IAM
Table of Contents
1 Users and Roles
An AWS account is first associated with one root user who has complete access over AWS services and accounts. It's best practice to create an IAM user using the root user and lock away the root user credentials.
1.0.1 IAM Users
An IAM User consists of a name, a password for accessing the AWS console and up to two access keys that can be used with the AWS API or CLI. It's granted permissions by either making it a member of a user group (recommended) or directly adding policies.
1.0.2 IAM Roles
An IAM Role is similar to an IAM user, but does not have any credentials associated with it. An IAM user can assume a role to temporarily take on permissions for a specific task.
1.0.3 IAM Policies
An IAM policy describes which entities can access particular resources. Many policies will exist by default in your account: https://us-east-1.console.aws.amazon.com/iamv2/home#/policies.
1.0.4 Principals
A principal is an individual or application which can make requests for an action on an AWS resource. The principal is authenticated as the AWS account root user or an IAM entity (a user or role) to make requests to AWS.
1.1 Examples
Here's a Cloudformation snippet which sets up an AWS::IAM::Role
for use as the execution role of an AWS::ECS::TaskDefinition
(ie the ExecutionRoleArn
property):
ECSTaskExecutionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: Service: - 'ecs-tasks.amazonaws.com' Action: - 'sts:AssumeRole' ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
The AssumeRolePolicyDocument
property defines the trust policy assigned to the role, a special policy which specifies which entities can assume the role. Here we are setting the Principal
to be Amazon ECS tasks (ie a service principal). Other values such as Principal: {AWS: arn:aws:sts::AWS-account-ID:role/role-name}
could also be used here, the aforementioned would have the effect of allowing the role role-name
to assume our new role.
Here's a similar snippet, but in terraform:
resource "aws_iam_role" "ecs_task_execution_role" { name = "ecs_task_execution_role" assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [ { Effect = "Allow" Principal = { Service = "ecs-tasks.amazonaws.com" } Action = "sts:AssumeRole" }, ] }) managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"] }
For an AssumeRolePolicyDocument
property, Action
has to be sts:AssumeRole
(since the property specifies which entities can assume the role [confirmation needed]), though for other IAM JSON policy elements, we could could use a different action, e.g. sqs:SendMessage
.
For example, we could define different a different action in an inline policy present in the Policies
property of AWS::IAM::Role
.