Chapter 5: IAM Policy

This content originally appeared on DEV Community and was authored by Nurul Ramadhona

Policies have come up since Chapter 2, including the best practice for attaching them. Now we'll discuss identity-based policies, which come in two categories: managed policies and inline policies.

Managed policies are divided into two categories: AWS managed policies and customer managed policies. An AWS managed policy is one that AWS already provides; a customer managed policy is one we create ourselves, for example by pulling an AWS managed policy, customizing it to what we need, and pushing it back as a new policy under a new name.

An inline policy is a policy you attach directly to a single identity: a 1:1 relationship between the policy and that identity. When you delete the user, the inline policy goes with it. This is not best practice, but here I just want to show that we can do it with Ansible.

For IAM Inline Policy, we use community.aws.iam_policy module.
For IAM Managed Policy, we use community.aws.iam_managed_policy module.

Inline Policy
Add variable to inventory:

      policy_new_inline:
        - { user: "{{ user6 }}", policy: IAMListUsers_Roles, template: "{{ lookup('template', 'inline_policy.json.j2') }}" }

Create json file:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListUsers",
                "iam:ListRoles"
            ],
            "Resource": "*"
        }
    ]
}

Task:

    - name: create inline policy
      community.aws.iam_policy:
        iam_type: user
        iam_name: "{{ item.user }}"
        policy_name: "{{ item.policy }}"
        state: present
        policy_json: "{{ item.template }}"
      loop: "{{ policy_new_inline }}"
      tags:
        - iam_policy_new_inline

Before we run the playbook, we need an IAM user to use. I'll create one more, along with an access key. Here are the updated variables and the task:

      user_new:
#        - "{{ user1 }}"
#        - "{{ user2 }}"
#        - "{{ user3 }}"
#        - "{{ user4 }}"
        - "{{ user6 }}"
      user_key:
#        - { name: "{{ user1 }}" }
#        - { name: "{{ user2 }}" }
#        - { name: "{{ user3 }}" }
#        - { name: "{{ user4 }}" }
#        - { name: "{{ user5 }}" }
        - { name: "{{ user6 }}" }

$ ansible-playbook -i host.yml iam.yml -t iam_user_key

PLAY [iam] *********************************************************************

TASK [create user] *************************************************************
changed: [localhost] => (item=daffa)

TASK [create user's key] *******************************************************
changed: [localhost] => (item={'name': 'daffa'})

Run the playbook:

$ ansible-playbook -i host.yml iam.yml -t iam_policy_new_inline

PLAY [iam] *********************************************************************

TASK [create inline policy] ****************************************************
changed: [localhost] => (item={'user': 'daffa', 'policy': 'IAMListUsers_Roles', 'template': {'Version': '2012-10-17', 'Statement': [{'Effect': 'Allow', 'Action': ['iam:ListUsers', 'iam:ListRoles'], 'Resource': '*'}]}})

Check that the policy works (configure an AWS CLI profile for the new IAM user first):

$ aws iam list-users --profile daffa | grep UserName
            "UserName": "aira",
            "UserName": "beny",
            "UserName": "daffa",
            "UserName": "nurul",
            "UserName": "rahman",
            "UserName": "rama",

$ aws iam list-roles --profile daffa | grep RoleName
            "RoleName": "aws-ec2-spot-fleet-tagging-role",
            "RoleName": "AWSServiceRoleForAmazonElasticFileSystem",
            "RoleName": "AWSServiceRoleForSupport",
            "RoleName": "AWSServiceRoleForTrustedAdvisor",
            "RoleName": "EC2DemoRole",
            "RoleName": "IAM",
            "RoleName": "IAM_Policy",

$ aws iam list-groups --profile daffa

An error occurred (AccessDenied) when calling the ListGroups operation: User: arn:aws:iam::0123456789:user/daffa is not authorized to perform: iam:ListGroups on resource: arn:aws:iam::0123456789:group/

As we can see, user daffa is only allowed to list users and roles, exactly as stated in the inline policy document.

Managed Policy
Add variable to inventory:

      policy_new_managed:
        - { name: IAMGetUser_Only, policy: "{{ lookup('template', 'managed_policy.json.j2') }}" }

Create json file:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:GetUser",
            "Resource": "*"
        }
    ]
}

Task:

    - name: create managed policy
      community.aws.iam_managed_policy:
        policy_name: "{{ item.name }}"
        policy: "{{ item.policy }}"
        state: present
      loop: "{{ policy_new_managed }}"
      tags:
        - iam_policy_new_managed

Run the playbook:

$ ansible-playbook -i host.yml iam.yml -t iam_policy_new_managed

PLAY [iam] *********************************************************************

TASK [create managed policy] ***************************************************
changed: [localhost] => (item={'name': 'IAMGetUser_Only', 'policy': {'Version': '2012-10-17', 'Statement': [{'Effect': 'Allow', 'Action': 'iam:GetUser', 'Resource': '*'}]}})

The task above only creates a managed policy. To attach it to an IAM group and user, I'll use the same tasks as before; I just need to change some variables, which should look like this:

      group_new_members: 
#        - { name: "{{ group1 }}", members: ["{{ user1 }}","{{ user2 }}"] }
        - { name: "{{ group1 }}", members: "{{ user4 }}" }
      user_new_policy:
#        - { name: "{{ user5 }}", policy: arn:aws:iam::aws:policy/IAMFullAccess }
        - { name: "{{ user3 }}", policy: arn:aws:iam::0123456789:policy/IAMGetUser_Only } 
      group_new_policy:
#        - { name: "{{ group2 }}", policy: arn:aws:iam::aws:policy/IAMReadOnlyAccess }
        - { name: "{{ group1 }}", policy: arn:aws:iam::0123456789:policy/IAMGetUser_Only }

Then I'll run the existing playbook with multiple tags.

$ ansible-playbook -i host.yml iam.yml -t "iam_user_new_policy, iam_group_new_policy, iam_group_new_members"

PLAY [iam] *********************************************************************

TASK [create group and add existing users as members] **************************
changed: [localhost] => (item={'name': 'developer', 'members': 'rahman'})

TASK [create a user and attach a managed policy] *******************************
changed: [localhost] => (item={'name': 'beny', 'policy': 'arn:aws:iam::0123456789:policy/IAMGetUser_Only'})

TASK [create group + attach managed policy] ************************************
changed: [localhost] => (item={'name': 'developer', 'policy': 'arn:aws:iam::0123456789:policy/IAMGetUser_Only'})

The tasks above attach the policy directly to user beny and to group developer, and add a user to that group (see the member listed in the output above). So user beny and all members of the developer group have the same policy, IAMGetUser_Only.

Check that the policy works:

$ aws iam get-user --user-name nurul --profile beny | grep UserName
        "UserName": "nurul",

$ aws iam get-user --user-name nurul --profile rahman | grep UserName
        "UserName": "nurul",

$ aws iam list-users --profile beny

An error occurred (AccessDenied) when calling the ListUsers operation: User: arn:aws:iam::0123456789:user/beny is not authorized to perform: iam:ListUsers on resource: arn:aws:iam::0123456789:user/

$ aws iam list-users --profile rahman

An error occurred (AccessDenied) when calling the ListUsers operation: User: arn:aws:iam::0123456789:user/rahman is not authorized to perform: iam:ListUsers on resource: arn:aws:iam::0123456789:user/

As we can see, these users can perform the GetUser operation but not ListUsers.
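The two CLI checks above (daffa with the inline policy, beny and rahman with the managed one) can be reproduced offline before anything is attached. The following is an added example, not code from the original post: a minimal evaluator for identity-based policy documents that applies the IAM decision order (explicit Deny wins, then any matching Allow, otherwise implicit deny), accepts Action/Resource as either a string or a list as both of this chapter's documents do, and ignores NotAction and Condition. The policy documents are constructed copies of the page's two JSON files.

```python
import fnmatch
import json

# Constructed copies of inline_policy.json.j2 and managed_policy.json.j2.
INLINE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["iam:ListUsers", "iam:ListRoles"],
                 "Resource": "*"}]
}""")
MANAGED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "iam:GetUser", "Resource": "*"}]
}""")


def _as_list(value):
    """IAM accepts Statement, Action and Resource as a string or a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policies, action, resource="*"):
    """Decide one request against every policy the identity holds.

    Mirrors the IAM evaluation order for identity-based policies: an explicit
    Deny in any statement wins, otherwise any matching Allow grants, and a
    request no statement matches is implicitly denied. Action names match
    case-insensitively with '*' wildcards; resource ARNs match case-sensitively.
    Toy evaluator: NotAction, NotResource and Condition are not handled.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            action_hit = any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                             for pat in _as_list(stmt.get("Action", [])))
            resource_hit = any(fnmatch.fnmatchcase(resource, pat)
                               for pat in _as_list(stmt.get("Resource", [])))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_permissions(policies, actions):
    """Map each candidate action to the decision for an identity holding all
    `policies` (a group member evaluates its own plus the group's policies)."""
    return {a: is_allowed(policies, a) for a in actions}


if __name__ == "__main__":
    checks = ["iam:ListUsers", "iam:ListRoles", "iam:ListGroups", "iam:GetUser"]
    print("daffa:", effective_permissions([INLINE_POLICY], checks))
    print("beny :", effective_permissions([MANAGED_POLICY], checks))
```

The printed maps match the AccessDenied results above: daffa gets ListUsers and ListRoles but not ListGroups, and beny gets GetUser but not ListUsers.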

So we've reached the end of the IAM section. In the next chapter, we'll delete everything we created from Chapter 2 to Chapter 5. It's optional, but in case you need it, I'll show you how. Let's move on to the last chapter of this series.

