EventBridge Scheduler cannot assume role restricted by ScheduleGroup ARN


Hello, I am migrating an IAM role's trust policy to limit access using the ScheduleGroup ARN instead of the Schedule ARN, in accordance with https://docs.aws.amazon.com/scheduler/latest/UserGuide/cross-service-confused-deputy-prevention.html

I only want to allow schedules in the default schedule group to assume the role, so my trust policy is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "scheduler.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceArn": "arn:aws:scheduler:<ACCOUNT_REGION>:<ACCOUNT_ID>:schedule-group/default",
                    "aws:SourceAccount": "<ACCOUNT_ID>"
                }
            }
        }
    ]
}

However, when I attempt to create a schedule in the default schedule group through the AWS web console, I get the error "The execution role you provide must allow AWS EventBridge Scheduler to assume the role."

Even using StringLike and arn:aws:scheduler:*:<ACCOUNT_ID>:schedule-group/* for aws:SourceArn results in the same error. Reverting to the Schedule ARN still works.

What am I missing? Do I need to somehow tell EventBridge Scheduler to present a ScheduleGroup ARN instead of a Schedule ARN?


Edit to add CloudTrail logs:

UpdateAssumeRolePolicy:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Root",
        "principalId": "XXXXXXXXXX",
        "arn": "arn:aws:iam::XXXXXXXXXX:root",
        "accountId": "XXXXXXXXXX",
        "accessKeyId": "XXXXXXXXXX",
        "sessionContext": {
            "sessionIssuer": {},
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-10-25T12:52:40Z",
                "mfaAuthenticated": "true"
            }
        }
    },
    "eventTime": "2023-10-25T13:56:38Z",
    "eventSource": "iam.amazonaws.com",
    "eventName": "UpdateAssumeRolePolicy",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "XXXXXXXXXX",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "policyDocument": "{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Principal\": {\n\t\t\t\t\"Service\": \"scheduler.amazonaws.com\"\n\t\t\t},\n\t\t\t\"Action\": \"sts:AssumeRole\",\n\t\t\t\"Condition\": {\n\t\t\t\t\"StringLike\": {\n\t\t\t\t\t\"aws:SourceAccount\": \"XXXXXXXXXX\",\n\t\t\t\t\t\"aws:SourceArn\": \"arn:aws:scheduler:*:XXXXXXXXXX:schedule-group/*\"\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t]\n}",
        "roleName": "XXXXXXXXXX"
    },
    "responseElements": null,
    "requestID": "50709fc9-386a-4f95-be16-44cf9591e9f7",
    "eventID": "c80a532c-2295-4f00-84e4-36234e5c4389",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "XXXXXXXXXX",
    "eventCategory": "Management",
    "sessionCredentialFromConsole": "true"
}

Subsequent CreateSchedule:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "Root",
        "principalId": "XXXXXXXXXX",
        "arn": "arn:aws:iam::XXXXXXXXXX:root",
        "accountId": "XXXXXXXXXX",
        "accessKeyId": "XXXXXXXXXX",
        "sessionContext": {
            "sessionIssuer": {},
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-10-25T12:52:40Z",
                "mfaAuthenticated": "true"
            }
        }
    },
    "eventTime": "2023-10-25T14:02:57Z",
    "eventSource": "scheduler.amazonaws.com",
    "eventName": "CreateSchedule",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "XXXXXXXXXX",
    "userAgent": "XXXXXXXXXX",
    "errorCode": "ValidationException",
    "errorMessage": "The execution role you provide must allow AWS EventBridge Scheduler to assume the role.",
    "requestParameters": {
        "name": "create_schedule_test",
        "scheduleExpression": "at(2023-10-26T11:11:00)",
        "description": "",
        "scheduleExpressionTimezone": "America/New_York",
        "state": "ENABLED",
        "flexibleTimeWindow": {
            "mode": "OFF"
        },
        "clientToken": "XXXXXXXXXX"
    },
    "responseElements": null,
    "requestID": "4edc45a0-e62b-478a-93ee-63ddadfcd8a8",
    "eventID": "03773412-bf04-492d-b9e4-ed0e61b342ec",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "XXXXXXXXXX",
    "eventCategory": "Management",
    "tlsDetails": {
        "clientProvidedHostHeader": "scheduler.us-east-1.amazonaws.com"
    },
    "sessionCredentialFromConsole": "true"
}
Asked 7 months ago, 423 views
2 Answers

Hi,

I have tried the below condition but cannot reproduce the error:

        "Condition": {
            "StringEquals": {
                "aws:SourceAccount": "123456789012",
                "aws:SourceArn": "arn:aws:scheduler:us-east-1:123456789012:schedule-group/default"
            }
        }

Did you use the AWS console or the AWS CLI for the API call? Does your call pass without the condition? Please also make sure the region is correct.

Feng_C (AWS)
Answered 7 months ago
  • Thanks - this is on the AWS console, not the CLI. It passes without the condition, and when the SourceArn is arn:aws:scheduler:*:<ACCOUNT_ID>:*, but not arn:aws:scheduler:*:<ACCOUNT_ID>:schedule-group/*. I'll post the CloudTrail logs shortly, as perhaps there's more info there.
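The following is an added example, not code from the thread or from AWS: a small offline evaluator for the StringEquals and StringLike operators that IAM applies to aws:SourceArn and aws:SourceAccount. It runs the three SourceArn patterns that appear in the question, in the CloudTrail UpdateAssumeRolePolicy entry and in the comment above against the two ARN shapes a Scheduler resource can have, a schedule group (schedule-group/<group>) and a schedule (schedule/<group>/<name>), plus a same-named group in a foreign account. The account IDs, region and schedule name are constructed placeholders. The point it makes is that the one pattern the asker reports as working (arn:aws:scheduler:*:<ACCOUNT_ID>:*) is also the only one that matches a schedule ARN; it cannot tell you which ARN the service actually presents during CreateSchedule validation.

```python
import re

# Constructed placeholders; not the asker's real account, region or names.
ACCOUNT = "123456789012"
REGION = "us-east-1"

# The two resource ARN shapes EventBridge Scheduler uses (constructed samples).
GROUP_ARN = f"arn:aws:scheduler:{REGION}:{ACCOUNT}:schedule-group/default"
SCHEDULE_ARN = f"arn:aws:scheduler:{REGION}:{ACCOUNT}:schedule/default/create_schedule_test"
# Same group name in a different account: the confused-deputy case the condition exists for.
FOREIGN_ACCOUNT = "999999999999"
FOREIGN_GROUP_ARN = f"arn:aws:scheduler:{REGION}:{FOREIGN_ACCOUNT}:schedule-group/default"


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive; '*' matches any run, '?' exactly one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


OPERATORS = {
    "StringEquals": lambda pattern, value: pattern == value,
    "StringLike": string_like,
}


def condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate a Condition block the way IAM does for these two operators:
    every operator block and every key inside it must pass, a key that is
    absent from the request context does not match, and a list of policy
    values for one key is an OR."""
    for operator, keys in condition.items():
        match = OPERATORS[operator]
        for key, allowed in keys.items():
            if key not in context:
                return False
            patterns = allowed if isinstance(allowed, list) else [allowed]
            if not any(match(p, context[key]) for p in patterns):
                return False
    return True


def trust_policy_allows(policy: dict, context: dict) -> bool:
    """True if an Allow statement lets scheduler.amazonaws.com call sts:AssumeRole
    under the given request context. Only Allow statements are modelled here."""
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if (stmt.get("Effect") == "Allow"
                and stmt.get("Principal", {}).get("Service") == "scheduler.amazonaws.com"
                and "sts:AssumeRole" in actions
                and condition_matches(stmt.get("Condition", {}), context)):
            return True
    return False


def scheduler_trust_policy(operator: str, source_arn_pattern: str) -> dict:
    """The trust policy from the question, parameterised on operator and SourceArn."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "scheduler.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {operator: {
                "aws:SourceArn": source_arn_pattern,
                "aws:SourceAccount": ACCOUNT,
            }},
        }],
    }


# The three trust-policy variants that appear in the thread.
VARIANTS = {
    "equals_group": ("StringEquals", GROUP_ARN),
    "like_any_group": ("StringLike", f"arn:aws:scheduler:*:{ACCOUNT}:schedule-group/*"),
    "like_anything_in_account": ("StringLike", f"arn:aws:scheduler:*:{ACCOUNT}:*"),
}

# Request contexts: the aws:SourceArn / aws:SourceAccount pair a caller would present.
CONTEXTS = {
    "group_arn": {"aws:SourceArn": GROUP_ARN, "aws:SourceAccount": ACCOUNT},
    "schedule_arn": {"aws:SourceArn": SCHEDULE_ARN, "aws:SourceAccount": ACCOUNT},
    "foreign_group_arn": {"aws:SourceArn": FOREIGN_GROUP_ARN, "aws:SourceAccount": FOREIGN_ACCOUNT},
}


def evaluate_variants() -> dict:
    """Return {(variant, context): allowed} for every policy/context combination."""
    return {
        (vname, cname): trust_policy_allows(scheduler_trust_policy(op, pat), ctx)
        for vname, (op, pat) in VARIANTS.items()
        for cname, ctx in CONTEXTS.items()
    }


if __name__ == "__main__":
    for (variant, context), allowed in evaluate_variants().items():
        print(f"{variant:26} {context:18} {'ALLOW' if allowed else 'DENY'}")
```

Run as a script it prints a 3x3 table: both schedule-group patterns allow the group ARN and deny the schedule ARN, the account-wide wildcard allows both, and all three deny the foreign-account group because aws:SourceAccount (and the account segment embedded in the pattern) does not match.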


Not sure if you are using your scheduler group in your trust policy instead of default as mentioned below.

"aws:SourceArn": "arn:aws:scheduler:us-west-2:123456789012:schedule-group/your-schedule-group"

Sachin
Answered 7 months ago
