AWS IAM is the service that controls permissions across AWS's different services, which is useful for restricting the access level of CI services or other accounts.

AWS already provides policy templates (managed policies), but they are usually still too broad for a specific use. Below are a few common usages, mainly for my own reference.

S3

  • Deploy to specific bucket

    {
      "Version":"2012-10-17",
      "Statement":[
        {
          "Effect":"Allow",
          "Action":["s3:PutObject"],
          "Resource":"arn:aws:s3:::[DEPLOY_BUCKET]/*"
        }
      ]
    }

  • For the Ansible s3 module to get objects (ListBucket applies to the bucket ARN, GetObject to the object ARN, so both resources are needed)

    {
      "Version":"2012-10-17",
      "Statement":[
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::mah-bucket",
            "arn:aws:s3:::mah-bucket/*"
          ]
        }
      ]
    }

IAM

  • Allow a user to create/list/update/delete their own access keys (the `${aws:username}` policy variable restricts the statement to the calling user; `[USER_ID]` in the ARN is the AWS account ID)
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1495696888000",
          "Effect": "Allow",
          "Action": [
            "iam:CreateAccessKey",
            "iam:DeleteAccessKey",
            "iam:GetAccessKeyLastUsed",
            "iam:ListAccessKeys",
            "iam:UpdateAccessKey"
          ],
          "Resource": [
            "arn:aws:iam::[USER_ID]:user/${aws:username}"
          ]
        }
      ]
    }

Amazon EC2 Container Registry (ECR)

  • Image builder (push image); `repository/*` covers every repository in the account, so narrow it to the repository name when the builder only pushes to one

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ecr:BatchCheckLayerAvailability",
            "ecr:CompleteLayerUpload",
            "ecr:GetDownloadUrlForLayer",
            "ecr:InitiateLayerUpload",
            "ecr:PutImage",
            "ecr:UploadLayerPart"
          ],
          "Resource": "arn:aws:ecr:[AWS_REGION]:[USER_ID]:repository/*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecr:GetAuthorizationToken"
          ],
          "Resource": "*"
        }
      ]
    }

  • Image reader (pull image)

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ecr:BatchCheckLayerAvailability",
            "ecr:BatchGetImage",
            "ecr:DescribeRepositories",
            "ecr:GetDownloadUrlForLayer",
            "ecr:GetRepositoryPolicy",
            "ecr:ListImages"
          ],
          "Resource": "arn:aws:ecr:[AWS_REGION]:[USER_ID]:repository/*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecr:GetAuthorizationToken"
          ],
          "Resource": "*"
        }
      ]
    }

DynamoDB

  • HashiCorp Vault DynamoDB storage backend (`dynamodb:ListTables` does not support resource-level restriction, so it is the only action left on `*`)
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "dynamodb:ListTables"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "dynamodb:BatchWriteItem",
            "dynamodb:CreateTable",
            "dynamodb:DeleteItem",
            "dynamodb:DescribeTable",
            "dynamodb:GetItem",
            "dynamodb:PutItem",
            "dynamodb:Query",
            "dynamodb:Scan",
            "dynamodb:UpdateItem",
            "dynamodb:UpdateTable"
          ],
          "Resource": [
            "arn:aws:dynamodb:[AWS_REGION]:[USER_ID]:table/[VAULT_TABLE]"
          ]
        }
      ]
    }

Reference