Confused about IAM Roles, Policies, Statements and Actions - amazon-web-services

The CloudFormation documentation describes the following relationships between the parts of an IAM Role specification:
Service (Lambda in my case)
  has one or more Role/s,
    which contain one or more Policy/ies,
      which contain a Policy Document,
        which contains one or more Statement/s,
          which contains one or more {Effect,[Action],Resource} objects,
            which specify one or more Action/s
Suppose I want to give a [Role] permission to do an [Action]. How do I determine where in the above hierarchy the permission should be specified?
In my specific case, I want to add s3:GetObject to a role for a Lambda.
Should I
  create a new Role?
  create a new Policy in an existing Role?
  add a new statement to an existing Policy?
  add a new Action to an existing Statement (using Resource:'*')?
Looking for guidance as to when each of the above would apply...

I guess you can do any of the following, the only requirement being your policy document for that role must contain the statement s3:GetObject.
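The answer above says any of the four options works as long as the statement ends up in the role's policy document. The following added example (not code from the question or the answer) walks that hierarchy on a CloudFormation-style AWS::IAM::Role properties dict: it reuses an inline policy of the given name and an existing Allow statement on the same resource before creating new ones. The role, policy names and bucket are constructed placeholders.

```python
import copy

# Constructed trust policy: only the Lambda service may assume this role.
LAMBDA_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}

def grant(role_props, policy_name, action, resource):
    """Copy of the role properties with `action` allowed on `resource`, reusing
    an inline policy of that name and an Allow statement on the same resource
    (Role -> Policies -> PolicyDocument -> Statement -> Action) before creating new ones."""
    role = copy.deepcopy(role_props)
    policies = role.setdefault("Policies", [])
    policy = next((p for p in policies if p["PolicyName"] == policy_name), None)
    if policy is None:  # no inline policy of this name yet: create it
        policy = {"PolicyName": policy_name,
                  "PolicyDocument": {"Version": "2012-10-17", "Statement": []}}
        policies.append(policy)
    statements = policy["PolicyDocument"]["Statement"]
    for stmt in statements:  # same Effect and Resource: extend that statement's Action
        if stmt.get("Effect") == "Allow" and stmt.get("Resource") == resource:
            actions = _as_list(stmt["Action"])
            if action not in actions:
                actions.append(action)
            stmt["Action"] = actions
            return role
    statements.append({"Effect": "Allow", "Action": [action], "Resource": resource})
    return role

def _as_list(value):
    return list(value) if isinstance(value, list) else [value]

def actions_on(role_props, resource):
    """Every action that some Allow statement in the role grants on exactly `resource`."""
    found = set()
    for policy in role_props.get("Policies", []):
        for stmt in policy["PolicyDocument"]["Statement"]:
            if stmt.get("Effect") == "Allow" and stmt.get("Resource") == resource:
                found.update(_as_list(stmt["Action"]))
    return found

# Constructed starting point: a Lambda execution role with one logging policy.
LAMBDA_ROLE = {"AssumeRolePolicyDocument": LAMBDA_TRUST, "Policies": [
    {"PolicyName": "logs", "PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "logs:CreateLogStream", "Resource": "*"}]}}]}

# Grant the object read scoped to one bucket instead of Resource: "*".
WITH_S3 = grant(LAMBDA_ROLE, "s3-read", "s3:GetObject", "arn:aws:s3:::example-bucket/*")
```

Scoping the Resource to the bucket rather than `*` is the least-privilege choice; the original role dict is left untouched so the diff can be reviewed before deploying.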

Related

Export an inline user group policy in AWS

I want to make an inline policy (i.e., one that exists only in the context of an IAM permission group) a managed one (i.e., one that exists globally). Is that possible? If so, how? (I would prefer AWS GUI solutions and not CLI ones)
It is not possible to convert an inline policy to a managed policy.
What you can do is:
1. Go to IAM - Groups
2. Choose the group whose policy you want
3. Go to the Permissions tab
4. Select the inline policy
5. Open it in JSON Viewer and copy the whole JSON
6. Go to Policies
7. Click on the Create a Policy button and follow the steps. On the first page, switch from Visual editor to JSON and paste your policy
I believe you are looking for a "Customer managed policy", see more at
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies
You can create standalone policies that you administer in your own AWS account, which we refer to as customer managed policies. You can then attach the policies to multiple principal entities in your AWS account. When you attach a policy to a principal entity, you give the entity the permissions that are defined in the policy.
There is also a section specifically for Converting an inline policy to a managed policy

Is using tag values to control access to a resource possible?

In an attempt to give an instance access to a specific folder in an s3 bucket, I've got this in a policy:
"Resource": "arn:aws:s3:::My_Bucket/db_backups/${aws:ResourceTag/Name}/*"
It doesn't work. Documentation for using tags like this is here: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html
So perhaps what I'm trying to do is not possible.
But I'd rather not create a new role for each instance that needs access to a folder. Is there some other way I can pull this off?
You can use IAM policy elements: Variables and tags - AWS Identity and Access Management to write a single policy that applies to multiple IAM Users / IAM Roles.
As shown in that documentation, using an aws:userid variable will insert role-id:ec2-instance-id. Thus, the instances could be granted access to paths that match their role and instance, such as:
s3://bucketname/AROAU2DKSKXYQTOSDGTGX:i-abcd1234/*
The aws:ResourceTag is not defined for S3 resources. S3 only provides the tag as a policy variable when accessing objects and it is under the variable s3:ExistingObjectTag.
I had to do this for a recent engagement and one of the things that made this difficult is that not all services supply their tags as a policy variable and those that do all use different names. The aws:ResourceTag variable is only provided if the resource you are accessing is KMS and a few other services.
Regardless, I'm not sure if your statement will work. What I think you actually want is to use aws:PrincipalTag/Name — i.e. "Resource": "arn:aws:s3:::My_Bucket/db_backups/${aws:PrincipalTag/Name}/*". This will embed the Name tag of the IAM principal — user or role — that is being used to access the resource.
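The two answers above hinge on which variables the calling service actually supplies. The following added example (not code from the question or the answers) is a simplified model of IAM policy-variable substitution: it resolves ${...} variables in a Resource ARN against a constructed request context that carries aws:userid and aws:PrincipalTag/Name but, as for S3, no aws:ResourceTag, and shows why the asker's ARN can never match an object. Role id, instance id and tag value are placeholders, and the prefix match ignores IAM's other wildcard rules.

```python
import re

# ${...} policy variables as IAM writes them, e.g. ${aws:PrincipalTag/Name}.
VAR = re.compile(r"\$\{([A-Za-z0-9:/_-]+)\}")

def resolve_resource(resource, context):
    """Substitute ${key} variables from the request context; return (arn, unresolved keys)."""
    unresolved = []
    def sub(match):
        key = match.group(1)
        if key in context:
            return context[key]
        unresolved.append(key)  # no value supplied by this service: leave it as-is
        return match.group(0)
    return VAR.sub(sub, resource), unresolved

def allows_key(resource, context, bucket, key):
    """True if the resolved Resource ARN (ending in /*) covers s3://bucket/key."""
    arn, missing = resolve_resource(resource, context)
    if missing:  # an unresolved variable can never equal a real object key
        return False
    prefix = f"arn:aws:s3:::{bucket}/"
    return arn.startswith(prefix) and arn.endswith("/*") and key.startswith(arn[len(prefix):-1])

# Constructed request context for an EC2 instance calling S3 through a role whose
# Name tag is "db01". Role id and instance id are placeholders. There is no
# aws:ResourceTag/* entry because S3 does not supply it as a policy variable.
CONTEXT = {
    "aws:userid": "AROAEXAMPLEROLEID:i-0123456789abcdef0",
    "aws:PrincipalTag/Name": "db01",
}
ASKED = "arn:aws:s3:::My_Bucket/db_backups/${aws:ResourceTag/Name}/*"
PRINCIPAL_TAG = "arn:aws:s3:::My_Bucket/db_backups/${aws:PrincipalTag/Name}/*"
USERID = "arn:aws:s3:::My_Bucket/${aws:userid}/*"
```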

AssumeRole Action in a Role's Trust Relationship Policy

As per AWS documentation,
A user who wants to access a role in a different account must also have permissions that are delegated from the user account administrator. The administrator must attach a policy that allows the user to call AssumeRole for the ARN of the role in the other account.
I understand this requirement. However, I am not sure as to why an 'AssumeRole' action still needs to be specified again in the 'Trust Relationship' of the role. It makes sense to allow/restrict a Principal (using 'AssumeRole' action) to assume a specific role and also the role being assumed to trust the assuming Principal (in its 'Trust Relationship'), but not sure why the role itself has to specify 'AssumeRole' action in its Trust relationship. The roles are always meant to be assumable - isn't it? Or alternately, what is the significance of specifying 'AssumeRole' action in the 'Trust relationship' of a role?
I'm not an AWS Roles expert, but as far as I know, the Trust Relationship Policy Document makes sense for two main reasons:
A role can be assumed not only with sts:AssumeRole action, but also with sts:AssumeRoleWithSAML and sts:AssumeRoleWithWebIdentity (docs here).
As the name "Trust Relationship Policy Document" says, it's also a policy document. So instead of creating a different template for Trust Relationship, AWS creates a single policy template and uses it in all cases - this way we only need to learn the policy template once (docs here).
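To make the answer's first point concrete, the following added example (not code from the question or the answer) is a simplified model of the two checks behind a cross-account assume: the caller's identity-based policy must allow the sts:AssumeRole call on the role ARN, and the role's trust policy must name that principal for the same action, which is where sts:AssumeRole versus sts:AssumeRoleWithSAML is decided. Account ids, ARNs and policy documents are constructed, and matching is reduced to exact principals plus * wildcards.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(value, patterns):
    """Does any policy pattern (IAM-style * wildcard) match value?"""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def identity_allows(policy, action, role_arn):
    """Check 1: the caller's own identity-based policy allows `action` on the role ARN."""
    return any(s["Effect"] == "Allow" and _matches(action, s["Action"])
               and _matches(role_arn, s["Resource"]) for s in policy["Statement"])

def trust_allows(trust_policy, action, principal_arn):
    """Check 2: the role's trust policy names the principal for that same action."""
    for s in trust_policy["Statement"]:
        principal = s["Principal"]
        named = _as_list(principal.get("AWS", [])) + _as_list(principal.get("Federated", []))
        if s["Effect"] == "Allow" and principal_arn in named and _matches(action, s["Action"]):
            return True
    return False

def can_assume(identity_policy, trust_policy, action, principal_arn, role_arn):
    """Both checks must pass; neither side alone is enough."""
    return identity_allows(identity_policy, action, role_arn) and \
        trust_allows(trust_policy, action, principal_arn)

# Constructed: a user in account 111111111111 and a role in account 222222222222.
USER = "arn:aws:iam::111111111111:user/alice"
ROLE = "arn:aws:iam::222222222222:role/ReadOnly"
IDP = "arn:aws:iam::222222222222:saml-provider/ExampleIdP"
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE}]}
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}
# The Action in the trust policy is what distinguishes the assume paths: this role
# accepts plain sts:AssumeRole from alice, not SAML or web-identity federation.
TRUST_STS_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER}, "Action": "sts:AssumeRole"}]}
# This role accepts only federated SAML assertions from the named identity provider.
TRUST_SAML_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Federated": IDP}, "Action": "sts:AssumeRoleWithSAML"}]}
```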

How to add the drop down for IAM role in cloudformartion script?

I want to add a dropdown for existing IAM roles while creating a stack. The Parameter Type - AWS::IAM::Role gives only a text box to put the IAM role. I already have a role defined to create a stack and launch an instance. But how do I show the roles in the dropdown?
The snippets given in the documentation refer to the IAM policy creation and root user access.
Any suggestions for IAM Role drop down?
Not possible. CloudFormation supports only the following AWS-Specific Parameter Types: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html#aws-specific-parameter-types

AWS PutRolePolicy Action Restrictions

Is it possible to allow a role to call PutRolePolicy to put an inline policy document, but only allow said policy document to create statements for specific actions?
For example, I'd like to allow a role to create and attach policies for resources where the action is ec2:Describe*, but I do NOT want that role to be able to delete the VPC.