brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-09 05:44:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
4a90ad8bc0c4306e74b6e09116cffb6c4136a2f5
oam/knowledge base/cloud computing/aws/iam.md
Michele Cereda 4a90ad8bc0 chore(iam,ansible): assume role in ansible tasks
2024-08-14 18:22:13 +02:00

9.3 KiB
Raw Blame History

Identity and Access Management

Entity Description Notes
User Represents a human or a workload.
Defined by its name and credentials.		 No permissions by default, need to be assigned to it
Role Defines a set of permissions for making requests to AWS services.
Defines what actions can be performed on which resources.		 Can be assumed by AWS services, applications and users

To be able to assume roles:

  • Users, roles or services must have the permissions to assume the role they want to assume.
  • The role's trust relationship should allow the users, roles or services to assume it.

From Using service-linked roles:

A service role is an IAM role that a service assumes to perform actions on your behalf.
An IAM administrator can create, modify, and delete a service role from within IAM.

A service-linked role is a type of service role that is linked to an AWS service.
The service can assume the role to perform an action on your behalf.
Service-linked roles appear in your AWS account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles.

Check aws.permissions.cloud for a community-driven source of truth for AWS identity.

  1. IAM policies
  2. Assume Roles
    1. Require MFA for assuming Roles
  3. Further readings
    1. Sources

IAM policies

IAM does not expose policies' Sid element in the IAM API, so it can't be used to retrieve statements.

Examples:

Give a user temporary RO access to a bucket

  1. Create the policy:

    {
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowAttachedPrincipalsTemporaryROAccessToBucket",
    "Effect": "Allow",
    "Action": [
      "s3:GetObject",
      "s3:GetObjectAttributes",
      "s3:ListBucket",
      "s3:ListBucketVersions"
    ],
    "Resource": [
      "arn:aws:s3:::my-bucket",
      "arn:aws:s3:::my-bucket/*"
    ],
    "Condition": {
      "DateLessThan": {
        "aws:CurrentTime": "2024-03-01T00:00:00Z"
      }
    }
  }]
}

    $ aws iam create-policy --output 'yaml' \
  --policy-name 'temp-ro-access-my-bucket' --policy-document 'file://policy.json'
- Policy:
    Arn: arn:aws:iam::012345678901:policy/temp-ro-access-my-bucket
    AttachmentCount: 0
    CreateDate: '2024-02-25T09:34:12+00:00'
    DefaultVersionId: v1
    IsAttachable: true
    Path: /
    PermissionsBoundaryUsageCount: 0
    PolicyId: ANPA2HKHE74L11PTJGB3V
    PolicyName: temp-ro-access-my-bucket
    UpdateDate: '2024-02-25T09:34:12+00:00'

  2. Attach the newly created policy to the user:

    aws iam attach-user-policy \
  --user-name 'my-user' --policy-arn 'arn:aws:iam::012345678901:policy/temp-ro-access-my-bucket'

Assume Roles

Refer Introduction to AWS IAM AssumeRole.

Users, Roles and Services can assume Roles as long as:

  1. The User, Role or Service that is trying to assume the end Role has assigned policies that would allow them to.

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowMeToAssumeThoseRoles",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::012345678901:role/EksAdminRole",
                "arn:aws:iam::987654321098:role/EcsAuditorRole"
            ]
        }
    ]
}

  2. The end Role's Trust Relationships allow the entity in the point above to assume it.

    {
    "Version": "2012-10-17",
    "Statement": [
        ,
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                  "arn:aws:iam::012345678901:user/halJordan",
                  "arn:aws:sts::987654321098:role/OtherRole"
                  "arn:aws:sts::987654321098:assumed-role/EcsAuditorRole/specific-session-name"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Allowed entities can assume Roles using the STS AssumeRole API:

aws sts assume-role --output 'yaml' \
  --role-arn "arn:aws:iam::012345678901:role/EksAdminRole" \
  --role-session-name "lookAt-halJordan-sheIsThe-EksAdminRole-now"

AssumedRoleUser:
  Arn: arn:aws:sts::012345678901:assumed-role/EksAdminRole/AIDA0123456789ABCDEFG-as-EksAdminRole-stsSession
  AssumedRoleId: AROA2HKHF0123456789OA:AIDA0123456789ABCDEFG-as-EksAdminRole-stsSession
Credentials:
  AccessKeyId: ASIA2HKHF012345ABCDE
  Expiration: '2024-08-06T10:29:15+00:00'
  SecretAccessKey: C2SGbkwmfHWzf44DX6IQQirg5XCGwpLX0Ai++Qkq
  SessionToken: IQoJb3jPZ2luX2VjEAIaCWV1LXdlc3QtMSJHMEUCIQCGEihh9rBi1cL8ebhQVdcKl8Svzm5VCIC/ebCdxpORiA…

Require MFA for assuming Roles

Add the "Bool": {"aws:MultiFactorAuthPresent": true} condition to the Role's trust relationships:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::012345678901:user/halJordan"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
            "Bool": {
                "aws:MultiFactorAuthPresent": true
            }
        }
    }]
}

When requiring MFA with AssumeRole, identities need to pass values for the SerialNumber and TokenCode parameters.
SerialNumbers identify the users' hardware or virtual MFA devices, TokenCodes are the time-based one-time password (TOTP) value that devices produce.

Further readings

Sources