Failing to PassRole with iam:PassedToService for CodeBuild
I'm trying to allow users to execute codebuild:StartBuild, while restricting iam:PassRole to pass the custom codebuild role only to the CodeBuild service.



The canned policies never restrict iam:PassRole, and even use "Resource":"*", effectively allowing passing of any role to any service. This strikes me as a bit sloppy, but maybe it's just me.



The policy below is an excerpt – codebuild:StartBuild, codebuild:List*, etc, are all allowed.



```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::*:role/my-codebuild-role",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": "*"
        }
      }
    }
  ]
}
```



This policy makes codebuild:StartBuild return an error:



User: arn:aws:sts::123456789:assumed-role/MyDevRole/me@example.com
is not authorized to perform: iam:PassRole on resource:
arn:aws:iam::123456789:role/my-codebuild-role


Now, removing the Condition part of the policy makes codebuild:StartBuild succeed.



The CloudTrail logs state exactly the same, without providing any additional information, neither in that particular event, nor in events before or after it.



I have also tried variations of the Condition match, including: Specify codebuild.amazonaws.com as the service; specify codebuild.eu-west-1.amazonaws.com as the service; ditto using StringEquals; specifying a list of all AWS principals and using ForAnyValue:StringLike.



It doesn't make sense that a StringLike match on * fails, while removing the Condition altogether makes it work.



What am I doing wrong? What is AWS not telling me? Or, what is AWS doing wrong here?
  • I'm getting the same problem but when I insert a condition on AssumeRolePolicyDocument. I've tested many conditions as you did and none of them worked.

    – Pedro Arantes
    Mar 27 at 11:44

  • So StringEqualsIfExists works. Which makes me think codebuild.amazonaws.com is not present in the request.

    – sudo
    Mar 28 at 16:30

amazon-web-services amazon-iam aws-codebuild

edited Mar 25 at 10:59
svenx

asked Mar 25 at 10:16
svenx
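The asymmetry the question and sudo's comment describe (a wildcard StringLike denies, removing the Condition allows) follows from how IAM treats a condition key that is absent from the request context: the plain string operators evaluate to false, the ...IfExists variants evaluate to true. The toy evaluator below is an added example, not code from the question or from AWS; it models only the string operators and the Null operator, and runs the question's Condition block and the StringEqualsIfExists variant against a constructed request context with and without iam:PassedToService.

```python
"""Toy model of IAM condition-operator semantics for an absent condition key.
Constructed example, not AWS code: it covers only StringEquals, StringLike,
their ...IfExists variants and the Null operator."""
import fnmatch


def _matches(op, pattern, value):
    # StringEquals is an exact match; StringLike allows * and ? wildcards.
    if op.startswith("StringLike"):
        return fnmatch.fnmatchcase(value, pattern)
    return value == pattern


def condition_allows(condition, context):
    """True if every operator block in the Condition is satisfied by the
    request context (dict of condition key -> value; missing keys absent)."""
    for op, keys in condition.items():
        if op == "Null":
            # "Null": {key: "true"} asserts the key is absent from the request.
            for key, expect in keys.items():
                if (key not in context) != (expect == "true"):
                    return False
            continue
        for key, patterns in keys.items():
            if isinstance(patterns, str):
                patterns = [patterns]
            if key not in context:
                # ...IfExists treats a missing key as satisfied; the plain
                # operators do not, which is why "StringLike": {"...": "*"}
                # still denies when the key is not in the request.
                if op.endswith("IfExists"):
                    continue
                return False
            if not any(_matches(op, p, context[key]) for p in patterns):
                return False
    return True


# The Condition block from the question, and the variant from the comments.
STRICT = {"StringLike": {"iam:PassedToService": "*"}}
IF_EXISTS = {"StringEqualsIfExists": {"iam:PassedToService": "codebuild.amazonaws.com"}}

# Constructed request contexts: key populated, and key not populated.
WITH_KEY = {"iam:PassedToService": "codebuild.amazonaws.com"}
NO_KEY = {}

if __name__ == "__main__":
    for name, cond in (("StringLike *", STRICT), ("StringEqualsIfExists", IF_EXISTS)):
        print(f"{name:22} key present: {condition_allows(cond, WITH_KEY)}  "
              f"key absent: {condition_allows(cond, NO_KEY)}")
```

Because the IfExists form is satisfied whenever the key is absent, the Resource ARN on the statement is what actually bounds which role can be passed in that case.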











