Attaching IAM policies to a role for specific permissions

In this lesson, we will explore how to attach IAM policies to a role in AWS for specific permissions. IAM (Identity and Access Management) policies are used to define permissions for AWS resources. By attaching IAM policies to a role, you can grant specific permissions to that role, allowing users or services to access resources in your AWS account.

Understanding IAM Policies

Before we dive into attaching IAM policies to a role, let’s first understand what IAM policies are and how they work. IAM policies are JSON documents that define permissions for AWS resources. These policies can be attached to users, groups, or roles in your AWS account.

IAM policies consist of statements that specify the actions that are allowed or denied on specific resources. Each statement includes an effect (Allow or Deny), a list of actions, a list of resources, and optional conditions. When a request is evaluated, a matching explicit Deny always wins over any Allow, and a request that no statement allows is implicitly denied. By crafting IAM policies carefully, you can control access to your AWS resources effectively.
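As an added example (not code from the lesson), here are those evaluation rules in a small TypeScript evaluator: it matches actions and resources with IAM's wildcard semantics and applies the order explicit Deny, then Allow, then implicit Deny. The policy document, bucket name and object keys are constructed for the demo, and Condition elements are deliberately left out, so this models a single identity-based policy only.

```typescript
// Added example, not from the lesson: a minimal evaluator for the
// Effect / Action / Resource logic of one IAM identity-based policy.
// Conditions, resource policies, SCPs, permission boundaries and session
// policies are out of scope here.

type Effect = 'Allow' | 'Deny';
type Decision = 'Allow' | 'ExplicitDeny' | 'ImplicitDeny';

interface Statement {
  Effect: Effect;
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: '2012-10-17';
  Statement: Statement[];
}

// IAM wildcard semantics: '*' matches any run of characters, '?' one character.
// Action names match case-insensitively; resource ARNs are case-sensitive.
function iamMatch(pattern: string, value: string, ignoreCase: boolean): boolean {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`, ignoreCase ? 'i' : '').test(value);
}

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// Evaluation order: 1. any matching Deny wins; 2. otherwise any matching
// Allow grants; 3. otherwise the request is implicitly denied.
function evaluate(doc: PolicyDocument, action: string, resource: string): Decision {
  let allowed = false;
  for (const s of doc.Statement) {
    const actionHit = asList(s.Action).some(a => iamMatch(a, action, true));
    const resourceHit = asList(s.Resource).some(r => iamMatch(r, resource, false));
    if (!actionHit || !resourceHit) continue;
    if (s.Effect === 'Deny') return 'ExplicitDeny';
    allowed = true;
  }
  return allowed ? 'Allow' : 'ImplicitDeny';
}

// Constructed sample policy: a read grant on the lesson's placeholder bucket
// plus a Deny carve-out for a sensitive prefix.
const samplePolicy: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    {
      Effect: 'Allow',
      Action: ['s3:GetObject', 's3:ListBucket'],
      Resource: ['arn:aws:s3:::my-bucket', 'arn:aws:s3:::my-bucket/*'],
    },
    {
      Effect: 'Deny',
      Action: 's3:GetObject',
      Resource: 'arn:aws:s3:::my-bucket/secrets/*',
    },
  ],
};

// Runs a few constructed requests through the sample policy.
function evaluateSample(): Record<string, Decision> {
  return {
    readPublic: evaluate(samplePolicy, 's3:GetObject', 'arn:aws:s3:::my-bucket/public/report.csv'),
    readSecret: evaluate(samplePolicy, 's3:GetObject', 'arn:aws:s3:::my-bucket/secrets/key.pem'),
    writeObject: evaluate(samplePolicy, 's3:PutObject', 'arn:aws:s3:::my-bucket/public/report.csv'),
    otherBucket: evaluate(samplePolicy, 's3:GetObject', 'arn:aws:s3:::other-bucket/report.csv'),
    upperCaseAction: evaluate(samplePolicy, 'S3:GETOBJECT', 'arn:aws:s3:::my-bucket/public/report.csv'),
  };
}

console.log(evaluateSample());
```

The Deny carve-out is the part worth studying: even though the Allow statement's `my-bucket/*` pattern covers `secrets/key.pem`, the explicit Deny is checked across all statements before any Allow is honoured, which is why a Deny is the reliable way to fence off a sub-tree that a broader grant would otherwise reach.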

Creating an IAM Role

To attach IAM policies to a role, you first need to create an IAM role in your AWS account. Roles are used to delegate permissions to entities that you trust, such as AWS services or external users. Here’s an example of how you can create an IAM role using AWS CDK with TypeScript:

import * as iam from '@aws-cdk/aws-iam';

const role = new iam.Role(this, 'MyRole', {
  assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
  roleName: 'MyLambdaRole',
});

In this example, we create a new IAM role named ‘MyLambdaRole’ whose trust policy names the AWS Lambda service (lambda.amazonaws.com) as the only principal allowed to assume it. This role will be used to grant permissions to Lambda functions in our account.

Attaching IAM Policies to a Role

Once you have created an IAM role, you can attach IAM policies to it to grant specific permissions. Managed policies can be attached to a role using the addManagedPolicy method. Here’s an example of how you can attach an existing AWS managed policy to a role using AWS CDK with TypeScript:

import * as iam from '@aws-cdk/aws-iam';

const policy = iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonS3ReadOnlyAccess');
role.addManagedPolicy(policy);

In this example, we attach the ‘AmazonS3ReadOnlyAccess’ managed policy to the IAM role we created earlier. This policy grants read-only (Get, List, Describe) access to every S3 bucket and object the role can reach, which is broader than most Lambda functions need; the custom policy in the next section shows how to narrow that.

Creating Custom IAM Policies

In addition to attaching existing managed policies, you can also create custom IAM policies to define specific permissions for your resources. A custom policy built with iam.Policy is an inline policy and is attached to a role using the attachInlinePolicy method (if you need a reusable customer-managed policy instead, build it with iam.ManagedPolicy and attach it with addManagedPolicy). Here’s an example of how you can create a custom IAM policy and attach it to a role using AWS CDK with TypeScript:

import * as iam from '@aws-cdk/aws-iam';

const customPolicy = new iam.Policy(this, 'CustomPolicy', {
  statements: [
    new iam.PolicyStatement({
      actions: ['s3:GetObject'],
      resources: ['arn:aws:s3:::my-bucket/*'],
      effect: iam.Effect.ALLOW,
    }),
  ],
});

role.attachInlinePolicy(customPolicy);

In this example, we create a custom IAM policy that allows the role to get objects from a specific S3 bucket. We then attach this custom policy to the IAM role we created earlier.
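As an added example (not from the lesson and not an AWS or CDK API), here is a heuristic least-privilege audit in TypeScript, run over a constructed approximation of the AmazonS3ReadOnlyAccess document and over the JSON that the custom policy above synthesizes. The auditPolicy and compare functions and their finding rules are this example's own; the managed-policy text is an approximation, as the real document is maintained by AWS.

```typescript
// Added example, not from the lesson: a small least-privilege linter for IAM
// policy documents. It is a heuristic, not IAM Access Analyzer.

interface Statement {
  Sid?: string;
  Effect: 'Allow' | 'Deny';
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: '2012-10-17';
  Statement: Statement[];
}

interface Finding {
  sid: string;
  severity: 'high' | 'medium';
  issue: string;
}

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// Flags the usual over-broad patterns in Allow statements. Deny statements are
// skipped because they can only narrow access.
function auditPolicy(doc: PolicyDocument): Finding[] {
  const findings: Finding[] = [];
  doc.Statement.forEach((s, i) => {
    const sid = s.Sid ?? `Statement[${i}]`;
    if (s.Effect !== 'Allow') return;
    for (const a of asList(s.Action)) {
      if (a === '*') {
        findings.push({ sid, severity: 'high', issue: 'Action "*" grants every API of every service' });
      } else if (/^[^:]+:\*$/.test(a)) {
        findings.push({ sid, severity: 'high', issue: `service-wide wildcard "${a}"` });
      } else if (a.includes('*') || a.includes('?')) {
        findings.push({ sid, severity: 'medium', issue: `wildcard action "${a}" also matches APIs added later` });
      }
    }
    if (asList(s.Resource).includes('*')) {
      findings.push({
        sid,
        severity: 'medium',
        issue: 'Resource "*" applies to every resource the caller can reach; scope it to ARNs where the service supports resource-level permissions',
      });
    }
  });
  return findings;
}

// Constructed approximation of the AmazonS3ReadOnlyAccess managed policy.
const managedReadOnly: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['s3:Get*', 's3:List*', 's3:Describe*'],
    Resource: '*',
  }],
};

// The lesson's custom policy, written as the JSON document its CDK
// PolicyStatement synthesizes (Sid added here for readable findings).
const customScoped: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{
    Sid: 'ReadMyBucketObjects',
    Effect: 'Allow',
    Action: 's3:GetObject',
    Resource: 'arn:aws:s3:::my-bucket/*',
  }],
};

// Audits both documents so the difference in blast radius is visible.
function compare(): { managed: Finding[]; custom: Finding[] } {
  return { managed: auditPolicy(managedReadOnly), custom: auditPolicy(customScoped) };
}

console.log(JSON.stringify(compare(), null, 2));
```

Running it reports four findings for the managed document (three wildcard actions plus `Resource: "*"`) and none for the custom one. Checks like this are cheap to run in CI over synthesized CDK templates, so an accidental `s3:*` or `Resource: "*"` is caught at review time rather than after deployment.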

Testing IAM Permissions

Once you have attached IAM policies to a role, it’s important to test the permissions to ensure that they are working as expected. You can test IAM permissions by assuming the role and attempting to perform the actions specified in the policies.

You can assume a role using the AWS CLI with the sts assume-role command. The command only returns temporary credentials (an access key, a secret key and a session token); it does not change the identity the CLI uses, so you must export those credentials before later commands run as the role. Here’s an example of how you can assume a role and list the contents of an S3 bucket using the AWS CLI:

CREDS=$(aws sts assume-role --role-arn arn:aws:iam::123456789012:role/MyLambdaRole --role-session-name test-session --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<< "$CREDS"   # parse the temporary credentials
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN                 # later commands now run as the role
aws s3 ls s3://my-bucket/

In this example, we assume the ‘MyLambdaRole’ IAM role and list the contents of the ‘my-bucket’ S3 bucket. If the permissions are set up correctly, you should be able to list the contents of the bucket without any errors. Two things to check if you get AccessDenied: the role created above trusts only lambda.amazonaws.com, so its trust policy must also allow your own IAM principal before sts assume-role will succeed; and aws s3 ls needs s3:ListBucket, which here comes from the AmazonS3ReadOnlyAccess managed policy rather than from the custom policy, which only grants s3:GetObject.

Conclusion

In this lesson, we have learned how to attach IAM policies to a role in AWS for specific permissions. By attaching IAM policies to a role, you can grant fine-grained permissions to users or services in your AWS account. We have explored how to create IAM roles, attach existing managed policies, create custom IAM policies, and test IAM permissions using practical examples with AWS CDK and TypeScript.

Key learnings from this lesson include:

  • IAM policies are used to define permissions for AWS resources.
  • IAM policies can be attached to roles to grant specific permissions.
  • You can attach existing managed policies or create custom IAM policies for fine-grained control.
  • Testing IAM permissions is essential to ensure that the permissions are set up correctly.

By mastering the art of attaching IAM policies to roles, you can secure your AWS resources and control access effectively in your account.
