Can AWS IAM be used to control access for custom applications? I heavily rely on IAM for controlling access to AWS resources. I have a custom Python app that I would like to extend to work with IAM, but I can't find any references to this being done by anyone.
I've considered the same thing, and I think it's theoretically possible. The main issue is that there's no call available in IAM that determines if a particular call is allowed (SimulateCustomPolicy may work, but that doesn't seem to be its purpose so I'm not sure it would have the throughput to handle high volumes).
As a result, you'd have to write your own IAM policy evaluator for those custom calls. I don't think that's inherently a bad thing, since it's also something you'd have to build for any other policy-based system. And the IAM policy format seems reasonable enough to be used.
I guess the short answer is, yes, it's possible, with some work. And if you do it, please open source the code so the rest of us can use it.
The only way you can manage users, create roles and groups is if you have admin access. Power users can do everything but that.
You can create a group with all the privileges you want to grant and create a user with policies attached from the group created. Create a user strictly with only programmatic access, so the app can connect with access key ID and secure key from AWS CLI.
Normally, IAM can be used to create and manage AWS users and groups, and permissions to allow and deny their access to AWS resources.
If your Python app is somehow consuming or interfacing to any AWS resource as S3, then probably you might want to look into this.
connect-on-premise-python-application-with-aws
The Python application can be upload to an S3 bucket. The application is running on a server inside the on-premise data center of a company. The focus of this tutorial is on the connection made to AWS.
Consider placing API Gateway in front of your Python app's routes.
Then you could control access using IAM.
Related
My requirement is to access some AWS APIs from a mobile application(Written in flutter). Currently how I have done it is by creating an IAM user with only the permissions required and using the access credentials of that user I sign my APIs.
What I am looking to do is instead of storing these credentials with in my app. Is there a way to use some sort of sign in mechanism to obtain some credentials and use those for signing my APIs?
Update 1:
To add more context. This is purely a hobby project and mostly for personal use. And for my use case storing credentials with in application is more than enough. Anyway I have intention to publish it as an open source project and I want to add a better way to handle this. Currently am not storing any credential in my code but am adding it as a an ENV during build process.
I think I would be able to handle this if I create my own backend to generate temporary credentials. But if there is some other standard solution out there I would like to utilize that.
Storing credentials in an application is an antipattern, and AWS provides features that prevent the need for you to do so.
Two alternatives off the top of my head.
The most obvious of these is AWS IAM Instance Profiles. These permit you to bind IAM permissions to an EC2. Any application or service on this ec2 is then permitted to perform the actions permitted by the IAM profile bound to the Instance Profile.
If you are running your application in EKS, you can leverage IRSA to bind IAM permissions to a service-account in the EKS cluster.
I assume you're running your service on EC2, and that therefore the InstanceProfile approach is easiest.
I basically want them to have access to create/modify anything that they create, but not really able to modify/delete existing resources.
Or in some other way put them in their own bubble.
I actually got AWS certified associate in architecture, so should have some idea of whatever you say. I forgot most of what I learned for the test.
For now I made them a PowerUser.
Thanks!
Currently, there is no elegant solution for this in a shared AWS account. If you need this level of separation, creating a sub-account is the way to achieve this.
but not really able to modify/delete existing resources.
You can use resource and/or identity tags and then allow or deny actions based on tags. E. g. you can deny any action for tags env=production. See https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html
You can create simple or more complex Tag Policies to enforce consistent resource tagging.
And there is a way to enforce the owner identity in a tag, so you can allocate costs. (just search the inet for it if you want)
Or in some other way put them in their own bubble.
To keep it simple the development is usually done on a separate (organizational) account and the developers shoup deliver a deployment script/procedure to deploy the resources to other stages (cloudformation, terraform,..) .
. i started by granting PowerUser. then SystemAdministrator
This is something... the developers should not need. If so, you could implement an SCP (Service control policies) to limit even the admin users (deny disabling the cloudtrail, access to sensitive kms, modify roles with certain tags,.. .)
I work on the project that is entirely stored and run on AWS. I need to add a few software consultants to my AWS CodeCommit. All I want them to do is to be able to work on a few repositories at that's it. I don't even want to give them power to create/delete repositories.
What is the best strategy to create such users, only for CodeCommit, so I don't give them too much power?
Should I create a group for them?
Thanks for help
EDIT: When creating the user It looks like I have to pick between "Programmatic access" and "AWS Management Console access" - both sounds powerful
Granting programatic and/or console access isn't really saying a whole lot. Neither of those things give a user the ability to do much of anything. The key is in the permissions you grant them. In your case you should set up a group for these people and grant permissions to the group. If the users will only be using CodeCommit via git then you can make their permissions pretty limited. You may want to grant them console access to manage their own keys, but that would be about it. Here are some resources that will help you understand the permissions to grant.
CodeCommit Permissions
Using IAM with CodeCommit: Git Credentials, SSH Keys, and AWS Access Keys
I work as a contractor for a large enterprise company and I was assigned to a new project recently for which we need to request resources on AWS. For our project we will need access to EC2 and RDS.
I am not very familiar with AWS, so my question is: will it be possible to get access to AWS Web Console for our team with limited services (access only to EC2 and RDS in our case)? How much work is needed to provide such access (to set up IAM etc)?
I am a bit concerned that I will not get access to AWS Web Console, because I was asked if I needed a sudo user for a VM. It was frustrating for me to hear such question, because I will need several VMs rather than one.
By default, IAM Users have no access to services. In such a situation, they can access the AWS management console, but there will be many error messages about not having access to information, nor the ability to perform actions.
Once an IAM User is granted the necessary permissions, the console will start working better for them. However, it an be difficult to determine exactly which permissions they require to fully use the console. For example, to use the EC2 console, the user would require ec2:DescribeInstances, which allows them to view details about all EC2 instances. This might not be desirable in your situation, since they might not want these users to see such a list.
Then comes the ability to perform actions on services, such as launching an EC2 instance. This requires the ec2:RunInstances permission, but also other related permissions to gain access to security groups, roles and networking configuration.
Bottom line: Yes, you will be able to access the AWS management console. However, your ability to view or do things will be limited by the permissions you are provided.
I am in the early stages of writing an AWS app for our users that will run our research algorithms using their AWS resources. For example, our code will need to spin up EC2 instances running our 'worker' app, access RDS databases, and create access SQS queues. The AWS Java SDK examples (we are writing this in Java) use a AwsCredentials.properties file to store the Access Key ID and Secret Access Key, which is fine for examples, but obviously not acceptable for our users, who are would be in essence giving us access to all their resources. What is a clean way to go about running our system on their behalf? I discovered AWS Identity and Access Management (IAM) which seems to be for this purpose (I haven't got my head around it yet), esp. Cross-account access between AWS accounts. This post makes it sound straightforward:
Use the amazon IAM service to create a set of keys that only has
permission to perform the tasks that you require for your script.
http://aws.amazon.com/iam/
However, other posts (e.g., Within IAM, can I restrict a group of users to access/launch/terminate only certain EC2 AMIs or instances?) suggest there are limitations to using IAM with EC2 in particular.
Any advice would be really helpful!
The key limitation with regards to RDS and EC2 is that while you can restrict access to certain API actions there are no resource level constraints. For example with an IAM S3 policy you can restrict a user to only being able to perform certain actions on certain buckets. You can write a policy for EC2 that says that user is allowed to stop instances, but not one that says you can only stop certain instances.
Another option is for them to provide you with temporary credentials via the Security Token Service. Another variant on that is to use the new IAM roles service. With this an instance has a set of policies associated with it. You don't need to provide an AwsCredentials.proprties file because the SDK can fetch credentials from the metadata service.
Finally one last option might be consolidated billing. If the reason you are using their AWS resources is just because of the billing, then setup a new account which is billed from their account. The accounts are isolated from each other so you can't for example delete their instances by accident. Equally you can't access their RDS snapshots and things like that (access to an RDS instance via mysql (as opposed to the AWS api) would depend on the instance's security group). You can of course combine this with the previous options - they could provide you with credentials that only allow you to perform certain actions within that isolated account.