
Create IAM Policy Resource

Open christopherhein opened this issue 5 years ago • 3 comments

This will allow you to create an IAM Policy that you can reference from an IAM Role, giving you the ability to give out specific permissions to every role.

Long term, when you build a syncing tool, use this to load existing policies in IAM; that way they can be referenced via the Roles, OR use the same naming scheme to allow you to use any standard policy name.

apiVersion: operator.aws/v1alpha1
kind: IAMPolicy
metadata:
  name: aws-operator
spec:
  dynamodb:
    list:
    - ListBackups
    - ListGlobalTables
    - ListTables
    read:
    - BatchGetItem
    - DescribeBackup
    - DescribeContinuousBackups
    - DescribeGlobalTable
    - DescribeGlobalTableSettings
    - DescribeLimits
    - DescribeReservedCapacity
    - DescribeReservedCapacityOfferings
    - DescribeStream
    - DescribeTable
    - DescribeTimeToLive
    - GetItem
    - GetRecords
    - GetShardIterator
    - ListStreams
    - ListTagsOfResource
    - Query
    - Scan
    write:
    - BatchWriteItem
    - CreateBackup
    - CreateGlobalTable
    - CreateTable
    - DeleteBackup
    - DeleteItem
    - DeleteTable
    - PurchaseReservedCapacityOfferings
    - PutItem
    - RestoreTableFromBackup
    - RestoreTableToPointInTime
    - TagResource
    - UntagResource
    - UpdateContinuousBackups
    - UpdateGlobalTable
    - UpdateGlobalTableSettings
    - UpdateItem
    - UpdateTable
    - UpdateTimeToLive
    # ...

christopherhein avatar Sep 29 '18 08:09 christopherhein

I'm not sure I understand where you are going with the example provided. Wouldn't it make sense to have 'actions' and 'resources' as spec values?

apiVersion: operator.aws/v1alpha1
kind: IAMPolicy
metadata:
  name: app-foo-dynamodb-access
spec:
  actions:
  - dynamodb:*
  resources:
  - arn:aws:dynamodb:us-east-2:123456789012:table/app-foo-*

sepulworld avatar Jan 04 '19 23:01 sepulworld

> I'm not sure I understand where you are going with the example provided. Wouldn't it make sense to have 'actions' and 'resources' as spec values?
>
> apiVersion: operator.aws/v1alpha1
> kind: IAMPolicy
> metadata:
>   name: app-foo-dynamodb-access
> spec:
>   actions:
>   - dynamodb:*
>   resources:
>   - arn:aws:dynamodb:us-east-2:123456789012:table/app-foo-*

Definitely, this will be really useful, and I have some ideas around the resources. I'm trying to design a better strategy for referencing resources, similar to how k8s core does with configmaps and secrets. I could imagine this being something like:

- arn: {arn} # or arn with wildcards
  resourceRef: # optional if you'd like to reference a Kubernetes managed AWS Resource
    name: {name}
    namespace: {namespace}

christopherhein avatar Jan 15 '19 19:01 christopherhein
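To make the two sketches in this thread concrete (sepulworld's actions/resources spec and the arn/resourceRef resource shape above), here is an added example of how a controller could turn such a spec into an IAM policy document. This is illustrative code written for this page, not the operator's own types or reconciler: the Go types, the Resolver lookup, the Render and Lint functions and the sample ARNs are all assumptions. The security-relevant choices it shows are that an unresolved resourceRef withholds the policy instead of falling back to a "*" resource, and that whole-service action wildcards and unrestricted resources are surfaced as findings before anything is created in IAM.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Hypothetical types for the thread's proposed IAMPolicy spec (not the operator's
// own): a resource is a literal ARN or a resourceRef to an operator-managed one.
type (
	ResourceRef struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	}
	PolicyResource struct {
		ARN         string       `json:"arn,omitempty"`
		ResourceRef *ResourceRef `json:"resourceRef,omitempty"`
	}
	IAMPolicySpec struct {
		Actions   []string         `json:"actions"`
		Resources []PolicyResource `json:"resources"`
	}
	Statement struct { // IAM policy language
		Effect   string   `json:"Effect"`
		Action   []string `json:"Action"`
		Resource []string `json:"Resource"`
	}
	PolicyDocument struct {
		Version   string      `json:"Version"`
		Statement []Statement `json:"Statement"`
	}
)

// Resolver returns the ARN of an operator-managed resource by namespace/name
// (a real controller would read it from that resource's status).
type Resolver func(namespace, name string) (string, bool)

// Render turns a spec into an IAM policy document. An unresolvable resourceRef
// is an error: the policy is withheld rather than widened to "*".
func Render(spec IAMPolicySpec, resolve Resolver) (PolicyDocument, error) {
	for _, a := range spec.Actions {
		if a != "*" && !strings.Contains(a, ":") {
			return PolicyDocument{}, fmt.Errorf("action %q is not of the form service:Operation", a)
		}
	}
	var arns []string
	for i, r := range spec.Resources {
		switch {
		case r.ARN != "" && r.ResourceRef == nil:
			arns = append(arns, r.ARN)
		case r.ARN == "" && r.ResourceRef != nil:
			arn, ok := resolve(r.ResourceRef.Namespace, r.ResourceRef.Name)
			if !ok {
				return PolicyDocument{}, fmt.Errorf("resource %d: %s/%s has no ARN yet", i, r.ResourceRef.Namespace, r.ResourceRef.Name)
			}
			arns = append(arns, arn)
		default:
			return PolicyDocument{}, fmt.Errorf("resource %d must set exactly one of arn or resourceRef", i)
		}
	}
	return PolicyDocument{
		Version:   "2012-10-17",
		Statement: []Statement{{Effect: "Allow", Action: spec.Actions, Resource: arns}},
	}, nil
}

// Lint reports over-broad grants a reviewer or admission webhook would flag:
// whole-service or global action wildcards and an unrestricted resource.
func Lint(doc PolicyDocument) []string {
	var findings []string
	for _, st := range doc.Statement {
		for _, a := range st.Action {
			if a == "*" || strings.HasSuffix(a, ":*") {
				findings = append(findings, "action "+a+" grants every operation in the service")
			}
		}
		for _, r := range st.Resource {
			if r == "*" {
				findings = append(findings, "resource * applies the grant to every resource")
			}
		}
	}
	return findings
}

func main() {
	// Constructed sample: read-only access to app-foo's tables by ARN prefix.
	doc, err := Render(IAMPolicySpec{
		Actions:   []string{"dynamodb:GetItem", "dynamodb:Query"},
		Resources: []PolicyResource{{ARN: "arn:aws:dynamodb:us-east-2:123456789012:table/app-foo-*"}},
	}, func(string, string) (string, bool) { return "", false })
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	out, _ := json.MarshalIndent(doc, "", "  ")
	fmt.Println(string(out), Lint(doc))
}
```

Run against the `dynamodb:*` example earlier in the thread, Lint returns a finding for the whole-service action, which is the point at which a reconciler or webhook would ask for the list of operations to be narrowed; a resourceRef whose target has not yet reported an ARN simply keeps the policy from being created until it does.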

Wanted to check in and see if any more progress has been made on the design of this. I'm curious how you would address assume role and inline policies.

micahlmartin avatar Mar 14 '19 00:03 micahlmartin