I want to make an inline policy (i.e, one that exists only in the context of an IAM permission group) a managed one (i.e, one that exists globally). Is that possible? If so, how? (I would prefer AWS GUI solutions and not CLI ones)
It is not possible to convert an inline policy to a managed policy.
What you can do is:
Go to IAM - Groups
Choose the group whose policy you want
Go to Permissions tab
Select inline policy
Open it in JSON Viewer and copy the whole JSON
Go to Policies
Click on Create a Policy button and follow the steps. On the first page, switch from Visual editor to JSON and paste your policy
I believe you are looking for a "Customer managed policy", see more at
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies
You can create standalone policies that you administer in your own AWS account, which we refer to as customer managed policies. You can then attach the policies to multiple principal entities in your AWS account. When you attach a policy to a principal entity, you give the entity the permissions that are defined in the policy.
There is also a section specifically for Converting an inline policy to a managed policy
Related
AWS Quicksight has a built in default role aws-quicksight-service-role-v0 which does not have any policy attached to it. Knowing its ARN, I want to attach policies to the role via terraform. How can I achieve this?
In other words, how can I import a manually/automatically created resource outside terraform, into terraform?
If you just want to add a new policy to an existing IAM role and you know its ARN, you don't have to import it. You can just use aws_iam_role_policy to define and add the policy that you want to pre-existing role.
To work with resources already existing use data-sources:
https://www.terraform.io/language/data-sources
In my particular case, the below reference helped to pick the role by name and attach needed policies to it. As explained it works per policy, meaning you need to pick one policy at a time and attach it to as many roles or users you want.
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment
What difference between policies under the paths "aws:policy/service-role" and "aws:policy/aws-service-role"?
Is there any the logic behind this design?
The AWS managed policies within the aws-service-role path are policies that be attached to a service-linked role only.
If you go to AWS Console -> IAM -> Policies, filter by AWS Managed Polices and start clicking on them, you'll notice the ones with the aws-servive-role path have a help label at the top that reads "This policy is linked to a service and used only with a service-linked role for that service. You cannot attach, detach, modify, or delete this policy.". There might be a way to filter down to the service-linked policies in the AWS Console or CLI when desribing policies other than inspecting the paths, but it alludes me right now.
You can see their usage described here
https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html.
Here also is the blog post that describes what a service-linked role is https://aws.amazon.com/blogs/security/introducing-an-easier-way-to-delegate-permissions-to-aws-services-service-linked-roles/. Basically these are roles that can only be assumed by a specific service type.
The AWS managed policies in the service-role path are policies that can be attached to any role including "normal/basic" roles. These types of roles can be assumed by users, EC2 instances, or anywhere else roles are assumed.
For example you could give someone permission to attach a linked-service role that has the policy arn:aws:iam::aws:policy/aws-service-role/AWSLambdaReplicator attached which is only attachable to a linked-role linked to the Lambda service. They would be able to use this role in the Lambda execution role, but they would not be able to use this role with another service like EC2 or an IAM user. This supports an admin allowing users to assign out permissions to new resources that users spins up (a new Lambda) that that the admin trusts the linked AWS service to use, but don't want to allow that user to access directly through their user account or give them to other custom applications running in AWS.
I am receiving this error message when trying to upload to an AWS Lambda. This is from the AWS Example - example
In particular it says IAM is not authorized to perform iam:ListRoles nor iam:ListPolicies.
I checked my IAM user's AWS Lambda ListFunctions in the AWS policy simulator which says it is working , although I do not know if this is relevant to my problem.
thanks
Error Message
Policy Simulator
Your IAM user which is being used here might not be having permissions to perform operations like iam:ListRoles. Please try out the following steps:
Go to your AWS Console. And select the IAM service.
Then choose the Users tab on the left hand side.
Select the particular user(it's named General I guess).
In the permissions tab, click on Add Permissions
A new view should be present where you need to select Attach existing policies directly option on the top.
Select the option Create Policy.
Now create a new policy by selecting service as IAM, and Actions as required(List actions) and select All resources, and create the policy.
Then select this newly created policy in the step 5 view and add permissions.
Now retry with the uploading of Lambda.
is there a way that i could update an existing roles iam (inline) policy.
Process followed for now:
1) I am able to create an role
2) I am able to attach a managed policy
3) I am able to attach an inline policy
I accept 2 parameters in the script one is an externalid and another is the role name. If the enduser or customer specifies an input for an existing role then i would have update the existing role's IAM Policy and i have to add new aws services to the existing policy
Thanks
Nataraj
This is straightforward with update stack.
ASR Thank you very much for your input
I have an IAM group called "devops" to which I want to apply a policy that will grant members of that group full access to EC2 instances tagged "Class=devops", and no access to any other EC2 instances. I found this great knowledge center article by Amazon which put me on the right path: https://aws.amazon.com/premiumsupport/knowledge-center/iam-ec2-resource-tags/.
The problem as I see it stems from the "Note" about halfway down that page:
"Full control" extends to all actions within the EC2 namespace with the exception of those Amazon EC2 API actions that currently do not support resource-level permissions. For more information, see Unsupported Resource-Level Permissions in the Amazon EC2 API Reference.
If you follow the link in the note to the list of unsupported resource-level permissions, you'll find that it's dozens of items long. You'll also find this statement:
All Amazon EC2 actions can be used in an IAM policy to either grant or deny users permission to use that action. However, not all Amazon EC2 actions support resource-level permissions, which enable you to specify the resources on which an action can be performed. The following Amazon EC2 API actions currently do not support resource-level permissions; therefore, to use these actions in an IAM policy, you must grant users permission to use all resources for the action by using a * wildcard for the Resource element in your statement.
In order to grant "allow" permissions to all of these.
If I wanted to grant permissions in this policy to all of those actions which don't support resource-level permissions, my policy would be hundreds of lines long! Is there a better and more concise way to do this?
There is one simple shortcut. A lot of the actions start with the same word such as "Describe". You can cover this list with a wildcard. Example, "Action" : "ec2:Describe*".
Just be careful with actions that will then override your other policy sections that DENY actions for specific resources.