IAM Roles¶
IAM is amazon’s access management service. You use this service to create
user accounts and roles. Aws_syncr currently only supports creating and
modifying roles. These can be created under the roles section of your
configuration.
---
roles:
"ci/deployer":
description: Role for deploying my amazing application
allow_to_assume_me:
- { iam: "role/bamboo/bamboo-agent-role", account: devprod }
- { iam: "assumed-role/Stg-Administrator", account: stg, users: [smoore] }
- { iam: "assumed-role/Dev-Administrator", account: dev, users: [smoore] }
allow_permission:
- { action: "ec2:*", resource: "*" }
- { action: "route53:*", resource: "*" }
- { action: "autoscaling:*", resource: "*" }
- { action: "cloudformation:*", resource: "*" }
- { action: "elasticloadbalancing:*", resource: "*"}
- { action: "s3:*", resource: { "s3": "project-artifacts"} }
- { action: "iam:*", resource: { "iam": "__self__" } }
- { action: "iam:*", resource: { "iam": "role/project/*" } }
- { action: "iam:*", resource: { "iam": "instance-profile/project/*" } }
"project/instance":
description: Instance role for my project
make_instance_profile: true
allow_to_assume_me:
- service: ec2
allow_permission:
- { action: "s3:*", resource: { "s3": "project-artifacts" } }
- { action: "iam:*", resource: { "iam": "__self__" } }
This definition will create a role called deployer with a path of ci and a role called
instance with a path of project.
This definition make it so deployer has this trust policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::892834939:role/bamboo/bamboo-agent-role"
},
"Action": "sts:AssumeRole"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:sts::382093840:assumed-role/Stg-Administrator/smoore"
},
"Action": "sts:AssumeRole"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:sts::123456789:assumed-role/Dev-Administrator/smoore"
},
"Action": "sts:AssumeRole"
},
]
}
And the instance role has this trust policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
The allow_permission block of the definition will create this inline policy
for deployer.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:*"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"route53:*"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"autoscaling:*"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"cloudformation:*"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"elasticloadbalancing:*"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::project-artifacts",
"arn:aws:s3:::project-artifacts/*"
],
"Effect": "Allow"
},
{
"Action": [
"iam:*"
],
"Resource": [
"arn:aws:iam::123456789:role/ci/deployer"
],
"Effect": "Allow"
},
{
"Action": [
"iam:*"
],
"Resource": [
"arn:aws:iam::123456789:role/project/*"
],
"Effect": "Allow"
},
{
"Action": [
"iam:*"
],
"Resource": [
"arn:aws:iam::023709156796:instance-profile/project/*"
],
"Effect": "Allow"
}
]
}
and the following policy for instance
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::project-artifacts",
"arn:aws:s3:::project-artifacts/*"
]
},
{
"Effect": "Allow",
"Action": "iam:*",
"Resource": "arn:aws:iam::123456789:role/project/instance"
}
]
}
And when you sync with stg, then the appropriate account ids in the policies
are replaced with the stg account id.
Available keys¶
You can specify the following options for each role:
- description
- The description given to the role
- make_instance_profile
- A boolean specifying whether to make an instance profile of the same name with this role attached to it.
- allow_to_assume_me, disallow_to_assume_me
- Used for allowing or disallowing certain trust relationships.
- permission, allow_permission, deny_permission
- Used for specifying statements to go into the role policy.
Statements¶
Go to the Statements section to see what are valid statements for the trust policy and role policy.