I am logging in as an IAM user which can switch to an Admin role. The user belongs to a UserGroup and the group has the permission to switch to an Admin role. There is no direct attachment of action policies anywhere.
I have configured my AWS CLI with the following.
    [default]
    region = eu-central-1
    output = json

    [profile parthiva]
    aws_access_key_id = <key>
    aws_secret_access_key = <secret>

    [profile admin]
    role_arn = arn:aws:iam::123456:role/AdminAccess
    source_profile = parthiva
    mfa_serial = arn:aws:iam::123456:mfa/s.parthiva
The role Admin looks like this.
    RoleAdmin:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                AWS:
                  - !Sub 'arn:aws:iam::${DevAccountId}:root'
              Condition:
                Bool:
                  aws:MultiFactorAuthPresent: true
              Action:
                - 'sts:AssumeRole'
        Path: /
        ManagedPolicyArns:
          - arn:aws:iam::aws:policy/AdministratorAccess
        RoleName: AdminAccess
Whenever I run CLI commands such as aws s3 ls --profile admin, it asks for an MFA token and, upon entering the value, the command is successful.
But I could not use this configuration with CodeCommit HTTPS (GRC). The following is the error:
    parthiva@Parthiva-PC:~$ git clone codecommit::eu-central-1://test-repo
    Cloning into 'test-repo'...
    fatal: unable to access 'https://git-codecommit.eu-central-1.amazonaws.com/v1/repos/test-repo/': The requested URL returned error: 403
To me, it looks like this codecommit command while using the CLI in the background, is not taking up the profile admin.
Can anyone help me here?
First, as you have set the default region to eu-central-1, you can simply run:
    git clone codecommit://test-repo test-repo
To clone a repository in a different AWS Region than the one configured in your profile, you need to include the AWS Region name. For example:
    git clone codecommit::ap-northeast-1://test-repo test-repo
To clone the same repository using a profile named admin, you can try something like this:
    git clone codecommit://admin@test-repo test-repo
Hope this helps.
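Which profile each remote URL form on this page selects, as an added example (not part of the original answer and not git-remote-codecommit's own code): a simplified model that parses the URL and looks the profile up in a constructed copy of the question's config. The `resolve` function and its fallback order (URL profile, then `AWS_PROFILE`, then `default`) are assumptions of this sketch.

```python
import configparser
import re

# Constructed copy of the AWS CLI config shown in the question (secrets are placeholders).
AWS_CONFIG = """\
[default]
region = eu-central-1
output = json
[profile parthiva]
aws_access_key_id = <key>
aws_secret_access_key = <secret>
[profile admin]
role_arn = arn:aws:iam::123456:role/AdminAccess
source_profile = parthiva
mfa_serial = arn:aws:iam::123456:mfa/s.parthiva
"""

# Accepted forms: codecommit://[profile@]repo and codecommit::region://[profile@]repo
URL_RE = re.compile(
    r"^codecommit(?:::(?P<region>[a-z0-9-]+))?://(?:(?P<profile>[^@/]+)@)?(?P<repo>[^@/]+)$"
)


def resolve(url, config_text=AWS_CONFIG, env_profile=None):
    """Return the profile, region and role that a codecommit:// URL selects."""
    m = URL_RE.match(url)
    if m is None:
        raise ValueError(f"not a codecommit remote URL: {url!r}")
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.read_string(config_text)
    # Assumption: with no profile in the URL, AWS_PROFILE or "default" is used.
    profile = m["profile"] or env_profile or "default"
    section = "default" if profile == "default" else f"profile {profile}"
    if not cfg.has_section(section):
        raise KeyError(f"profile {profile!r} not found in config")
    # Assumption: settings come from the selected profile's own section only.
    settings = cfg[section]
    return {
        "repo": m["repo"],
        "profile": profile,
        "region": m["region"] or settings.get("region"),
        "role_arn": settings.get("role_arn"),
        "mfa_required": "mfa_serial" in settings,
    }
```

Under these assumptions the question's `codecommit::eu-central-1://test-repo` resolves to `default`, which carries no `role_arn`, while `codecommit://admin@test-repo` selects the role profile but finds no region in `[profile admin]`.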