Beginner’s Guide to IAM: IAM, Roles, Policies, Policy Attachments with Terraform

IAM is short for Identity and Access Management.

1. What's the difference between an IAM user and an IAM role?

An IAM user is an identity with long-term credentials (a console password and/or access keys) that interacts with AWS services directly. An IAM role has no long-term credentials of its own and is not used directly; it is assumed by an entity (an IAM user, an application, or a service such as EC2), and STS then issues that entity short-lived temporary credentials that carry the role's permissions.

https://aws.amazon.com/iam/faqs/

2. What’s an IAM Policy?

An IAM policy is a JSON document that defines permissions: each statement allows or denies a set of actions on a set of resources, optionally under conditions. You create the policy and then attach it either to an IAM identity (a user, group, or role) or, as a resource-based policy, to an AWS resource such as an S3 bucket.

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

3. What's an IAM Role Policy Attachment?

It is a Terraform resource, aws_iam_role_policy_attachment, e.g.

https://www.terraform.io/docs/providers/aws/r/iam_role_policy_attachment.html

It attaches a managed IAM policy to an IAM role. The attachment is non-exclusive: one role can carry several attached policies, and the same policy can be attached to other roles, users and groups. Do not confuse it with aws_iam_policy_attachment, which treats the attachment as exclusive and detaches the policy from every other user, group and role it was attached to. It typically looks like this:

resource "aws_iam_role_policy_attachment" "test-attach" {
  # Plain references; the older "${...}" interpolation-only form still
  # works in Terraform 0.12+ but produces a deprecation warning.
  role       = aws_iam_role.role.name
  policy_arn = aws_iam_policy.policy.arn
}

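As an added example (not code from the original post), here is the whole chain from sections 2 and 3 in current Terraform syntax: a customer-managed policy that grants read-only access to a single S3 bucket, a role that EC2 instances can assume, the attachment that binds the two, and the instance profile through which an instance actually receives the role. The bucket name, region, and resource names are placeholders chosen for this example.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # placeholder region
}

# Permission (identity-based) policy: WHAT the role may do.
# Scoped to one bucket and to read-only actions, so an instance holding
# this role cannot write, delete, or reach other buckets.
data "aws_iam_policy_document" "read_reports_bucket" {
  statement {
    sid       = "ListBucket"
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::example-reports-bucket"] # placeholder bucket
  }

  statement {
    sid       = "GetObjects"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::example-reports-bucket/*"]
  }
}

resource "aws_iam_policy" "read_reports_bucket" {
  name        = "ReadReportsBucket"
  description = "Read-only access to the reports bucket"
  policy      = data.aws_iam_policy_document.read_reports_bucket.json
}

# Trust policy (assume_role_policy): WHO may assume the role.
# Only the EC2 service principal is trusted here.
data "aws_iam_policy_document" "ec2_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "reports_reader" {
  name               = "ReportsReaderRole"
  assume_role_policy = data.aws_iam_policy_document.ec2_trust.json
}

# Non-exclusive attachment of the managed policy to the role.
resource "aws_iam_role_policy_attachment" "reports_reader_read" {
  role       = aws_iam_role.reports_reader.name
  policy_arn = aws_iam_policy.read_reports_bucket.arn
}

# An EC2 instance is given the role through an instance profile;
# the role is never attached to the instance directly.
resource "aws_iam_instance_profile" "reports_reader" {
  name = "ReportsReaderProfile"
  role = aws_iam_role.reports_reader.name
}
```

Run terraform init and terraform plan with AWS credentials configured; the plan should show four resources to create. The two aws_iam_policy_document data sources render the JSON for you, which avoids hand-written quoting mistakes, and you can inspect the rendered documents with terraform console before applying.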

4. Principal

The Principal element specifies the AWS account, IAM user, IAM role, federated user, or AWS service that is allowed or denied access to a resource. It appears in resource-based policies and in a role's trust policy; identity-based policies do not have one, because the principal is implied by the identity the policy is attached to.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

5. assume_role_policy (the role's trust policy) is written in the same JSON policy language as a standard IAM policy but answers a different question: not what the role may do, but who may assume it. It therefore carries a Principal element, its Action is sts:AssumeRole (or sts:AssumeRoleWithSAML / sts:AssumeRoleWithWebIdentity for federated principals), and it has no Resource element, because the resource is the role itself.

https://www.terraform.io/docs/providers/aws/r/iam_role.html

6. Service roles are IAM roles that an AWS service (for example EC2 or Lambda) assumes in order to act on your behalf

Note that when two services are listed in the trust policy the Service key must still be unique: a JSON object cannot carry two Service keys, so its value must be a list of service principals rather than a repeated key. Service-linked roles are a special case of service role: the service predefines them, their trust policy is fixed, and only that service can assume them.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html

A list of services that work with IAM, including which of them support service-linked roles and resource-based policies: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
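Sections 4, 5 and 6 together, as an added example that is not code from the original post: the trust policy and a permission policy side by side so the differing elements are visible, with a Principal that trusts two service principals through a single Service key whose value is a list. It assumes an AWS provider is already configured; the role name, log group ARN and account ID are placeholders.

```hcl
locals {
  # Trust policy (assume_role_policy): WHO may assume the role.
  # Principal is present; Resource is absent (the role itself is the resource).
  trust_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid    = "AllowEC2AndLambdaToAssume"
      Effect = "Allow"
      Action = "sts:AssumeRole"
      Principal = {
        # One Service key whose value is a list. A JSON object cannot hold
        # two "Service" keys, and HCL rejects a duplicate key in an object
        # constructor, so two services can only be written this way.
        Service = ["ec2.amazonaws.com", "lambda.amazonaws.com"]
      }
    }]
  })

  # Permission (identity-based) policy: WHAT the role may do.
  # No Principal (implied by the role it is attached to); Resource is required.
  permission_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid      = "PutLogs"
      Effect   = "Allow"
      Action   = ["logs:CreateLogStream", "logs:PutLogEvents"]
      Resource = "arn:aws:logs:us-east-1:111122223333:log-group:/example/app:*" # placeholder ARN
    }]
  })
}

resource "aws_iam_role" "shared_worker" {
  name               = "SharedWorkerRole" # placeholder name
  assume_role_policy = local.trust_policy
}

# Inline policy, the alternative to a managed policy plus attachment:
# it lives and dies with this one role and cannot be reused elsewhere.
resource "aws_iam_role_policy" "shared_worker_logs" {
  name   = "PutLogs"
  role   = aws_iam_role.shared_worker.id
  policy = local.permission_policy
}

# Exposes the rendered trust policy so it can be inspected after apply.
output "trust_policy_json" {
  value = local.trust_policy
}
```

A role trusted by two services is wider than either workload needs; in practice prefer one role per workload and keep a multi-service Principal for the rare case where the same permissions really are shared. The output exists only so that terraform output trust_policy_json shows the exact JSON that reaches IAM.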
