In IAM, what is the purpose/use of the "Path" variable when creating an IAM User via the CLI or API?
The path variable in IAM is used for grouping related users and groups in a unique namespace, usually for organizational purposes.
From Friendly Names and Paths:
If you are using the IAM API or AWS Command Line Interface (AWS CLI) to create IAM entities, you can also give the entity an optional path. You can use a single path, or nest multiple paths as if they were a folder structure. For example, you could use the nested path /division_abc/subdivision_xyz/product_1234/engineering/ to match your company's organizational structure. You could then create a policy to allow all users in that path to access the policy simulator API. To view this policy, see IAM: Access the Policy Simulator API Based on User Path. For additional examples of how you might use paths, see IAM ARNs.
For example, a large organization may have users in paths /WestRegion/AZ and /EastRegion/NY. This would correspond to internal divisions of the organization.
Here are some examples from the above document:
An IAM user called Bob in a given account:
arn:aws:iam::123456789012:user/Bob
Another different user Bob with a path reflecting an organization chart:
arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob
An IAM group:
arn:aws:iam::123456789012:group/Developers
An IAM group with a path:
arn:aws:iam::123456789012:group/division_abc/subdivision_xyz/product_A/Developer
Note that this metadata is not exposed in the Console. My guess is that usage of a user path is more suited for large organizations, or advanced users, that would normally rely on CloudFormation and/or the AWS CLI for managing their AWS resources. For example, the --path-prefix is a parameter to aws iam list-users.
See http://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
Related
I have a centralized CloudTrail bucket which contains the CloudTrail logs of multiple accounts. Is it possible to write a bucket policy which allows that account 123456789112 can only download logs from Awslogs/123456789112 and that account 456789012345can only download logs from Awslogs/456789012345etc ? I don't want to hardcode this for each account since I have a lot of accounts. Is there a way to do this?
AWS IAM policies (and bucket policies) support a few policy variables that you can use as dynamic values such as aws:SourceIp, however account ID is not one of them. There is a aws:userid variable but it's the account ID only for the root user, for other principals like IAM user/role it is the user/role name. Technically if you used the AWS root user to access this bucket, you could use the userid variable in the Resource element to achieve what you want but it is strongly recommended not to use the root user for such everyday tasks (AWS recommendation).
There are also policy condition keys like aws:PrincipalAccount but without a relevant policy variable these cannot be used to dynamically compare the requesting account ID with the resource. There are no other IAM feature that could be used to achieve this.
I don't know your exact environment but a few things to consider:
I'd recommend to explicitly list the allowed principal ARNs anyway because even if you have many accounts, you should allow only specific IAM users/roles to read the bucket to follow the least privilege principle. Granting access based on account ID would allow all users/roles in that account to read these files and not just specific services. (unless this is the objective)
since this is a cross-account access (principal in account A wants to read from the bucket located in account B), you will need to allow this access on both sides, both in the requester's IAM policy and the target bucket's policy. Just a heads up. More info on AWS.
I would consider using Terraform to simplify the management of these resources
Hope this helps, let me know if you have more questions!
After discovering that a user (principal) needs an additional permission to perform a task, I would like to know what standard roles include that permission so I can add the role to the user. I would also like to know what other permissions each of those roles provide so I can select the one with permissions that match the user's needs. I am not able to use custom roles, and I am avoiding the basic roles as they are too wide.
At present, I am using https://cloud.google.com/iam/docs/understanding-roles#support-roles.
I search for the permission, then scroll up to the see the role name and all the other permissions in that role.
It works but is slow for what must be a common task.
Is there a better web page or a gcloud api command that would work better.
The GCP documentation offers a (huge) page that allows you to identify the different roles that grant them.
In addition to the page you cited you can later, using the gcloud CLI, describe a role and see the different permissions it grants. For example:
gcloud iam roles describe roles/iam.roleViewer
The command will output:
description: Read access to all custom roles in the project.
etag: AA==
includedPermissions:
- iam.roles.get
- iam.roles.list
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
name: roles/iam.roleViewer
stage: GA
title: Role Viewer
AFAIK, the gcloud CLI doesn't give you the opportunity to, given a certain permission, get the roles that grant it.
Based on GCP documentation one can check the pre-defined roles given a permission
I'm trying to list all my GCP projects under the organization using IAM Custom Role and assign it to my new Service Account.
Could you let me know what exactly permissions should I add to this role for fine-grained access?
I also don't want to use these default permissions:
roles/viewer
roles/editor
roles/owner
According to Google's documentation about access control for projects :
When creating a Custom Role for use with Resource Manager, be aware of the following points:
List and get permissions, such as resourcemanager.projects.get/list, should always be granted as a pair.
When your Custom Role includes the folders.list and folders.get permissions, it should also include projects.list and projects.get.
So in order to be able to list every projects of an organisation, you'll need to provide the following permissions to your Custom Role:
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.folders.get
resourcemanager.folders.list
Also, please note that the predefined role roles/browser regroup most of this scope without being overly permissive.
Granting new rights to a user or a Service Account is not necessarily immediate and may take up to 5/10min in order to be propagated.
In Google Cloud Platform (GCP), you can only get the IAM policy for a specific resource by calling getIamPolicy (get-iam-policy in gcloud).
Is there a way to list, search, list, search, or find IAM policies across resources, services, or projects?
This is needed to answer questions like:
What roles does a service account have?
Which resources are shared publicly?
Do policies contain deleted users?
Does a user still appear in any policies after they leave my company?
Does a user has a given role?
You can use search-all-iam-policies to search all the IAM policies across services, resource types, projects within a project, folder, or organization.
To browse policies in a project with number 123 (note that only policies for the listed resource types are supported):
gcloud asset search-all-iam-policies --scope=projects/123
Who has the role Owner in my org?
gcloud asset search-all-iam-policies --scope=organizations/456 --query="policy:roles/owner"
Who can change project IAM policies in my org?
--query='policy.role.permissions:resourcemanager.projects.setIamPolicy'
Which roles does an account has?
--query="policy:123-compute#developer.gserviceaccount.com"
Which resources are shared publicly?
--query="policy:(allUsers OR allAuthenticatedUsers)"
Are there deleted accounts in policies?
--query="policy:deleted"
Does amy#bar.com appear in any policy?
--query="policy:amy#bar.com"
Does amy#bar.com have the Owner role?
--query="policy:(roles/owner amy#bar.com)"
How to find all the IAM policies for a given resource type (e.g., projects)?
--query="policy:roles/owner resource://cloudresourcemanager.googleapis.com/projects"
Is there any gmail account having the role Owner?
`--query="policy:(roles/owner *gmail*)"
You can change the scope to a folder or a project.
To use the command, you must:
Enable Cloud Asset API, and
Have cloudasset.assets.searchAllIamPolicies permission upon the scope, which is included in these roles:
roles/cloudasset.viewer
roles/cloudasset.owner
roles/viewer
roles/editor
roles/owner
Documentation:
More gcloud examples: https://cloud.google.com/asset-inventory/docs/searching-iam-policies-samples
Guide: https://cloud.google.com/asset-inventory/docs/searching-iam-policies
API reference: https://cloud.google.com/asset-inventory/docs/reference/rest/v1p1beta1/iamPolicies/searchAll
Searchable resource types: https://cloud.google.com/asset-inventory/docs/supported-asset-types#searchable_asset_types
I am trying to figure out a way to allow a GCP user to list buckets but only those where the user has permissions (through ACL). The reason is because it can be overwhelming the number of buckets and the user experience would not be the best. Any ideas ?
Thanks!
I am trying to figure out a way to allow a GCP user to list buckets
but only those where the user has permissions (through ACL).
You cannot accomplish your goal using either Bucket ACLs or IAM permissions.
To list Google Cloud Storage buckets, you need the IAM permission storage.buckets.list.
This permission grants the IAM member account permission to list all buckets in the project. You cannot restrict this permission further to list only specific bucket names. This permission does not allow listing the objects in a bucket.
For a future design decision, you can use different projects and organize your buckets under projects. This will limit access to only IAM members of that project.
When you create a bucket you permanently define its name, location and the project it is part of. These characteristics cannot be changed later.
If you're using the CLI, you can write a script that gets the permissions for each listed bucket, and only displays it if the user account is in the permission list:
for bucket in $(gsutil ls); do
if gsutil acl get $bucket|grep -q $(gcloud config get-value account) ; then
echo $bucket;
fi;
done
Note that inherited permissions (e.g. at the project level) will not appear with this script.
This can't be accomplished with the console, but if you need a web interface listing only certain buckets, then you can build it yourself by calling the API and doing the same thing that the CLI script does.