aws-deployment-framework
Centralized IAM policies
Hi, I've got an IAM policy that I'm trying to apply in every one of my organization's accounts. In AWS you have to apply the policy manually in each account; is there a way to do it once for all of them with ADF? Thanks
With ADF, you can easily create a pipeline that will deploy the IAM policy to each individual account. Is that what you're after? There's no mechanism for sharing an IAM policy across multiple accounts and only creating it once.
Hi @CakeHockey .
I think it is possible within your bootstrap repository (the AWS CodeCommit repository located in your management account).
There you find an example file showing how to deploy policies and assign them to roles in all accounts (or in an OU path): adf-bootstrap/example-global-iam.yml. When you remove the example- part, it will be used. In this file you are able to create custom policies (the context here is ADF deployments).
When no role is used (delete the role from the policy), it should just create the policy.
You can do that also for specific OUs (just use a folder structure with the OU names).
I am not 100% sure, but I think it is working (I have not tried it without adding a role).
I am not sure if that is the ADF-intended way of doing so. If you need those policies in other contexts than ADF deployments, I would rather create those policies with ADF pipelines. That is way more convenient and easier to maintain (like @StewartW proposed).
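The bootstrap-template approach described in the comment above, as an added example that is not part of the original thread and not ADF's own example file: a constructed CloudFormation template in the shape a renamed adf-bootstrap/global-iam.yml could take. The policy name, the allowed actions, the home region, the role name and the OU folder layout mentioned below are all assumptions for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Hypothetical global-iam.yml for an ADF bootstrap repository. ADF's bootstrap
  stacks apply a template like this to every account under the OU folder it
  sits in (assumed layout: adf-bootstrap/<ou-name>/global-iam.yml for one OU,
  adf-bootstrap/global-iam.yml for all accounts).

Resources:
  # Constructed example: a customer managed policy giving read-only visibility
  # into audit services, scoped to one region via a condition so the grant
  # stays as narrow as the reviewer's job requires (least privilege).
  SecurityReadOnlyPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: org-security-readonly        # assumed name
      Description: Read-only visibility into CloudTrail and AWS Config
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DescribeAuditServicesInHomeRegion
            Effect: Allow
            Action:
              - cloudtrail:DescribeTrails
              - cloudtrail:GetTrailStatus
              - config:DescribeConfigurationRecorders
              - config:DescribeConfigurationRecorderStatus
            Resource: "*"
            Condition:
              StringEquals:
                aws:RequestedRegion: eu-west-1        # assumed home region
      # Attaches the policy to an existing role in each target account.
      # Remove this Roles block to create the policy on its own, which is
      # what the comment above describes as "delete the role from the policy".
      Roles:
        - security-reviewer   # assumed: the role must already exist in each account

Outputs:
  SecurityReadOnlyPolicyArn:
    Description: ARN of the managed policy created in this account
    Value: !Ref SecurityReadOnlyPolicy
```

A practical check after the bootstrap run: confirm in a sample member account that the policy exists and, if the Roles block was kept, that it is attached only to the intended role, since the bootstrap template is applied with IAM capabilities across every account in scope.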
I'm closing this issue as it has been inactive for a long time. This probably means that it is not reproducible or that it has been fixed in the meantime.
Please reopen if you still encounter this issue with the latest stable version.
Thank you!