Authentication and access control for AWS RoboMaker - AWS RoboMaker

Authentication and access control for AWS RoboMaker

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS RoboMaker resources. Administrators use IAM to control who is authenticated (signed in) and authorized (has permissions) to use AWS RoboMaker resources. IAM is a feature of your AWS account offered at no additional charge.

Important

To get started quickly, review the introductory information on this page, and then see Getting started with IAM, and What are policies?.

Topics

Introduction to authorization and access control

AWS RoboMaker is integrated with AWS Identity and Access Management (IAM), which offers a wide range of features:

  • Create users and groups in your AWS account.

  • Easily share your AWS resources between the users in your AWS account.

  • Assign unique security credentials to each user.

  • Control each user's access to services and resources.

  • Get a single bill for all users in your AWS account.

For more information about IAM, see the following:

Permissions required

To use AWS RoboMaker or to manage authorization and access control for yourself or others, you must have the correct permissions.

Permissions Required to Use the AWS RoboMaker Console

To access the AWS RoboMaker console, you must have a minimum set of permissions that allows you to list and view details about the AWS RoboMaker resources in your AWS account. If you create an identity-based permissions policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities with that policy.

For read-only access to the AWS RoboMaker console, use the AWSRoboMakerReadOnlyAccess policy.

If an IAM user wants to create a simulation job, you need to grant iam:PassRole permission to that user. For more information about passing a role, see Granting a User Permissions to Pass a Role to an AWS Service.

For example, you can attach the following policy to a user. It provides permission to create a simulation job:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/S3AndCloudWatchAccess" } ] }

You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the AWS API. Instead, you need only the permissions that match the API operation you're trying to perform.

Permissions Required to View Worlds in the AWS RoboMaker in the Console

You can grant permissions required to view AWS RoboMaker worlds in the AWS RoboMaker console by attaching the following policy to a user:

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "robomaker: DescribeWorld" ], "Resource": "*", "Effect": "Allow" } ] }

Permissions required to use the AWS RoboMaker simulation tools

The IAM user or role used to create simulation will automatically have permission to access the simulation tools. If it is a different user or role, it should have the robomaker:CreateSimulationJob privilege.

Permissions Required for Authentication Management

To manage your own credentials, such as your password, access keys, and multi-factor authentication (MFA) devices, your administrator must grant you the required permissions. To view the policy that includes these permissions, see Allow users to self-manage their credentials.

As an AWS administrator, you need full access to IAM so that you can create and manage users, groups, roles, and policies in IAM. You should use the AdministratorAccess AWS managed policy that includes full access to all of AWS. This policy does not provide access to the AWS Billing and Cost Management console or allow tasks that require root user credentials. For more information, see AWS Tasks That Require AWS account root user Credentials in the AWS General Reference.

Warning

Only an administrator user should have full access to AWS. Anyone with this policy has permission to fully manage authentication and access control, in addition to modifying every resource in AWS. To learn how to create this user, see Create your IAM Admin user.

Permissions required for access control

If your administrator provided you with IAM user credentials, they attached policies to your IAM user to control what resources you can access. To view the policies attached to your user in the AWS Management Console, you must have the following permissions:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ViewOwnUserInfo", "Effect": "Allow", "Action": [ "iam:GetUserPolicy", "iam:ListGroupsForUser", "iam:ListAttachedUserPolicies", "iam:ListUserPolicies", "iam:GetUser" ], "Resource": [ "arn:aws:iam::*:user/${aws:username}" ] }, { "Sid": "ListUsersViewGroupsAndPolicies", "Effect": "Allow", "Action": [ "iam:GetGroupPolicy", "iam:GetPolicyVersion", "iam:GetPolicy", "iam:ListAttachedGroupPolicies", "iam:ListGroupPolicies", "iam:ListPolicyVersions", "iam:ListPolicies", "iam:ListUsers" ], "Resource": "*" } ] }

If you need additional permissions, ask your administrator to update your policies to allow you to access the actions that you require.

Permissions required for a simulation job

When you create a simulation job, it must have an IAM role with the permissions below.

  • Replace my-input-bucket with the name of the bucket containing the robot and simulation application bundles.

  • Replace my-output-bucket to point to the bucket were AWS RoboMaker will write output files.

  • Replace account# with your account number.

Public ECR jobs require separate permissions, such as ecr-public:GetAuthorizationToken, sts:GetServiceBearerToken, and any other permissions required for your final implementation. For more information, see Public repository policies in the Amazon ECR User Guide.

Jobs with Private ECR images
{ "Version": "2012-10-17", "Statement": [ { "Action": "s3:ListBucket", "Resource": [ "arn:aws:s3:::my-input-bucket" ], "Effect": "Allow" }, { "Action": [ "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::my-input-bucket/*" ], "Effect": "Allow" }, { "Action": "s3:Put*", "Resource": [ "arn:aws:s3:::my-output-bucket/*" ], "Effect": "Allow" }, { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams" ], "Resource": [ "arn:aws:logs:*:account#:log-group:/aws/robomaker/SimulationJobs*" ], "Effect": "Allow" }, { "Action": [ "ecr:BatchGetImage", "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer" ], "Resource": "arn:partition:ecr:region:account#:repository/repository_name", "Effect": "Allow" } ] }
Jobs with Public ECR images
{ "Version": "2012-10-17", "Statement": [ { "Action": "s3:ListBucket", "Resource": [ "arn:aws:s3:::my-input-bucket" ], "Effect": "Allow" }, { "Action": [ "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::my-input-bucket/*" ], "Effect": "Allow" }, { "Action": "s3:Put*", "Resource": [ "arn:aws:s3:::my-output-bucket/*" ], "Effect": "Allow" }, { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams" ], "Resource": [ "arn:aws:logs:*:account#:log-group:/aws/robomaker/SimulationJobs*" ], "Effect": "Allow" }, { "Action": [ "ecr-public:GetAuthorizationToken", "sts:GetServiceBearerToken" ], "Resource": "*", "Effect": "Allow" } ] }

The policy must be attached to a role with the following trust policy.

{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Principal": { "Service": "robomaker.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "account#" // Account where the simulation job resource is created }, "StringEquals": { "aws:SourceArn": "arn:aws:robomaker:region:account#:simulation-job/*" } } } }

Condition keys prevent an AWS service from being used as a confused deputy during transactions between services. See SourceAccount and SourceArn for additional information about condition keys.

Permissions Required to use Tags from a ROS Application or ROS Command Line

You can tag, untag, and list tags in your simulation job from the ROS command-line or in your ROS application while it is running. You must have an IAM role with the permissions below. Replace account# with your account number.

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "robomaker:TagResource", "robomaker:UntagResource", "robomaker:ListTagsForResource", ], "Resource": [ "arn:aws:robomaker:*:account#:simulation-job*" ], "Effect": "Allow" } ] }

The policy must be attached to a role with the following trust policy:

{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Principal": { "Service": "robomaker.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "account#" // Account where the simulation job resource is created }, "StringEquals": { "aws:SourceArn": "arn:aws:robomaker:region:account#:simulation-job/*" } } } }

Condition keys prevent an AWS service from being used as a confused deputy during transactions between services. See SourceAccount and SourceArn for additional information about condition keys.

Understanding how AWS RoboMaker works with IAM

Services can work with IAM in several ways:

  • Actions – AWS RoboMaker supports using actions in a policy. This allows an administrator to control whether an entity can complete an operation in AWS RoboMaker. For example, to allow an entity to view a policy by performing the GetPolicy AWS API operation, an administrator must attach a policy that allows the iam:GetPolicy action.

  • Resource-level permissions – AWS RoboMaker does not support resource-level permissions. Resource-level permissions allow you to use ARNs to specify individual resources in the policy. Because AWS RoboMaker does not support this feature, then you must choose All resources in the policy visual editor. In a JSON policy document, you must use * in the Resource element.

  • Authorization based on tags – AWS RoboMaker does support authorization based tags. This feature allows you to use resource tags in the condition of a policy.

  • Temporary credentials – AWS RoboMaker supports temporary credentials. This feature allows you to sign in with federation, assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling AWS STS API operations such as AssumeRole or GetFederationToken.

  • Service-linked roles – AWS RoboMaker supports service roles. This feature allows a service to assume a service-linked role on your behalf. This role allows the service to access resources in other services to complete an action on your behalf. Service-linked roles appear in your IAM account, and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles.

  • Service roles – AWS RoboMaker supports service roles. This feature allows a service to assume a service role on your behalf. This role allows the service to access resources in other services to complete an action on your behalf. Service roles appear in your IAM account, and are owned by the account. This means that an IAM administrator can change the permissions for this role. However, this might break the functionality of the service.

Troubleshooting authentication and access control

Use the following information to help you diagnose and fix common issues that you might encounter when working with IAM.

I am not authorized to perform an action in AWS RoboMaker

If you receive an error in the AWS Management Console that tells you that you're not authorized to perform an action, then you must contact the administrator that provided you with your user name and password.

The following example error occurs when an IAM user named my-user-name tries to use the console to perform the CreateRobotApplication action, but does not have permissions.

User: arn:aws:iam::123456789012:user/my-user-name is not authorized to perform: aws-robomaker:CreateRobotApplication on resource: my-example-robot-application

For this example, ask your administrator to update your policies to allow you to access the my-example-robot-application resource using the aws-robomaker:CreateRobotApplication action.

I'm an administrator and want to allow others to access AWS RoboMaker

To allow others to access AWS RoboMaker you must create an IAM entity (user or role) for the person or application that needs access. They will use the credentials for that entity to access AWS. You must then attach a policy to the entity that grants them the correct permissions in AWS RoboMaker.

To get started right away, see Getting started with IAM.