
I have the following policy configured in an IAM user and in one TVM because I need access to S3 from an Android app, but whenever I try to save my credentials I get the same "500 - Server error". I don't have any idea about the problem, but I guess that the policy is badly configured:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:GetFederationToken",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:GetUser",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
  • There are 2 policies. Did you restrict the policy that the TVM uses for generating temporary credentials? The file is src/TokenVendingMachinePolicy.json. Not restricting this file will result in a 500 error. – Bob Kinney Nov 04 '13 at 20:18
  • Yes, I have this same policy in both. Is that a problem? – gzanitti Nov 05 '13 at 02:07
  • You'll want to restrict the actual TVM policy to only those actions necessary in your mobile app. Leaving in the STS, IAM and SimpleDB permissions would potentially allow the mobile app to modify the TVM table. – Bob Kinney Nov 05 '13 at 14:58
  • Thanks! How could I limit the use of the DB to allow the TVM function but not the other operations? Currently I have the following policy: { "Statement": [ { "Effect": "Allow", "Action": "sts:GetFederationToken", "Resource": "*" }, { "Effect": "Allow", "Action": "iam:GetUser", "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": "*" }, { "Effect": "Allow", "Action": "sdb:*", "Resource": "*" }] } – gzanitti Nov 05 '13 at 19:07
  • Either simply don't add the statements for iam and sdb in the TokenVendingMachinePolicy.json or do as the example policy does and deny the operations: {"Statement": [ {"Effect":"Allow","Action":["s3:*", "sdb:*", "sqs:*", "sns:*", "dynamodb:*"],"Resource":"*"}, {"Effect":"Deny","Action":"sdb:*","Resource":["arn:aws:sdb:__REGION__:__ACCOUNT_ID__:domain/__USERS_DOMAIN__","arn:aws:sdb:__REGION__:__ACCOUNT_ID__:domain/__DEVICE_DOMAIN__"]}, {"Effect":"Deny","Action":"iam:*","Resource":"*"} ] } – Bob Kinney Nov 05 '13 at 20:55
  • Please do not add "Solved" to your question title, or add the answer into your question. Answers go in the _Answers_ section. And I have already edited out "solved" from your title once. Don't do it again. – gunr2171 May 08 '14 at 20:44

1 Answer


Disclaimer: this answer was moved from the question to a community wiki here.


Solution: The problem was that I also needed to add permissions for sdb, where the credentials are stored.

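The thread ends up with two distinct policies: the one attached to the TVM's own IAM user (which, per the accepted answer and the comments, needs sts:GetFederationToken, iam:GetUser, the sdb access to its credential-store domains, and the S3 actions the app will use), and the session policy the TVM hands to sts:GetFederationToken, i.e. src/TokenVendingMachinePolicy.json. Below is an example of a restricted version of that second file, added here as an illustration; it is not code from the question, the accepted answer, Bob Kinney's comment, or the TVM sample project. The `__BUCKET__` placeholder and the `Sid` labels are assumptions; `__REGION__`, `__ACCOUNT_ID__`, `__USERS_DOMAIN__` and `__DEVICE_DOMAIN__` follow the placeholder style used in the comment above and must be substituted with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AppObjectAccessOnly",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::__BUCKET__/*"
    },
    {
      "Sid": "ProtectTvmCredentialStore",
      "Effect": "Deny",
      "Action": "sdb:*",
      "Resource": [
        "arn:aws:sdb:__REGION__:__ACCOUNT_ID__:domain/__USERS_DOMAIN__",
        "arn:aws:sdb:__REGION__:__ACCOUNT_ID__:domain/__DEVICE_DOMAIN__"
      ]
    },
    {
      "Sid": "NoIamFromTheApp",
      "Effect": "Deny",
      "Action": "iam:*",
      "Resource": "*"
    }
  ]
}
```

Two points worth checking against your own setup. First, the temporary credentials returned by GetFederationToken can only do what both the TVM user's policy and this session policy allow, so the S3 actions must be granted in both places, while the sts, iam and sdb statements belong only on the TVM user, not in this file. Second, because the Allow statement above names only two S3 actions on one bucket, the sdb and iam Deny statements are redundant with the default deny; they are kept so that a later broadening of the Allow (for example back to "s3:*" plus "sdb:*", as in the sample policy quoted in the comments) still cannot reach the TVM's own credential-store domains.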