
What is the meaning of aws_iam_role and aws_iam_role_policy?

I want my AWS Lambda function to access a DynamoDB table using Terraform. For that I went to the Terraform registry - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy - and used the following code for creating an IAM role, with help from the registry.

resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = aws_iam_role.test_role.id

  policy = <<-EOF
  {  
   "Version": "2012-10-17",
   "Statement":[{
     "Effect": "Allow",
     "Action": [
      "dynamodb:BatchGetItem",
      "dynamodb:GetItem",
      "dynamodb:Query",
      "dynamodb:Scan",
      "dynamodb:BatchWriteItem",
      "dynamodb:PutItem",
      "dynamodb:UpdateItem"
     ],
     "Resource": "arn:aws:dynamodb:us-east-1:987456321456:table/myDB"
    }
   ]
  }
  EOF
}

resource "aws_iam_role" "test_role" {
  name = "test_role"

  assume_role_policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Principal": {
          "Service": "lambda.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": ""
      }
    ]
  }
  EOF
}

Then I created resources for Lambda and DynamoDB using Terraform code. And at last I deployed them. My deployment was successful and both of the resources worked as planned.

But I have not understood the meaning of aws_iam_role_policy and aws_iam_role. And what is the assume_role_policy attribute inside aws_iam_role, and why is it used?

The IAM role is the identity that is performing the interaction with AWS services, this is either attached to a service (such as EC2 or Lambda) or assumed via another identity (such as IAM user or an external source such as Google).

An assume role policy is included to whitelist which entity types can assume that role; this safeguards against every service being able to become that role. In your case you're limiting the IAM role to only be assumed by the Lambda service.

Finally you have the AWS IAM role policy. An IAM policy is a JSON definition of the permitted API actions from the attached resource. They can come in one of several types:

  • AWS Managed Policy - These are defined by AWS and read only to the user, they can be attached to an IAM user, role or group.
  • Customer Managed Policy - These are defined by you the customer, you can attach them to users, roles or groups.
  • Inline policy - These policies are directly attached to a single user, group or role. Cannot be shared.

Your resource has an inline policy which means only that IAM role will have that specific policy attached.
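To make the two halves of the answer concrete, here is an added example (not from the question or either answer) that rebuilds the same role with aws_iam_policy_document data sources, so Terraform validates the JSON and each policy is labelled by its job: the trust policy says who may become the role, the inline role policy says what the role may then do. The account id, table name, role name and policy name are placeholders, not values from the page.

```hcl
variable "table_arn" {
  type    = string
  default = "arn:aws:dynamodb:us-east-1:111111111111:table/myDB" # placeholder account id
}

data "aws_caller_identity" "current" {}

# Trust policy (assume_role_policy): WHO may become this role.
# Only the Lambda service, and only for functions in this account.
data "aws_iam_policy_document" "lambda_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

# Permissions policy (aws_iam_role_policy): WHAT the role may do once assumed.
data "aws_iam_policy_document" "table_access" {
  statement {
    effect = "Allow"
    actions = [
      "dynamodb:BatchGetItem", "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan",
      "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
    ]
    resources = [var.table_arn] # one table, never "*"
  }
}

resource "aws_iam_role" "lambda_exec" {
  name               = "lambda-mydb-exec"
  assume_role_policy = data.aws_iam_policy_document.lambda_trust.json
}

# Inline policy: lives on this role only and is deleted with it.
resource "aws_iam_role_policy" "table_access" {
  name   = "mydb-access"
  role   = aws_iam_role.lambda_exec.id
  policy = data.aws_iam_policy_document.table_access.json
}
```

Run `terraform plan` and inspect the rendered `assume_role_policy` and `policy` attributes to see the two JSON documents side by side; the aws:SourceAccount condition keeps a Lambda function in another account from assuming the role even though it uses the same service principal.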

An IAM Role looks like an IAM user. Roles and users are both AWS identities with permissions policies. So basically, policies are attached to IAM Roles and IAM Users. IAM Roles can also be attached to IAM Users. For example, in your company there are 5 developers. You can't attach them one by one with many policies. The solution is that you just create a role called "Developer" and attach this role to policies. After that, you attach every user to this role. So maintenance is also quite easy. For more details, see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html
