Previous: Deployments, Next: KafkaUp: Cloud

IAM

Table of Contents

1 Users and Roles

An AWS account is first associated with one root user who has complete access over AWS services and accounts. It's best practice to create an IAM user using the root user and lock away the root user credentials.

1.0.1 IAM Users

An IAM User consists of a name, a password for accessing the AWS console and up to two access keys that can be used with the AWS API or CLI. It's granted permissions by either making it a member of a user group (recommended) or directly adding policies.

1.0.2 IAM Roles

An IAM Role is similar to an IAM user, but does not have any credentials associated with it. An IAM user can assume a role to temporarily take on permissions for a specific task.

1.0.3 IAM Policies

An IAM policy describes which entities can access particular resources. Many policies will exist by default in your account: https://us-east-1.console.aws.amazon.com/iamv2/home#/policies.

1.0.4 Principals

A principal is an individual or application which can make requests for an action on an AWS resource. The principal is authenticated as the AWS account root user or an IAM entity (a user or role) to make requests to AWS.

1.1 Examples

Here's a Cloudformation snippet which sets up an AWS::IAM::Role for use as the execution role of an AWS::ECS::TaskDefinition (ie the ExecutionRoleArn property):

ECSTaskExecutionRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - 'ecs-tasks.amazonaws.com'
          Action:
            - 'sts:AssumeRole'
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy

The AssumeRolePolicyDocument property defines the trust policy assigned to the role, a special policy which specifies which entities can assume the role. Here we are setting the Principal to be Amazon ECS tasks (ie a service principal). Other values such as Principal: {AWS: arn:aws:sts::AWS-account-ID:role/role-name} could also be used here, the aforementioned would have the effect of allowing the role role-name to assume our new role.

Here's a similar snippet, but in terraform:

resource "aws_iam_role" "ecs_task_execution_role" {
  name = "ecs_task_execution_role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Service = "ecs-tasks.amazonaws.com"
        }
           Action = "sts:AssumeRole"
      },
    ]
  })

  managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"]
}

For an AssumeRolePolicyDocument property, Action has to be sts:AssumeRole (since the property specifies which entities can assume the role [confirmation needed]), though for other IAM JSON policy elements, we could could use a different action, e.g. sqs:SendMessage.

For example, we could define different a different action in an inline policy present in the Policies property of AWS::IAM::Role.

Author: root

Created: 2024-03-23 Sat 11:44

Validate