Identity and Access Management

| Entity | Description | Notes |
| ------ | ----------- | ----- |
| User | Represents a human or a workload. Defined by its name and credentials. | Has no permissions by default; they need to be assigned to it. |
| Role | Defines a set of permissions for making requests to AWS services. Defines what actions can be performed on which resources. | Can be assumed by AWS services, applications and users. |

To be able to assume roles:

  • Users, roles or services must have the permissions to assume the role they want to assume.
  • The role's trust relationship should allow the users, roles or services to assume it.

From Using service-linked roles:

A service role is an IAM role that a service assumes to perform actions on your behalf.
An IAM administrator can create, modify, and delete a service role from within IAM.

A service-linked role is a type of service role that is linked to an AWS service.
The service can assume the role to perform an action on your behalf.
Service-linked roles appear in your AWS account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles.

Check aws.permissions.cloud for a community-driven source of truth for AWS identity.

  1. IAM policies
  2. Assume Roles
    1. Require MFA for assuming Roles
  3. Further readings
    1. Sources

IAM policies

IAM does not expose a policy's Sid element through the IAM API, so the Sid cannot be used to look up or retrieve specific statements.

Watch out for explicit Deny statements, as they can prevent users from doing seemingly unrelated things - like accessing a Pulumi state file in an S3 bucket when an explicit Deny statement blocks IAM users from listing IAM groups whenever they are not logged in with MFA.

Examples:

Give a user temporary RO access to a bucket
  1. Create the policy:

    {
      "Version": "2012-10-17",
      "Statement": [{
        "Sid": "AllowAttachedPrincipalsTemporaryROAccessToBucket",
        "Effect": "Allow",
        "Action": [
          "s3:GetObject",
          "s3:GetObjectAttributes",
          "s3:ListBucket",
          "s3:ListBucketVersions"
        ],
        "Resource": [
          "arn:aws:s3:::my-bucket",
          "arn:aws:s3:::my-bucket/*"
        ],
        "Condition": {
          "DateLessThan": {
            "aws:CurrentTime": "2024-03-01T00:00:00Z"
          }
        }
      }]
    }
    
    $ aws iam create-policy --output 'yaml' \
      --policy-name 'temp-ro-access-my-bucket' --policy-document 'file://policy.json'
    - Policy:
        Arn: arn:aws:iam::012345678901:policy/temp-ro-access-my-bucket
        AttachmentCount: 0
        CreateDate: '2024-02-25T09:34:12+00:00'
        DefaultVersionId: v1
        IsAttachable: true
        Path: /
        PermissionsBoundaryUsageCount: 0
        PolicyId: ANPA2HKHE74L11PTJGB3V
        PolicyName: temp-ro-access-my-bucket
        UpdateDate: '2024-02-25T09:34:12+00:00'
    
  2. Attach the newly created policy to the user:

    aws iam attach-user-policy \
      --user-name 'my-user' --policy-arn 'arn:aws:iam::012345678901:policy/temp-ro-access-my-bucket'
    

Assume Roles

Refer to Introduction to AWS IAM AssumeRole.

Users, Roles and Services can assume Roles as long as:

  1. The User, Role or Service that is trying to assume the end Role has assigned policies that would allow them to.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowMeToAssumeThoseRoles",
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": [
                    "arn:aws:iam::012345678901:role/EksAdminRole",
                    "arn:aws:iam::987654321098:role/EcsAuditorRole"
                ]
            }
        ]
    }
    
  2. The end Role's Trust Relationships allow the entity in the point above to assume it.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                      "arn:aws:iam::012345678901:user/halJordan",
                      "arn:aws:iam::987654321098:role/OtherRole",
                      "arn:aws:sts::987654321098:assumed-role/EcsAuditorRole/specific-session-name"
                    ]
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
    

Allowed entities can assume Roles using the STS AssumeRole API:

aws sts assume-role --output 'yaml' \
  --role-arn "arn:aws:iam::012345678901:role/EksAdminRole" \
  --role-session-name "lookAt-halJordan-sheIsThe-EksAdminRole-now"
AssumedRoleUser:
  Arn: arn:aws:sts::012345678901:assumed-role/EksAdminRole/AIDA0123456789ABCDEFG-as-EksAdminRole-stsSession
  AssumedRoleId: AROA2HKHF0123456789OA:AIDA0123456789ABCDEFG-as-EksAdminRole-stsSession
Credentials:
  AccessKeyId: ASIA2HKHF012345ABCDE
  Expiration: '2024-08-06T10:29:15+00:00'
  SecretAccessKey: C2SGbkwmfHWzf44DX6IQQirg5XCGwpLX0Ai++Qkq
  SessionToken: IQoJb3jPZ2luX2VjEAIaCWV1LXdlc3QtMSJHMEUCIQCGEihh9rBi1cL8ebhQVdcKl8Svzm5VCIC/ebCdxpORiA…

Require MFA for assuming Roles

Refer to Using AWS CLI Securely with IAM Roles and MFA.

Add the "Bool": {"aws:MultiFactorAuthPresent": true} condition to the Role's trust relationships:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::012345678901:user/halJordan"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
            "Bool": {
                "aws:MultiFactorAuthPresent": true
            }
        }
    }]
}

When MFA is required for AssumeRole, the calling identity must also pass values for the SerialNumber and TokenCode parameters.
SerialNumber identifies the user's hardware or virtual MFA device; TokenCode is the time-based one-time password (TOTP) value that the device produces.
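The two-sided check described above (the caller's identity policy must allow sts:AssumeRole on the role, and the role's trust relationship must allow the caller, here with the MFA condition), as an added Python example that is not part of the original page. The policies, account id and ARNs it embeds are constructed from the page's samples; it models only the Action/Resource/Principal matching, the Bool and DateLessThan conditions (the latter as used by the temporary-bucket-access policy earlier on the page) and the Deny-beats-Allow rule, not the full IAM evaluation logic.

```python
from datetime import datetime
from fnmatch import fnmatchcase

def _matches(patterns, candidate):  # Action/Resource/Principal may be a string or a list; '*' is a wildcard
    return any(fnmatchcase(candidate, p) for p in (patterns if isinstance(patterns, list) else [patterns]))

def _ts(value):  # accept a datetime or an ISO-8601 string such as the policy's "2024-03-01T00:00:00Z"
    return value if isinstance(value, datetime) else datetime.fromisoformat(value.replace("Z", "+00:00"))

def _conditions_hold(condition, ctx):
    """ctx maps request keys to values, e.g. {"aws:MultiFactorAuthPresent": True}; a missing key fails."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "Bool":  # IAM accepts JSON true or the string "true": compare as text
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "DateLessThan":
                if not _ts(actual) < _ts(expected):
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator} is not modelled")
    return True

def _decide(statements, ctx, applies):
    """Evaluate one policy: an explicit Deny wins, then Allow, otherwise implicit deny."""
    decision = "ImplicitDeny"
    for stmt in statements:
        if applies(stmt) and _conditions_hold(stmt.get("Condition"), ctx):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision

def can_assume(identity_policy, trust_policy, principal_arn, role_arn, ctx):
    """Allowed only if the caller may call sts:AssumeRole on the role AND the role trusts the caller."""
    caller = _decide(identity_policy["Statement"], ctx, lambda s: _matches(s["Action"], "sts:AssumeRole")
                     and _matches(s["Resource"], role_arn))
    trust = _decide(trust_policy["Statement"], ctx, lambda s: _matches(s["Action"], "sts:AssumeRole")
                    and _matches(s["Principal"].get("AWS", []), principal_arn))
    return caller == "Allow" and trust == "Allow"

# Constructed sample policies modelled on the page's JSON (account id and names are illustrative).
USER, ROLE = "arn:aws:iam::012345678901:user/halJordan", "arn:aws:iam::012345678901:role/EksAdminRole"
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": USER}, "Condition": {"Bool": {"aws:MultiFactorAuthPresent": True}}}]}
```

Useful as a pre-deployment sanity check on policy documents pulled from version control: feeding it a caller without MFA in the request context shows the trust side falling to an implicit deny even though the identity side allows the call.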

For CLI access, the user will need to add the mfa_serial setting to their profile:

[default]


[role-with-mfa]
source_profile = default
role_arn = arn:aws:iam::012345678901:role/EksAdminRole
mfa_serial = arn:aws:iam::012345678901:mfa/gopass

$ AWS_PROFILE='role-with-mfa' aws sts get-caller-identity --output 'yaml'
Enter MFA code for arn:aws:iam::012345678901:mfa/gopass:
Account: '012345678901'
Arn: arn:aws:sts::012345678901:assumed-role/EksAdminRole/botocore-session-1234567890
UserId: AROA2HKHF74L72AABBCCDD:botocore-session-1234567890

Further readings

Sources