AWS Security Operations
Latest revision as of 23:36, 2 February 2021
Internal
Setting AWS Credentials
Create a Key Pair
Amazon AWS instance access key pairs are explained here.
External reference for the procedures to create (or import) a key pair: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/get-set-up-for-amazon-ec2.html#create-a-key-pair
This procedure describes how to create the em provisioning key pair:
Go to the EC2 console https://us-west-2.console.aws.amazon.com/ec2/v2/home.
Left tab -> Network and Security -> Key Pairs -> Create Key Pair
The key is created and the file containing the private key is automatically downloaded by your browser. The base file name is the name you specified as the name of your key pair, and the file name extension is .pem. Save the private key file in a safe place.
Create a Security Group
Create a Security Group http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/get-set-up-for-amazon-ec2.html#create-a-base-security-group
Create a Security Group with CloudFormation
Resources:
  InternalALBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub ${EnvironmentName}-alb-security-group
      VpcId: !Ref VpcID
      GroupDescription: |
        The security group protecting access to the environment ALB. Only the internal
        traffic is allowed
      SecurityGroupIngress:
        - IpProtocol: -1
          CidrIp: 10.7.0.0/16
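The ingress rule above allows every protocol and port (IpProtocol -1) from the 10.7.0.0/16 range, which is acceptable for an internal ALB but is exactly the kind of rule worth reviewing before a template is deployed. The following is an added example, not code from this page: a small audit function over a SecurityGroupIngress list that flags all-protocol rules and world-open CIDRs. The list of rules is constructed here (the first entry is the page's rule, the others are invented for contrast), and the internal network ranges and the set of ports tolerated from 0.0.0.0/0 are assumptions passed in as parameters.

```python
import ipaddress

# Constructed sample: the ingress rules of InternalALBSecurityGroup above, as the
# list of dicts CloudFormation sees under SecurityGroupIngress, plus three extra
# rules invented for contrast (they are not on the page).
SAMPLE_INGRESS = [
    {"IpProtocol": -1, "CidrIp": "10.7.0.0/16"},                                    # page's rule
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},   # constructed
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},     # constructed
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "SourceSecurityGroupId": "sg-0123456789abcdef0"},                              # constructed
]


def describe_ports(rule):
    """Human-readable protocol/port summary of one ingress rule."""
    proto = str(rule.get("IpProtocol"))      # YAML gives -1 as int, JSON as "-1"
    if proto == "-1":
        return "all protocols/ports"
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None:                           # e.g. a protocol without ports
        return proto
    return f"{proto} {lo}" if lo == hi else f"{proto} {lo}-{hi}"


def audit_ingress(rules,
                  internal_nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
                  allowed_public_ports=(443,)):
    """Return (severity, message) findings for a SecurityGroupIngress list.

    internal_nets and allowed_public_ports are assumptions: RFC 1918 space is
    treated as internal, and only the listed ports are tolerated from the world.
    """
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    findings = []
    for rule in rules:
        ports = describe_ports(rule)
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr is None:
            # Source is another security group or a prefix list, not a CIDR exposure
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        all_traffic = str(rule.get("IpProtocol")) == "-1"
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        if net.prefixlen == 0:
            # 0.0.0.0/0 or ::/0: only a single tolerated port is acceptable
            single_allowed_port = lo is not None and lo == hi and lo in allowed_public_ports
            if all_traffic or not single_allowed_port:
                findings.append(("high", f"{ports} open to the world ({cidr})"))
        elif all_traffic:
            is_internal = any(net.version == i.version and net.subnet_of(i) for i in internal)
            findings.append(("medium" if is_internal else "high",
                             f"all protocols/ports from {cidr}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_ingress(SAMPLE_INGRESS):
        print(f"[{severity}] {message}")
```

Run against the constructed list, the page's rule is reported at medium severity (all traffic, but from an internal range), the world-open port 22 rule at high, port 443 from the world passes, and the rule sourced from another security group is skipped because it is not a CIDR exposure.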
List the Security Groups
EC2 Console -> Resources -> Security Groups.
IAM Operations
IAM Information
aws sts get-caller-identity
The command returns details about the IAM user or role whose credentials were used to make the call: the User ID, the AWS Account and the IAM identity ARN.
AWS Account Operations
List AWS Account Aliases
aws iam list-account-aliases
List IAM Users
aws iam list-users
Get more Information about my IAM User
aws iam get-login-profile --user-name someuser
{
"LoginProfile": {
"UserName": "someuser",
"CreateDate": "2017-07-31T22:32:53+00:00",
"PasswordResetRequired": false
}
}
aws iam get-account-summary
aws iam list-access-keys
aws iam list-groups-for-user --user-name someuser
aws iam list-ssh-public-keys
Create an IAM User
Creating an IAM user:
aws iam create-user --user-name test-user
Give the User Access to the AWS Management Console
aws iam create-login-profile --user-name <username> --password <password>
Grant a User Permission to Switch Roles
Create an IAM Group
Creating an IAM group:
IAM Role Operations
This section documents IAM Role operations.
Create an IAM Role
An IAM role can be created in several ways:
From AWS Management Console
Console → IAM → Roles → Create Role → AWS service → EKS → Select your use case → "EKS - Cluster" → Next: Permissions → Next: Tags → Create.
Create a Role to Delegate Permission to an IAM User
This pattern is appropriate when we need to allow multiple users access to a resource. Instead of configuring each user to access the resource, we create an IAM role authorized to access the resource, and we configure the role to be assumable by the users in question, by updating the role's trust policy to allow "AssumeRole" to the selected users, as described here: Enable an IAM User to Assume an IAM Role.
Console → IAM → Roles → Create Role → Another AWS Account → Account ID: use the account ID in which this role will be used → Next: Permissions → Attach permission policies: none, this role will only be assumed → Add tags → Review → Choose a role name → Create the role → Trust relationship → Use JSON similar to the one described here: Enable an IAM User to Assume an IAM Role.
With AWS CLI
Creating an IAM role with CLI is a two-step operation: creating the role and the associated trust policy, then associating the permission policy.
This is how the role is created:
aws iam create-role \
--role-name test-role \
--assume-role-policy-document file://trust-policy-file.json
--assume-role-policy-document specifies the trust policy document that grants an entity permission to assume the role. The user executing the command must have the "iam:CreateRole" permission.
This is how a permission policy is attached:
aws iam attach-role-policy \
--role-name test-role \
--policy-arn "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"
The permission policy can be created as described here.
With Terraform
Create an ECS Task Role
This is the procedure to create an ECS task definition task role.
IAM Console: https://us-west-2.console.aws.amazon.com/iam/home#roles -> Create Role
Select type of trusted entity: "AWS service"
Choose the service that will use this role: "Elastic Container Service"
Select your use case: "Elastic Container Service Task: Allows ECS tasks to call AWS services on your behalf."
Next: Permissions
Select: AmazonECS_FullAccess ("Provides administrative access to Amazon ECS resources and enables ECS features through access to other AWS service resources, including VPCs, Auto Scaling groups, and CloudFormation stacks").
The role cannot be created with only AmazonECSServiceRolePolicy.
Set permissions boundary: Create role without permissions boundary
Next: Tags
Next: Review
Role name: playground-task-role
Description: A generic task role. Allows ECS tasks to call AWS services on the IAM user's behalf.
Trusted entities: AWS service: ecs-tasks.amazonaws.com
Only roles that have "ecs-tasks.amazonaws.com" as Trusted entity are shown in the Task Role drop-down on Task Definition creation, so make sure that "Trusted entities" contains "AWS service: ecs-tasks.amazonaws.com".
Policies: AmazonECS_FullAccess
Permissions boundary: Permissions boundary is not set
Create Role.
Create an ECS Task Execution Role
This is the procedure to create an ECS task definition task execution role.
IAM Console: https://us-west-2.console.aws.amazon.com/iam/home#roles -> Create Role
Select type of trusted entity: "AWS service"
Choose the service that will use this role: "Elastic Container Service"
Select your use case: "Elastic Container Service Task: Allows ECS tasks to call AWS services on your behalf."
Next: Permissions
Select: AmazonECSTaskExecutionRolePolicy ("Provides access to other AWS service resources that are required to run Amazon ECS tasks")
Set permissions boundary: Create role without permissions boundary
Next: Tags
Next: Review
Role name: playground-task-execution-role
Description: A generic task execution role.
Trusted entities: AWS service: ecs-tasks.amazonaws.com
Only roles that have "ecs-tasks.amazonaws.com" as Trusted entity are shown in the Task execution role drop-down on Task Definition creation, so make sure that "Trusted entities" contains "AWS service: ecs-tasks.amazonaws.com".
Policies: AmazonECSTaskExecutionRolePolicy
Permissions boundary: Permissions boundary is not set
Create Role.
Create an API Gateway Role to Allow Pushing Logs to CloudWatch
IAM Console -> Roles -> Create Role -> Trusted Entity: AWS Service -> API Gateway -> Use case: API Gateway Allows API Gateway to push logs to CloudWatch Logs -> Next Permissions: "AmazonAPIGatewayPushToCloudWatchLogs" policy.
Create an EC2 Service Role
This procedure can be used to create an EC2 service role.
IAM Console → Create Role
Select type of trusted entity: "AWS service"
Choose the service that will use this role: "EC2"
Select your use case: "EC2: Allows EC2 instances to call AWS services on your behalf."
Next: Permissions
Select: AmazonEC2FullAccess
Set permissions boundary: Create role without permissions boundary
Next: Tags
Next: Review
Role name: blue-ec2-service-role
Description: Allows EC2 instances to call AWS services on the user's behalf.
Trusted entities: AWS service: ec2.amazonaws.com
Policies: AmazonEC2FullAccess
Permissions boundary: Permissions boundary is not set
Create Role.
Permission Policy Operations
Create a permission policy:
Create a policy file similar to:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["iam:CreateRole"],
"Resource": ["*"]
}
]
}
Create the policy:
aws iam create-policy --policy-name infra-allow-iam-operations-to-workers --policy-document file://infra-allow-iam-operations-to-workers.json
Keep the ARN, you will need it in subsequent operations.
List IAM Roles
aws iam list-roles
List a specific role:
aws iam list-roles --query "Roles[?RoleName == 'example-role'].[RoleName, Arn]"
The command returns something similar to:
[
[
"example-role",
"arn:aws:iam::999999999999:role/example-role"
]
]
Get Details about a Specific Role
This command returns general information about a role, such as name, ID, maximum session duration, etc.
aws iam get-role --role-name infra-ec2-service
For permission policies, use:
aws iam list-role-policies --role-name infra-ec2-service
Assuming an IAM Role
Assuming an IAM Role using CLI
aws sts assume-role --role-arn "arn:aws:iam::999999999999:role/example-role" --role-session-name example-role-session
The output of the operation is similar to:
{
"Credentials": {
"AccessKeyId": "ASXXXXXXXXXXXXXXXXXX",
"SecretAccessKey": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"SessionToken": "yyyy...yyyy==",
"Expiration": "2020-06-11T20:44:12Z"
},
"AssumedRoleUser": {
"AssumedRoleId": "AROXXXXXXXXXXXXXXXXXX:example-role",
"Arn": "arn:aws:sts::999999999999:assumed-role/example-role/example-role-session"
}
}
This command can also be used as a test of whether a specific role can be assumed or not - if a role cannot be assumed, the output is similar to: TODO - I am assuming the command fails in some obvious way.
This command does not actually change anything in the local environment. In order to use the new identity, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN must be set in the environment:
export AWS_ACCESS_KEY_ID="ASXXXXXXXXXXXXXXXXXX"
export AWS_SECRET_ACCESS_KEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
export AWS_SESSION_TOKEN="yyyy...yyyy=="
To verify that these changes took effect, run:
aws sts get-caller-identity
You should get something similar to:
{
"UserId": "AROXXXXXXXXXXXXXXXXXX:example-role-session",
"Account": "999999999999",
"Arn": "arn:aws:sts::999999999999:assumed-role/example-role/example-role-session"
}
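Copying the three values from the assume-role output into export statements by hand is error-prone, and an expired session is easy to miss because assume-role output does not say when it was fetched. The following is an added example, not code from this page: it takes the assume-role JSON shown above (reproduced here as a constructed sample with the page's placeholder key material), checks the Expiration field against the current time, and produces the environment variables and export lines the CLI expects. The fixed "now" timestamps are assumptions chosen to sit before and after the sample expiry so the check can be exercised offline.

```python
import json
from datetime import datetime, timezone

# Constructed sample modelled on the assume-role output shown above; the key
# material is the page's placeholder text, not real credentials.
SAMPLE_STS_OUTPUT = """{
    "Credentials": {
        "AccessKeyId": "ASXXXXXXXXXXXXXXXXXX",
        "SecretAccessKey": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "SessionToken": "yyyy...yyyy==",
        "Expiration": "2020-06-11T20:44:12Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROXXXXXXXXXXXXXXXXXX:example-role",
        "Arn": "arn:aws:sts::999999999999:assumed-role/example-role/example-role-session"
    }
}"""

# Assumed clock values: one before and one after the sample's Expiration.
SAMPLE_NOW = datetime(2020, 6, 11, 20, 0, 0, tzinfo=timezone.utc)
SAMPLE_AFTER_EXPIRY = datetime(2020, 6, 11, 21, 0, 0, tzinfo=timezone.utc)


def parse_expiration(value):
    """STS prints ISO-8601 with a trailing Z, which fromisoformat() rejects before 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def session_is_expired(sts_json, now=None):
    expires = parse_expiration(json.loads(sts_json)["Credentials"]["Expiration"])
    return expires <= (now or datetime.now(timezone.utc))


def credentials_to_env(sts_json, now=None):
    """Map an assume-role response onto the three variables the AWS CLI reads.

    Raises ValueError if the session has already expired, so stale credentials
    are never exported by mistake.
    """
    if session_is_expired(sts_json, now):
        raise ValueError("session credentials have expired; run assume-role again")
    creds = json.loads(sts_json)["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def export_lines(env):
    """Shell lines equivalent to the export block above; values are single-quoted
    so a token containing shell metacharacters is not interpreted."""
    return [f"export {name}='{value}'" for name, value in env.items()]


def session_arn(sts_json):
    """The Arn that get-caller-identity should report once the variables are set."""
    return json.loads(sts_json)["AssumedRoleUser"]["Arn"]


if __name__ == "__main__":
    for line in export_lines(credentials_to_env(SAMPLE_STS_OUTPUT, now=SAMPLE_NOW)):
        print(line)
    print("# expect get-caller-identity Arn:", session_arn(SAMPLE_STS_OUTPUT))
```

In practice the JSON would be piped in from aws sts assume-role and the output evaluated with eval "$(...)"; the AssumedRoleUser Arn is the value to compare against the get-caller-identity output in the verification step above.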
Trust Policy Operations
This section documents trust policy operations.
Edit in Console
Select the Role → Summary → Trust Relationship → Edit trust relationship.
Create a Trust Policy
Create a JSON file that describes the trust policy. An example of JSON trust policy is available here.
Enable an IAM User to Assume an IAM Role
Enabling an IAM user to assume a role means updating the role's trust policy to add the user as a principal. Navigate to the role in the AWS console, go to "Trust relationships", "Edit trust relationship" and edit the JSON as follows, adding the IAM user ARN:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::999999999999:user/some.user",
"arn:aws:iam::999999999999:user/some.otheruser"
],
"Service": "eks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
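Both policy documents on this page, the permission policy under "Permission Policy Operations" (iam:CreateRole on Resource "*") and the trust policy just above, are small enough to review by eye, but the same two questions apply to every policy in an account: who is allowed to assume this role, and which Allow statements pair a privileged action with a wildcard resource. The following is an added example, not code from this page or from AWS: a linter over IAM policy JSON that extracts the trust-policy principals, flags wildcard, whole-account and cross-account principals, and flags iam:/sts: actions granted on Resource "*". The two policies are reproduced as constructed samples with the page's placeholder account ID and user names; treating only iam: and sts: as privileged prefixes is an assumption.

```python
import json

# Constructed samples reproducing the two policy documents on this page
# (999999999999 and the user names are the page's placeholders).
TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": ["arn:aws:iam::999999999999:user/some.user",
              "arn:aws:iam::999999999999:user/some.otheruser"],
      "Service": "eks.amazonaws.com"
    },
    "Action": "sts:AssumeRole"
  }]
}"""

PERMISSION_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["iam:CreateRole"], "Resource": ["*"]}]
}"""

PRIVILEGED_PREFIXES = ("iam", "sts")   # assumption: actions worth scoping to explicit ARNs


def as_list(value):
    """IAM accepts a bare string or a list in Action, Resource and Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_statements(policy_json):
    doc = json.loads(policy_json)
    return [s for s in as_list(doc["Statement"]) if s.get("Effect") == "Allow"]


def trust_policy_principals(policy_json):
    """Every (kind, value) principal that an Allow statement lets assume the role."""
    principals = []
    for stmt in allowed_statements(policy_json):
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        if not any(a in ("*", "sts:*") or a.startswith("sts:assumerole") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":                      # anonymous principal
            principals.append(("*", "*"))
            continue
        if not isinstance(principal, dict):      # not a trust policy statement
            continue
        for kind, values in principal.items():
            for value in as_list(values):
                principals.append((kind, value))
    return principals


def trust_policy_findings(policy_json, own_account):
    """Flag principals that widen who may assume the role beyond named identities
    in own_account (a 12-digit account ID string)."""
    findings = []
    for kind, value in trust_policy_principals(policy_json):
        if value == "*":
            findings.append("any principal may assume the role")
        elif kind == "AWS" and value.endswith(":root"):
            findings.append(f"whole account trusted: {value}")
        elif kind == "AWS" and f":{own_account}:" not in value:
            findings.append(f"cross-account principal: {value}")
    return findings


def permission_policy_findings(policy_json):
    """Flag Allow statements granting '*' or a privileged action on Resource '*'."""
    findings = []
    for stmt in allowed_statements(policy_json):
        wildcard_resource = "*" in as_list(stmt.get("Resource"))
        for action in as_list(stmt.get("Action")):
            if action == "*":
                findings.append("Action '*' grants every API call")
            elif wildcard_resource and action.split(":")[0] in PRIVILEGED_PREFIXES:
                findings.append(f"{action} on Resource '*': scope it to specific ARNs")
    return findings


if __name__ == "__main__":
    print(trust_policy_principals(TRUST_POLICY))
    print(trust_policy_findings(TRUST_POLICY, "999999999999"))
    print(permission_policy_findings(PERMISSION_POLICY))
```

Against the page's trust policy the linter reports the two users and the EKS service principal and raises no finding for account 999999999999; the same document reviewed from another account would list both users as cross-account principals. The page's permission policy is reported because iam:CreateRole is granted on every resource, which is the point at which a reviewer would ask for a role-ARN pattern or a permissions boundary.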
Managing IAM Policies
This section documents various IAM Policy operations.
Create an IAM Policy
An IAM Policy can be created in several ways: at the console, with AWS CLI, with CloudFormation, with Terraform.
Create an IAM Policy with AWS Console
Create an IAM Policy with AWS CLI
aws iam create-policy \
--policy-name infra-playground-kubernetes-master \
--policy-document file://kubernetes-master-policy.json \
--description "Kubernetes master node policy"
where the JSON file contains a declaration similar to the one available as an example.
The identity executing the command must have the "iam:CreatePolicy" permission.
Create an IAM Policy with CloudFormation
Create an IAM Policy with Terraform
Edit an IAM Policy
Attaching a Policy to an IAM User
aws iam attach-user-policy \
--user-name test-iam-user \
--policy-arn "arn:aws:iam::999999999999:policy/test-policy"
Listing Attached Policies to an IAM Role
aws iam list-attached-role-policies --role-name example-iam-role
Listing Attached Policies to an IAM User
aws iam list-attached-user-policies --user-name example-iam-user
Removing Roles, Policies and Instance Profiles
aws iam remove-role-from-instance-profile --instance-profile-name infra-jenkins-run-kubernetes-master-profile --role-name infra-jenkins-run-kubernetes-master
aws iam remove-role-from-instance-profile --instance-profile-name infra-jenkins-run-kubernetes-worker-profile --role-name infra-jenkins-run-kubernetes-worker
aws iam list-role-policies --role-name infra-jenkins-run-kubernetes-master
aws iam delete-role-policy --role-name infra-jenkins-run-kubernetes-master --policy-name infra-jenkins-run-kubernetes-master
aws iam delete-role-policy --role-name infra-jenkins-run-kubernetes-worker --policy-name infra-jenkins-run-kubernetes-worker
aws iam delete-role --role-name infra-jenkins-run-kubernetes-master
aws iam delete-role --role-name infra-jenkins-run-kubernetes-worker
Decode Authorization Error Message
aws sts decode-authorization-message --encoded-message "..."