokenCode='string',
    SourceIdentity='string'
)

I think I just need to care about RoleArn and RoleSessionName (because they are required) and then use Policy and DurationSeconds - I don't think I need any of the other options for my purposes.

from s3-credentials.

simonw avatar simonw commented on July 19, 2024

It looks like RoleSessionName is mainly useful because it shows up in CloudTrail audit logs.

RoleArn is the toughest one. Normally the expectation is that you would be using this API to assume an existing, defined role - but I actually would be happy just sending in an inline JSON policy document.

But RoleArn is required.

I ran this code against my own account to see what roles are available:

import boto3
iam = boto3.client("iam")
roles = iam.list_roles()['Roles']
for role in roles:
    print(role["Path"], "\n\t", role["RoleName"], role.get("Description"), "\n")

Here's my output:

/service-role/ 
	 apprunner This role gives App Runner permission to access ECR 

/ 
	 aws-elasticbeanstalk-ec2-role None 

/ 
	 aws-elasticbeanstalk-service-role None 

/aws-service-role/elasticfilesystem.amazonaws.com/ 
	 AWSServiceRoleForAmazonElasticFileSystem None 

/aws-service-role/apprunner.amazonaws.com/ 
	 AWSServiceRoleForAppRunner None 

/aws-service-role/autoscaling.amazonaws.com/ 
	 AWSServiceRoleForAutoScaling Default Service-Linked Role enables access to AWS Services and Resources used or managed by Auto Scaling 

/aws-service-role/lightsail.amazonaws.com/ 
	 AWSServiceRoleForLightsail None 

/aws-service-role/rds.amazonaws.com/ 
	 AWSServiceRoleForRDS Allows Amazon RDS to manage AWS resources on your behalf 

/aws-service-role/support.amazonaws.com/ 
	 AWSServiceRoleForSupport Enables resource access for AWS to provide billing, administrative and support services 

/aws-service-role/trustedadvisor.amazonaws.com/ 
	 AWSServiceRoleForTrustedAdvisor Access for the AWS Trusted Advisor Service to help reduce cost, increase performance, and improve security of your AWS environment. 

/ 
	 datasette-proof-of-concept-HelloWorldFunctionRole-8MIDNIV5ECA6  

/ 
	 helloworld-dev None 

/ 
	 zappa-helloworl-dev-ZappaLambdaExecutionRole None 

So my account currently has 13 roles, some of which look like defaults and some from when I was playing around with things like Zappa on Lambda.


simonw avatar simonw commented on July 19, 2024

I think I need to create new roles the first time the user attempts to use these functions.

I'd like them to mostly share the structure of the roles in policies.py - but without the bucket limitation. I can add the bucket limitation in the inline policy JSON I pass to sts.assume_role().


simonw avatar simonw commented on July 19, 2024

Or maybe not? The code in policies.py creates an inline role with specific access to a specific bucket. I really like that. Could I come up with some kind of parent role that's basically just an obvious name with no rules attached to it at all?


simonw avatar simonw commented on July 19, 2024

Here are the docs for iam.create_role(): https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.ServiceResource.create_role

role = iam.create_role(
    Path='string',
    RoleName='string',
    AssumeRolePolicyDocument='string',
    Description='string',
    MaxSessionDuration=123,
    PermissionsBoundary='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)

Required fields are RoleName and AssumeRolePolicyDocument. I like the idea of setting a good Description too.


simonw avatar simonw commented on July 19, 2024

I ran this instead:

import json
import boto3

iam = boto3.client("iam")
roles = iam.list_roles()['Roles']
for role in roles:
    # default=str renders the CreateDate datetime, which json can't serialise on its own
    print(json.dumps(role, indent=4, default=str))

And for every single one of my roles the AssumeRolePolicyDocument looked something like this:

{
    "Path": "/aws-service-role/lightsail.amazonaws.com/",
    "RoleName": "AWSServiceRoleForLightsail",
    "RoleId": "AROAWXFXAIOZG5ACQ5NZ5",
    "Arn": "arn:aws:iam::462092780466:role/aws-service-role/lightsail.amazonaws.com/AWSServiceRoleForLightsail",
    "CreateDate": "2021-01-15 21:41:48+00:00",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "lightsail.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    },
    "MaxSessionDuration": 3600
}

They ALL used "Action": "sts:AssumeRole" against a principal defined as a "Service": "...amazonaws.com" - not a single example of a role that didn't do that.


simonw avatar simonw commented on July 19, 2024

Seeking relevant examples using GitHub code search. All of these so far are using "Action": "sts:AssumeRole":


simonw avatar simonw commented on July 19, 2024

Reading the official documentation on roles now: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html

Trust policy

A JSON policy document in which you define the principals that you trust to assume the role. A role trust policy is a required resource-based policy that is attached to a role in IAM. The principals that you can specify in the trust policy include users, roles, accounts, and services.


simonw avatar simonw commented on July 19, 2024

Trying a new approach: I'm using the AWS UI to create my first role, then I'll inspect it and see what it looks like.

The initial screen doesn't seem to support my use-case very well:

[Screenshot: IAM Management Console]

It looks like the option I want is "Another AWS Account", even though I'm actually looking to create temporary credentials within the SAME account:

[Screenshot: IAM Management Console]

Since Account ID is required I copied it from the menu at the top of the page. I managed to create a role:

[Screenshot: IAM Management Console]

This had the S3 thing attached - I then manually dropped that policy so now I have a role with no policies at all.

Let's see if I can assume it and use it to access a bucket.


simonw avatar simonw commented on July 19, 2024

Just doing this gave me back credentials that don't appear to be able to do anything at all:

sts.assume_role(RoleArn="arn:aws:iam::462092780466:role/s3-full-access", RoleSessionName="SimonRole")

Aha! Turns out you need to pass the --session-token argument too; just the first two aren't enough. And the Transmit UI doesn't have a way to set that, so testing in Transmit doesn't work.

Also, there seems to be some caching somewhere such that adding new policies to e.g. the role itself in the console doesn't take effect for quite a few seconds.


simonw avatar simonw commented on July 19, 2024

Maybe this is the policy document I need?

https://github.com/aws-srinjoy/servicenow-dish-iam-uplift/blob/d52871f179170c3028758a24ce8639d6620e9d3d/service-control-policies/scp/scp/integration_tests/tests/assume_role_policy_doc.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::{AccountId}:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}


simonw avatar simonw commented on July 19, 2024

Success! I manually created a role using these settings:

[Screenshot: IAM Management Console]

Then I ran the following code:

import json
import boto3

sts = boto3.client("sts")
bucket = "simonw-test-bucket-is-this-public"
# The inline Policy can only narrow what the role already allows; it cannot add permissions
sts.assume_role(
    RoleArn="arn:aws:iam::462092780466:role/s3-credentials.s3-full-access",
    RoleSessionName="s3-credentials.simonw-test-bucket-is-this-public",
    Policy=json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": ["arn:aws:s3:::{}".format(bucket)],
            },
            {
                "Effect": "Allow",
                "Action": "s3:*Object*",
                "Resource": ["arn:aws:s3:::{}/*".format(bucket)],
            },
            {
                "Effect": "Allow",
                "Action": ["iam:GetUser"],
                "Resource": ["*"]
            },
        ],
    })
)

This gave me credentials which I then successfully used to list the contents of that bucket, but which failed with a permission error when I tried to list the contents of a different bucket.

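As an added example (not code from this issue or from the s3-credentials project), the pieces the thread converges on in one place: the account-root trust policy for the parent role, the per-bucket inline session policy passed to assume_role, a pre-flight check that the session policy's S3 statements really are confined to one bucket, and the mapping of an AssumeRole response onto boto3 session arguments that fails loudly when the session token the thread found to be essential is missing. The account id, bucket name and response values are constructed placeholders.

```python
import json

POLICY_VERSION = "2012-10-17"


def trust_policy(account_id):
    """Trust policy for the parent role: principals in account_id may call sts:AssumeRole on it."""
    principal = {"AWS": f"arn:aws:iam::{account_id}:root"}
    return {"Version": POLICY_VERSION, "Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]}


def bucket_session_policy(bucket):
    """Inline session policy for assume_role(Policy=...): list one bucket, read/write its objects."""
    return {"Version": POLICY_VERSION, "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{bucket}"]},
        {"Effect": "Allow", "Action": "s3:*Object*",
         "Resource": [f"arn:aws:s3:::{bucket}/*"]},
    ]}


def _as_list(value):
    # IAM allows Action and Resource to be either a single string or a list
    return [value] if isinstance(value, str) else list(value)


def s3_resources_outside_bucket(policy, bucket):
    """Pre-flight check: every statement granting s3:* actions must name only this bucket."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    leaks = []
    for stmt in policy["Statement"]:
        if any(a.startswith("s3:") for a in _as_list(stmt["Action"])):
            leaks += [r for r in _as_list(stmt["Resource"]) if r not in allowed]
    return leaks


def session_kwargs(assume_role_response):
    """Map an AssumeRole response to boto3.Session kwargs; key id and secret alone are useless without the token."""
    creds = assume_role_response["Credentials"]
    missing = [k for k in ("AccessKeyId", "SecretAccessKey", "SessionToken") if not creds.get(k)]
    if missing:
        raise ValueError(f"AssumeRole credentials are incomplete: missing {missing}")
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"]}


# Constructed sample in the shape sts.assume_role() returns; every value is fake.
SAMPLE_RESPONSE = {"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE", "SecretAccessKey": "fake-secret",
    "SessionToken": "fake-session-token", "Expiration": "2024-07-19T12:00:00+00:00"}}
```

Pass `json.dumps(bucket_session_policy(bucket))` as the `Policy` argument and `**session_kwargs(response)` to `boto3.Session(...)`; an empty list from `s3_resources_outside_bucket` is the condition to require before handing the credentials out.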

simonw avatar simonw commented on July 19, 2024

The policy I attached to it has this ARN: arn:aws:iam::aws:policy/AmazonS3FullAccess


simonw avatar simonw commented on July 19, 2024

Here's what that role looks like if I access it using iam.get_role(RoleName="s3-credentials.s3-full-access"):

{
    "Path": "/",
    "RoleName": "s3-credentials.s3-full-access",
    "RoleId": "AROAWXFXAIOZK2Y3HBQZP",
    "Arn": "arn:aws:iam::462092780466:role/s3-credentials.s3-full-access",
    "CreateDate": "2021-11-10 01:08:03+00:00",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::462092780466:root"
                },
                "Action": "sts:AssumeRole",
                "Condition": {}
            }
        ]
    },
    "Description": "Role used by the s3-credentials tool to create time-limited credentials that are restricted to specific buckets.",
    "MaxSessionDuration": 3600,
    "RoleLastUsed": {}
}


simonw avatar simonw commented on July 19, 2024

OK, research is complete. Next step is to design and implement the feature.

