I am defining attribute-based access control (ABAC) for AWS IAM within my terraform file. Sample policy is
resource "aws_iam_role_policy" "testS3" {
name = "testS3"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::dev-${aws:PrincipalTag/team}*"
}
]
}
EOF
}
How do I call that ${block} within terraform? Terraform translates that into its own variables.
It worked with extra $ in the string.
resource "aws_iam_role_policy" "testS3" {
name = "testS3"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::dev-$${aws:PrincipalTag/team}*"
}
]
}
EOF
}
I also tried with variables.tf file and referenced the variable here in json.
variables.tf
variable "principaltag" {
default = "$${aws:PrincipalTag/tedteam}"
}
****
policy.tf
resource "aws_iam_role_policy" "testS3" {
name = "testS3"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::dev-${var.principaltag}*"
}
]
}
EOF
}
Related
I have been trying to add a json policy inside a yaml file but unsuccessful so far
custom:
deploymentBucket:
versioning: true
policy: |
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSSLRequestsOnly",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::deeperion-deployment-bucket",
"arn:aws:s3:::deeperion-deployment-bucket/*"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}
below serverless framework plugin allows you to add bucket policy to the deployment bucket
https://www.serverless.com/plugins/serverless-deployment-bucket
I have s3 buckets named as per team names. For example the below policy works if I want to provide Get, List permissions by using a PrincipalTag in Condition operator. But I'll have to define similar policy by changing the S3 arn for every team.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "*"
},
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::companyName-TeamName*",
"arn:aws:s3:::companyName-TeamName*/*"
],
"Condition": {
"StringEquals": {
"s3:ExistingObjectTag/teamname": "${aws:PrincipalTag/teamname}"
}
}
}
]
}
What if I want to define the resource arn using the PrincipalTag like below
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "*"
},
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::companyName-${aws:PrincipalTag/teamname}*",
"arn:aws:s3:::companyName-${aws:PrincipalTag/teamname}*/*"
],
"Condition": {
"StringEquals": {
"s3:ExistingObjectTag/teamname": "${aws:PrincipalTag/teamname}"
}
}
}
]
}
All teams assumes their roles which has a tag 'teamname':'Their Team Name'
Can I define a policy like this? This will reduce the redundancy of policies. I do not want to define all the S3 arns in the resource section, it will be long list of teams and their buckets.
Wondering if it's possible to have a policy defined in a .json file generated by the AWS policy generator and have that file passed into the cloudformation s3bucket policy as a parametervalue.
So the policy.json file looks something like the following:
{
"Id": "Policyid",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmtid",
"Action": [
"s3:Get*",
"s3:List*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::<bucket name>",
"Principal": {
"AWS": [
"<user>"
]
}
}
]
}
Now I want to call with something like this
aws cloudformation create-stack --stack-name mystack --template-body file:///mystackcreation.json --parameter ParameterKey=PolicyDocument,ParameterValue=policy.json
Where mystackcreation.json is a test file which looks like
{
"Parameters": {
"PolicyDocument": {
"Type": "String",
"Description": ""
}
},
"Resources" : {
"S3BucketPolicy" : {
"Type" : "AWS::S3::BucketPolicy",
"Properties" : {
"Bucket" : mybucket,
"PolicyDocument" : { "Ref" : "PolicyDocument" }
}
}
}
}
Does anyone know how to create a policy using cloud formation and then have another cloud formation template that assigns that policy to a role?
I'm looking at http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html and that doesn't answer my question.
The link between a policy and a role is declared in the AWS::IAM::Policy resource. So, for instance, you can have one stack export the role and another stack import it using the intrinsic function Fn::ImportValue and link it to a policy resource.
Exporting stack:
Resources:
myRole:
Type: "AWS::IAM::Role"
Properties:
...
Outputs:
exportedRole:
Value: !Ref myRole
Export:
Name: "myExportedRole"
Importing stack:
Resources:
myPolicy:
Type: "AWS::IAM::Policy"
Properties:
Roles:
- !ImportValue myExportedRole
...
You can create the role and the policy at the same time. Here is an example:
"LambdaFunctionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "AlexaSkillCloudWatchLogsAccess",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowLogging",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"*"
]
}
]
}
}
]
}
}
This resource creates a policy for a Lambda function with a policy included. Then you can include the ARN of the role in a lambda function in the same template with "Fn::GetAtt"
(background) Currently I am trying to make a general policy for anyone who needs an account at my company so that they have access to anything they need on AWS except the ability to change their own permissions. The idea there is to give them the managed policy "PowerUserAccess". Also, in their account, they will have an S3 bucket with billing permissions, "arn:aws:s3:::c3-uits-s3".
(problem) I have try to make this s3 bucket read only, so that they can see/download their billing, but not be able to upload/delete from the bucket. My first attempt was to
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
},
{
"Effect": "Deny",
"NotAction": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
deny every action but Get* and List* but with those permissions I was still able to upload/delete, so I tried to get only the necessary permissions from there to only view and do nothing else and I came up with
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
},
{
"Effect": "Deny",
"NotAction": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
Which still had the same effect of being able to upload/delete. Another variation I tried was
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": [
"iam:*",
"s3:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"NotResource": [
"arn:aws:s3:::c3-uits-s3"
]
},
{
"Effect": "Allow",
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
and
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
},
{
"Effect": "Deny",
"Action": [
"s3:Put*",
"s3:Create*",
"s3:Delete*",
"s3:Replicate*"
],
"Resource": [
"arn:aws:s3:::c3-uits-s3"
]
}
]
}
any help or pointers in the right direction would be greatly appreciated!
The Resource for a bucket is "arn:aws:s3:::bucket-name" but the Resource for the objects in a bucket is "arn:aws:s3:::bucket-name/*".
You aren't denying any operations on objects, here.