Discover Your IAM Role With: sts get-caller-identity

When I’m working with AWS managed services like Beanstalk, ECS, Lambda, CodePipeline, CodeBuild, or whatever, I often have difficulty remembering which roles and policies these managed services are operating under. The aws sts get-caller-identity command provides a quick solution to this problem. As the documentation says, it…

Returns details about the IAM user or role whose credentials are used to call the operation.

aws.sts get-caller-identity documentation

You typically find the AWS CLI installed on the services I mentioned so you can just run the command (no permissions are required to run it) and it will very clearly display the role (or user) you’re currently operating with.

I recently figured this out while debugging some permissions issues with a CodePipeline pipeline. I had a relatively simple pipeline that checked source out of CodeCommit, built it with CodeBuild and then deployed it to S3 from CodePipeline. When I added a Terraform command to the CodeBuild script I started seeing Access Denied errors.

I was working on the assumption that the CodeBuild operations were being performed with the role I assigned to the CodeBuild job but then I started thinking maybe I had that wrong and it was actually the CodePipeline roles. My confidence was sinking.

When I continued to have no luck adding the necessary permission, I decided I needed to verify that I was making changes to the correct role. A little digging around got me to the the get-caller-identity API so I added it to my buildspec.yml as follows:

A quick check of the CloudWatch logs for the build confirmed that I was in fact making changes to the correct role (it was using the role assigned to CodeBuild).

Feeling a little more confident, I dug back into the policies attached to the role and discovered that s3:ListObjects is not a valid action in an IAM Policy statement. It’s a little unfortunate because the failure occurred on a ListObjects API call but the correct statement action ended up being s3:ListBucket.

Although my call to get-caller-identity only confirmed what I had suspected to be true, it made me more confident to keep digging into the policy to get it right. Too often the desire is to just throw a * in there, see that it works and move on. A little more context can help keep your policies only as permissive as they need to be.

Locking Down Your S3 Buckets With Terraform

Every time I hear about a company’s critical data being left exposed on the internet, I start thinking about my S3 buckets. I recently started creating some buckets with Terraform and realized acl = "private" isn’t as private as we would like. With that setting it’s still possible for objects to be put into the bucket with less restrictive ACLs. You know you only have "private" set when you see the text “Objects can be public” next to the bucket in the console.

To lock down your bucket, you’ll want to use the aws_s3_bucket_public_access_block resource. The full details can be found in the AWS S3 Block Public Access documentation. Here’s a full Terraform example:

resource "aws_s3_bucket" "private-bucket" {
  bucket = "private-bucket-sample"
  acl = "private"
}

resource "aws_s3_bucket_public_access_block" "private-bucket-public-access-block" {
  bucket = aws_s3_bucket.private-bucket.id
  block_public_acls = true
  block_public_policy = true
  ignore_public_acls = true
  restrict_public_buckets = true
}

When you’ve applied that block, you should see “Bucket and objects not public” next to your bucket in the console.

If you need public access to your S3 objects use CloudFront or maybe signed URLs. If you really must have public S3 objects, I would suggest moving that data to a separate AWS account. It’s pretty easy to manage multiple AWS accounts these days and having a separate account for your public bucket makes a lot of sense.

The iPhone Switch

I’ve been using my iPhone XS for about 3 weeks now after my hellish Google support experience. So far the transition has been mostly painless. Here’s what I’m enjoying from the hardware side of things.

Battery Life

There’s a Google billboard off the 101 on your way out of San Francisco where Google claims the Pixel 3’s battery life is superior to the iPhone XS. My experience has been quite the opposite. I would typically get range anxiety with my Pixel 3 if I was going to have it away from a charger for a full day. My iPhone XS has been lasting about 1.5 days with typical usage before I get to around 30% remaining.

Bluetooth

I’m not sure how they do it but all my Bluetooth devices sound better connected to my iPhone than they did with any of my Pixels. They connect quickly and I rarely get any drop outs even with the phone in my front pocket (i.e. my body between the phone and my headphones). I also have a Wahoo Tickr heart rate monitor and that connected right way with Strava. I can’t believe Google makes this seem so hard.

Face ID

I’ve been using fingerprint readers on my phones since the Nexus 6P and I’ve found them to work pretty well. I was a little surprised the iPhone XS didn’t have a fingerprint reader and I wasn’t sure what to think about using my face to unlock my phone. According to Apple ” Face ID data doesn’t leave your device and is never backed up to iCloud or anywhere else.” I’m not willing to give my face to the government but I am willing to trust Apple (at least for now) when they say my data is staying on the device.

So far the results have been pretty impressive, it picks up my face when I’m looking at the front of the phone but (more importantly to me) it doesn’t pick it up when I’ve got my sunglasses on or if I’m looking away. It even works well in low light situations. I experimented with tuning down the security level by turning off the attention awareness. It works as advertised but I prefer the added level of security that the attention awareness offers.

Camera

I haven’t taken a load of pictures but the few I have taken have turned out well enough. I took this shot six miles into the Bridge to Bridge run and yet it’s still crisp and looks like I had a steady hand (I didn’t!).

Fort Point during the Bridge to Bridge Run

By most standards, the quality should phenomenal but the Pixel camera was pretty good… when it worked. That’s the important thing, I haven’t had the iPhone camera fail on me once when I wanted to pop off a shot. Even before my recent debacle with Google, the Pixel camera was somewhat unreliable.

Conclusions

I’m pretty happy with my switch to the iPhone, aside from the dent in the wallet, it has been a pretty smooth transition for a decade long Android user.

Symphony: Numbered Headings

I want the headings in my documents to have heading numbers.  That way when I’m speaking to someone on the phone or via email, I can have them quickly navigate the document (e.g. “It’s in the first paragraph of section 2.2 on page 14.”).  If you’re coming from Word, figuring out how to do this in Lotus Symphony isn’t necessarily easy but this lesson should show you how.Read More »

Lotus Symphony

Last fall IBM introduced their Lotus Symphony product (re-introduced really).  This time around Symphony is a reworked version of the Open Office suite of business applications (word processor, spreadsheet, and presentation) integrated with the Eclipse application framework.  I’ve been a huge fan of Eclipse since it first appeared as a replacement for the IBM Visual Age development environment.  Eclipse has since grown into a multi-purpose framework for developing cross-platform applications.

So, why am I writing about this?  Well, I’ve become increasingly frustrated with Microsoft Office and I’m at the point where I think it’s time to make a fresh start.  Given the amount of time I have invested in learning Office, that’s not a decision made lightly.  Symphony is still in beta release so my hope is that IBM will listen to user feedback and make an office suite that meets my needs.

As I go about my learning process I’m going to post my experiences here.  Hopefully I’ll be able to provide some useful information for others making the transition.  Stay tuned…

SSH Tunnels

Usually the Internet works great and I can get to everything I need to from wherever I may be.  Sometimes, however, I find myself in a network with a firewall that blocks access to something I want.  At times like those I revert to using SSH tunnels.  Unfortunately (depending on how you look at it) I don’t find myself in those situations often enough to memorize the proper command syntax.  Hopefully this blog entry will save me the hassle of sifting through Google results for the solution.Read More »