Failing to PassRole with iam:PassedToService for CodeBuildSimple DB policy being ignored?Restrict assumption of AWS IAM Role to a specific GroupAWS S3 Bucket Policy not working when manually testing Lambda FunctionCodeBuild unable to create LogsValidationError when creating a SageMaker ModelAWS Cognito Rule based Authentication for Google IDPIdentityPoolRoleAttachment Resource cannot be updatedAWS API Gateway and VPC Blacklist resource policyAWS IAM limiting CreateTags permissionRestrict access to S3 static website that uses API Gateway as a proxy

Is there a way to scan someone's memories while they sleep without them knowing?

How to add multiple ip address in destination ip in acl rule

Do flight schools typically have dress codes or expectations?

Should I include salary information on my CV?

Is this one of the engines from the 9/11 aircraft?

Low-gravity Bronze Age fortifications

Why doesn't a marching band have strings?

What are the penalties for overstaying in USA?

Is it damaging to turn off a small fridge for two days every week?

In the Marvel universe, can a human have a baby with any non-human?

Can I compare DFT calculations with different grids?

Are Finite Automata Turing Complete?

What is the legal status of travelling with (unprescribed) methadone in your carry-on?

Require advice on power conservation for backpacking trip

How does a blind passenger not die, if driver becomes unconscious

Why do textbooks often include the solutions to odd or even numbered problems but not both?

Links to webpages in books

Abel-Jacobi map on symmetric product of genus 4 curve

Crossnumber puzzle

How to / is it possible to straighten a bent seatstay/chainstay on a steel frame? At home or inexpensively by a professional

Changing the opacity of lines on a plot based on their value

C-152 carb heat on before landing in hot weather?

Apply brace expansion in "reverse order"

Does the posterior necessarily follow the same conditional dependence structure as the prior?



Failing to PassRole with iam:PassedToService for CodeBuild


Simple DB policy being ignored?Restrict assumption of AWS IAM Role to a specific GroupAWS S3 Bucket Policy not working when manually testing Lambda FunctionCodeBuild unable to create LogsValidationError when creating a SageMaker ModelAWS Cognito Rule based Authentication for Google IDPIdentityPoolRoleAttachment Resource cannot be updatedAWS API Gateway and VPC Blacklist resource policyAWS IAM limiting CreateTags permissionRestrict access to S3 static website that uses API Gateway as a proxy






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








2















I'm trying to allow users to execute codebuild:StartBuild, while restricting iam:PassRole to pass the custom codebuild role only to the CodeBuild service.



The canned policies never restrict iam:PassRole, and even use "Resource":"*", effectively allowing passing of any role to any service. This strikes me as a bit sloppy, but maybe it's just me.



The policy below is an excerpt – codebuild:StartBuild, codebuild:List*, etc, are all allowed.



 "Version": "2012-10-17",
 "Statement": [
 "Effect": "Allow",
 "Action": "iam:PassRole",
 "Resource": "arn:aws:iam::*:role/my-codebuild-role",
 "Condition": 
 "StringLike": 
 "iam:PassedToService": "*"
 
 
 
 ]



This policy makes codebuild:StartBuild return an error:



User: arn:aws:sts::123456789:assumed-role/MyDevRole/me@example.com
 is not authorized to perform: iam:PassRole on resource:
 arn:aws:iam::123456789:role/my-codebuild-role


Now, removing the Condition part of the policy makes codebuild:StartBuild succeed.



The CloudTrail logs state exactly the same, without providing any additional information, neither in that particular event, nor in events before or after it.



I have also tried variations of the Condition match, including: Specify codebuild.amazonaws.com as the service; specify codebuild.eu-west-1.amazonaws.com as the service; ditto using StringEquals; specifying a list of all AWS principals and using ForAnyValue:StringLike.



It doesn't make sense that a StringLike match on * fails, while removing the Condition altogether makes it work.



What am I doing wrong? What is AWS not telling me? Or, what is AWS doing wrong here?






amazon-web-services amazon-iam aws-codebuild







share|improve this question
























  • I'm getting the same problem but when I insert a condition on AssumeRolePolicyDocument. I've tested many conditions as you did and none of them worked.

    – Pedro Arantes
    Mar 27 at 11:44






  • 2





    So StringEqualsIfExists works. Which makes me think codebuild.amazonaws.com is not present in the request.

    – sudo
    Mar 28 at 16:30

















2















I'm trying to allow users to execute codebuild:StartBuild, while restricting iam:PassRole to pass the custom codebuild role only to the CodeBuild service.



The canned policies never restrict iam:PassRole, and even use "Resource":"*", effectively allowing passing of any role to any service. This strikes me as a bit sloppy, but maybe it's just me.



The policy below is an excerpt – codebuild:StartBuild, codebuild:List*, etc, are all allowed.



 "Version": "2012-10-17",
 "Statement": [
 "Effect": "Allow",
 "Action": "iam:PassRole",
 "Resource": "arn:aws:iam::*:role/my-codebuild-role",
 "Condition": 
 "StringLike": 
 "iam:PassedToService": "*"
 
 
 
 ]



This policy makes codebuild:StartBuild return an error:



User: arn:aws:sts::123456789:assumed-role/MyDevRole/me@example.com
 is not authorized to perform: iam:PassRole on resource:
 arn:aws:iam::123456789:role/my-codebuild-role


Now, removing the Condition part of the policy makes codebuild:StartBuild succeed.



The CloudTrail logs state exactly the same, without providing any additional information, neither in that particular event, nor in events before or after it.



I have also tried variations of the Condition match, including: Specify codebuild.amazonaws.com as the service; specify codebuild.eu-west-1.amazonaws.com as the service; ditto using StringEquals; specifying a list of all AWS principals and using ForAnyValue:StringLike.



It doesn't make sense that a StringLike match on * fails, while removing the Condition altogether makes it work.



What am I doing wrong? What is AWS not telling me? Or, what is AWS doing wrong here?






amazon-web-services amazon-iam aws-codebuild







share|improve this question
























  • I'm getting the same problem but when I insert a condition on AssumeRolePolicyDocument. I've tested many conditions as you did and none of them worked.

    – Pedro Arantes
    Mar 27 at 11:44






  • 2





    So StringEqualsIfExists works. Which makes me think codebuild.amazonaws.com is not present in the request.

    – sudo
    Mar 28 at 16:30













2












2








2


2






I'm trying to allow users to execute codebuild:StartBuild, while restricting iam:PassRole to pass the custom codebuild role only to the CodeBuild service.



The canned policies never restrict iam:PassRole, and even use "Resource":"*", effectively allowing passing of any role to any service. This strikes me as a bit sloppy, but maybe it's just me.



The policy below is an excerpt – codebuild:StartBuild, codebuild:List*, etc, are all allowed.



 "Version": "2012-10-17",
 "Statement": [
 "Effect": "Allow",
 "Action": "iam:PassRole",
 "Resource": "arn:aws:iam::*:role/my-codebuild-role",
 "Condition": 
 "StringLike": 
 "iam:PassedToService": "*"
 
 
 
 ]



This policy makes codebuild:StartBuild return an error:



User: arn:aws:sts::123456789:assumed-role/MyDevRole/me@example.com
 is not authorized to perform: iam:PassRole on resource:
 arn:aws:iam::123456789:role/my-codebuild-role


Now, removing the Condition part of the policy makes codebuild:StartBuild succeed.



The CloudTrail logs state exactly the same, without providing any additional information, neither in that particular event, nor in events before or after it.



I have also tried variations of the Condition match, including: Specify codebuild.amazonaws.com as the service; specify codebuild.eu-west-1.amazonaws.com as the service; ditto using StringEquals; specifying a list of all AWS principals and using ForAnyValue:StringLike.



It doesn't make sense that a StringLike match on * fails, while removing the Condition altogether makes it work.



What am I doing wrong? What is AWS not telling me? Or, what is AWS doing wrong here?






amazon-web-services amazon-iam aws-codebuild







share|improve this question
















I'm trying to allow users to execute codebuild:StartBuild, while restricting iam:PassRole to pass the custom codebuild role only to the CodeBuild service.



The canned policies never restrict iam:PassRole, and even use "Resource":"*", effectively allowing passing of any role to any service. This strikes me as a bit sloppy, but maybe it's just me.



The policy below is an excerpt – codebuild:StartBuild, codebuild:List*, etc, are all allowed.



 "Version": "2012-10-17",
 "Statement": [
 "Effect": "Allow",
 "Action": "iam:PassRole",
 "Resource": "arn:aws:iam::*:role/my-codebuild-role",
 "Condition": 
 "StringLike": 
 "iam:PassedToService": "*"
 
 
 
 ]



This policy makes codebuild:StartBuild return an error:



User: arn:aws:sts::123456789:assumed-role/MyDevRole/me@example.com
 is not authorized to perform: iam:PassRole on resource:
 arn:aws:iam::123456789:role/my-codebuild-role


Now, removing the Condition part of the policy makes codebuild:StartBuild succeed.



The CloudTrail logs state exactly the same, without providing any additional information, neither in that particular event, nor in events before or after it.



I have also tried variations of the Condition match, including: Specify codebuild.amazonaws.com as the service; specify codebuild.eu-west-1.amazonaws.com as the service; ditto using StringEquals; specifying a list of all AWS principals and using ForAnyValue:StringLike.



It doesn't make sense that a StringLike match on * fails, while removing the Condition altogether makes it work.



What am I doing wrong? What is AWS not telling me? Or, what is AWS doing wrong here?






amazon-web-services amazon-iam aws-codebuild




amazon-web-services amazon-iam aws-codebuild






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Mar 25 at 10:59







svenx

















asked Mar 25 at 10:16









svenxsvenx

1615 bronze badges




1615 bronze badges












  • I'm getting the same problem but when I insert a condition on AssumeRolePolicyDocument. I've tested many conditions as you did and none of them worked.

    – Pedro Arantes
    Mar 27 at 11:44






  • 2





    So StringEqualsIfExists works. Which makes me think codebuild.amazonaws.com is not present in the request.

    – sudo
    Mar 28 at 16:30

















  • I'm getting the same problem but when I insert a condition on AssumeRolePolicyDocument. I've tested many conditions as you did and none of them worked.

    – Pedro Arantes
    Mar 27 at 11:44






  • 2





    So StringEqualsIfExists works. Which makes me think codebuild.amazonaws.com is not present in the request.

    – sudo
    Mar 28 at 16:30
















I'm getting the same problem but when I insert a condition on AssumeRolePolicyDocument. I've tested many conditions as you did and none of them worked.

– Pedro Arantes
Mar 27 at 11:44





I'm getting the same problem but when I insert a condition on AssumeRolePolicyDocument. I've tested many conditions as you did and none of them worked.

– Pedro Arantes
Mar 27 at 11:44




2




2





So StringEqualsIfExists works. Which makes me think codebuild.amazonaws.com is not present in the request.

– sudo
Mar 28 at 16:30





So StringEqualsIfExists works. Which makes me think codebuild.amazonaws.com is not present in the request.

– sudo
Mar 28 at 16:30












0






active

oldest

votes














Your Answer






StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f55335505%2ffailing-to-passrole-with-iampassedtoservice-for-codebuild%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes















draft saved

draft discarded
















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f55335505%2ffailing-to-passrole-with-iampassedtoservice-for-codebuild%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Kamusi Yaliyomo Aina za kamusi | Muundo wa kamusi | Faida za kamusi | Dhima ya picha katika kamusi | Marejeo | Tazama pia | Viungo vya nje | UrambazajiKuhusu kamusiGo-SwahiliWiki-KamusiKamusi ya Kiswahili na Kiingerezakuihariri na kuongeza habari

Image
Pages using ISBN magic linksMbegu za lughaKamusiIsimu nenoKiarabukitabulughaKiswahilialfabetimaanaufafanuzimanenomuhtasarisarufividahizoalfabeti Kamusi Kutoka Wikipedia, kamusi elezo huru Jump to navigation Jump to search Kamusi za Kiswahili Kamusi ya Kiswahili-Kiswahili (kamusi wahidiya) Kamusi ya Kiswahili - Kiingereza (kamusi thania) Kamusi (kutoka neno la Kiarabu قاموس qamus ) ni kitabu ambacho kinaorodhesha maneno ya lugha yaliyokusanywa kutoka kwa watumiaji wa lugha fulani, kwa mfano lugha ya Kiswahili. Maneno hupangwa kwa mtindo wa alfabeti, hutoa maana, asili na ufafanuzi wa utumizi wa maneno na jinsi yanavyotumika au yanavyotamkwa. [1] Yaliyomo 1 Aina za kamusi 2 Muundo wa kamusi 2.1 1. Utangulizi wa kamusi 2.2 2. Matini ya kamusi 2.3 3. Sherehe ya kamusi 3 Faida za kamusi 4 Dhima ya picha katika kamusi 5 Marejeo 6 Tazama pia 7 Viungo vya nje Aina za kamusi | Kuna aina mbalimbali za kamusi ambazo ni: Kamusi wahidiya yaani ya l
Read more

Swift 4 - func physicsWorld not invoked on collision? The Next CEO of Stack OverflowHow to call Objective-C code from Swift#ifdef replacement in the Swift language@selector() in Swift?#pragma mark in Swift?Swift for loop: for index, element in array?dispatch_after - GCD in Swift?Swift Beta performance: sorting arraysSplit a String into an array in Swift?The use of Swift 3 @objc inference in Swift 4 mode is deprecated?How to optimize UITableViewCell, because my UITableView lags

Image
Strange use of "whether ... than ..." in official text Could a dragon use its wings to swim? Car headlights in a world without electricity How to avoid supervisors with prejudiced views? Is the offspring between a demon and a celestial possible? If so what is it called and is it in a book somewhere? Can I board the first leg of the flight without having final country's PR card? subequations: How to continue numbering within subequation? How do you define an element with an ID attribute using LWC? Relevant Part for a Badminton Serve What CSS properties can the br tag have? What are the unusually-enlarged wing sections on this P-38 Lightning? Why did early computer designers eschew integers? Is it a bad idea to plug the other end of ESD strap to wall ground? Magento 1.9 observer on only new product added ( no updated product ) Airplane gently rocking its wings during whole flight It is correct to match light sources with the same color temperat
Read more

Access current req object everywhere in Node.js ExpressWhy are global variables considered bad practice? (node.js)Using req & res across functionsHow do I get the path to the current script with Node.js?What is Node.js' Connect, Express and “middleware”?Node.js w/ express error handling in callbackHow to access the GET parameters after “?” in Express?Modify Node.js req object parametersAccess “app” variable inside of ExpressJS/ConnectJS middleware?Node.js Express app - request objectAngular Http Module considered middleware?Session variables in ExpressJSAdd properties to the req object in expressjs with Typescript

Image
What steps should I take to lawfully visit the United States as a tourist immediately after visiting on a B-1 visa? Would dual wielding daggers be a viable choice for a covert bodyguard? For a hashing function like MD5, how similar can two plaintext strings be and still generate the same hash? Using Newton's shell theorem to accelerate a spaceship Why doesn't sea level show seasonality? What prevents someone from claiming to be the murderer in order to get the real murderer off? Has anyone in space seen or photographed a simple laser pointer from Earth? What does (void *)1 mean Why does the U.S. tolerate foreign influence from Saudi Arabia and Israel on its domestic policies while not tolerating that from China or Russia? Modulus Operandi What's the point of having a RAID 1 configuration over incremental backups to a secondary drive? How to ask for a LinkedIn endorsement? Good resources for solving techniques (Metaheuristics, MILP, CP etc) How woul
Read more