Statements¶
You can specify iam role policies, iam role trust policies, s3 bucket policies and kms grants with aws_syncr.
Trust policies¶
{service: ec2}
Sets the principle to
{"Service": "ec2.amazonaws.com"}
You’ll want to do this if you want to use metdata credentials on an ec2 box
<iam_specifier>
See below, it specifies an iam resource
Basically allows the iam role specified to call assume role to be this role.
{federated: <string>}
Sets the principle to
{"Federated": <string>}
With an
Action
ofAssumeRoleWithSAML
.{federated: <iam_specifier>}
Sets the principle to
{"Federated": <expanded iam specifier>}
With an
Action
ofAssumeRoleWithSAML
.
Anything in the dictionary starting with an upper case character is included as is in the statement.
Also, the difference between allow_to_assume_me
and disallow_to_assume_me
is one sets Principle
in the trust document, whereas the other sets NotPrinciple
.
Permission statements¶
You can specify these under a role policy and under an s3 bucket policy
{"action": <action>, resource: <resource>, "allow":<True|False>}
Allows
<action>
for specified<resource>
(string or list of strings)“allow” will override any default allow or “Effect” you specify
And anything starting with an upper case character is included in the statement as is.
allow_permission
statements will defaultallow
to True anddeny_permission
statements will defaultallow
to False.
Where action
and resource
can be notaction
and notresource
.
And <resource>
can be:
- A single string
- Placed in the policy as a list of that one string
- A list of
<resource>
- Placed in the policy with each
<resource>
expanded <iam_specifier>
- See below, it specifies an iam resource
<kms_specifier>
- See below, it specifies a kms resource
{"s3": <s3_specifier>}
- “arn:aws:s3:::<s3_specifier>
{"s3": [<s3_specifier>, <s3_specifier>, ...]}
- [“arn:aws:s3:::<s3_specifier>”, “arn:aws:s3:::<s3_specifier>”, …]
<arn_specifier>
- See below, it specifies a generic arn
Where <iam_specifer>
can be:
{"iam":"__self__"}
- arn for the role/user this policy is being given to
{"iam":<specifier>, "account":<account>"}
“arn:aws:iam::<account>:<specifier>”
Where account is retrieved from our accounts dictionary from accounts.yaml
Where <kms_specifier>
can be:
{"kms": "__self__"}
- arn for the kms this policy is being given to
{"kms": "<alias>", "location":<location>, "account":<account>}
“arn:aws:kms::<account>:alias/<alias>”
Where account is retrieved from our accounts dictionary from accounts.yaml
Where <s3_specifier>
can be:
__self__
- arn for the bucket this policy is being given to
<name>
- Name of a bucket
<name>/<path>
- Name of a bucket with some path
Where <arn_specifier>
is
{"arn":<service>, "location":<location>, "account":<account>, "identity":<identity>}
- “arn:aws:<service>:<location>:<account>:<identity>”
Note
For the special specifiers, account and identity can be a list of values.
Grant statements¶
Grants can be specified as
{"operations": [<operation>, ...], "grantee": [<iam_specifier>, ...], "retiree": [<iam_specifer>, ...], "grant_tokens": [<grant_token>, ...], "constraints": <constraints>}
Onlyoperations
andgrantee
are required. Also, capitalized keys are included in the policy.
See http://docs.aws.amazon.com/kms/latest/developerguide/grants.html for more information.