AWS IAM – AssumeRole within same account

amazon-web-services

I'm trying to configure permissions for CloudTrail > S3 > SQS > Splunk workflow.

https://docs.splunk.com/Documentation/AddOns/released/AWS/ConfigureAWSpermissions

  1. I created a role and attached a policy to grant permissions for S3, SQS etc.
  2. I went to the Trust Relationship policy and added the same account number and the user, because the user will be in the same account.
  3. I then went to the user and attached a policy for AssumeRole, providing the role name and full ARN.
  4. I then launched an EC2 instance, ran aws configure, and provided the access key, secret key and region.
  5. Then I run aws s3 ls or aws s3 list-queues and I get the error below. Not sure what I'm doing wrong here.

An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied.

Splunk policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sqs:GetQueueAttributes",
                "sqs:ListQueues",
                "sqs:ReceiveMessage",
                "sqs:GetQueueUrl",
                "sqs:DeleteMessage",
                "s3:Get*",
                "s3:List*",
                "s3:Delete*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Trust Relation:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXXXXXXX:user/username"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

Username policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::XXXXXXXXXXXX:role/roleforsplunk"
        }
    ]
}
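An added example, not code from the question or the answer: an offline check of the two policies above plus the CLI profile stanza that makes the CLI perform the sts:AssumeRole call. The trust policy only decides who may assume the role; requests signed with the user's own keys never use the role's permissions unless a profile names the role. The account id 123456789012 and the profile name splunk are placeholders.

```python
import fnmatch

# Constructed inputs modelled on the question's policies; 123456789012 is a placeholder account.
USER_ARN = "arn:aws:iam::123456789012:user/username"
ROLE_ARN = "arn:aws:iam::123456789012:role/roleforsplunk"
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": USER_ARN},
                   "Action": "sts:AssumeRole"}],
}
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["sqs:ReceiveMessage", "s3:Get*", "s3:List*", "s3:Delete*"]}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def policy_allows(policy, action):
    """Simplified identity-policy evaluation: an explicit Deny wins, else any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(action_matches(p, action) for p in _as_list(stmt["Action"])):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def trust_allows(trust_policy, principal_arn):
    """Does the trust policy let principal_arn call sts:AssumeRole? Accepts the exact ARN or
    the account root ARN (which defers to the caller's identity policy); no Deny/wildcards."""
    account_root = "arn:aws:iam::%s:root" % principal_arn.split(":")[4]
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or not any(
                action_matches(p, "sts:AssumeRole") for p in _as_list(stmt["Action"])):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal_arn in principals or account_root in principals:
            return True
    return False

def cli_role_profile(role_arn, name="splunk", source_profile="default"):
    """~/.aws/config stanza: with --profile <name> the CLI calls sts:AssumeRole itself and signs
    requests with the role's temporary credentials instead of the source profile's keys."""
    return "[profile %s]\nrole_arn = %s\nsource_profile = %s\n" % (name, role_arn, source_profile)
```

Running `aws s3 ls --profile splunk` then exercises the role; `aws s3 ls` is the ListBuckets API, which needs the s3:ListAllMyBuckets permission that s3:List* covers.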

Best Answer

You don’t need TrustRelation when assuming role from the same account. Delete it and it should work.

By the way, do not use access and secret keys on EC2 instances. Instead use an EC2 Instance Role that will give the required permissions to your Splunk process.

Also, there is probably no need to assume another role from the EC2 Instance Role - simply give that role the required policy / permissions.

Hope that helps :)