AWS Roles and Policies

Working on cloud native solutions can be slow because of long iteration times. These can be shortened dramatically when the developer is able to iterate locally as much as possible.

Prerequisites

  • Access to AWS
  • Terraform installed
  • Vaulted installed and configured

Overview

You are working on a programmatic IAM Role for your application and want to test this role locally. You need to:

  • Allow your user profile to assume the role
  • Create a Vaulted configuration where you are assuming the role
  • Start a Vaulted shell based on this configuration
  • Now you have the role and can test locally

Assume Role

The example is in Terraform. This is a sample role:

resource "aws_iam_role" "sample-role" {
  name = "${var.prefix}-sample-role"
}

We want to allow our own user to assume it, so change to this:

resource "aws_iam_role" "sample-role" {
  name = "${var.prefix}-sample-role"
  assume_role_policy = "${data.aws_iam_policy_document.policy-doc.json}"
}

data "aws_iam_policy_document" "policy-doc" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type = "AWS"
      identifiers = ["arn:aws:iam::[TRUSTED_ACCOUNT]:user/[USER_NAME]"]
    }
  }
}

Fill in the correct values for TRUSTED_ACCOUNT and USER_NAME. These values can be found in the aws-account-setup git repo.
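As an added example (not part of the original page or the aws-account-setup repo), the script below checks the trust policy that the policy document above renders, before it is applied, and flags anything that widens sts:AssumeRole beyond the single intended user. The account id 123456789012 and user name alice are constructed placeholders for TRUSTED_ACCOUNT and USER_NAME.

```python
import json

# Constructed: the JSON that data.aws_iam_policy_document.policy-doc renders,
# with placeholder values 123456789012 / alice for TRUSTED_ACCOUNT / USER_NAME.
RENDERED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"},
    }],
})


def assume_role_principals(trust_policy_json):
    """Return every AWS principal an Allow statement lets call sts:AssumeRole."""
    doc = json.loads(trust_policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    principals = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # "Principal": "*" means any principal at all
            principals.add("*")
            continue
        aws = principal.get("AWS", [])
        principals.update([aws] if isinstance(aws, str) else aws)
    return principals


def trust_policy_findings(trust_policy_json, expected_principals):
    """Report anything that trusts more than the developer user we intend."""
    findings = []
    for p in sorted(assume_role_principals(trust_policy_json)):
        if p == "*":
            findings.append("trust policy allows any principal to assume the role")
        elif p.endswith(":root"):
            findings.append(f"whole account trusted via {p}, not a single user")
        elif p not in expected_principals:
            findings.append(f"unexpected principal {p}")
    return findings
```

Run it against the output of `terraform show` or the data source's rendered `json` attribute; an empty findings list means only the listed user can assume the role.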

Vaulted

The next step is automating authentication using Vaulted.

Setup

  • Copy your existing vaulted config: vaulted cp EXISTING_VAULT NEW_VAULT
  • Edit the new copy: vaulted edit NEW_VAULT
  • Navigate to AWS (press a) and then to Role arn (press r)
  • Paste the ARN of the role you want to assume. Find the ARN in AWS IAM.
  • Quit and save: press q, then y

Read more in the [Vaulted chapter][vaulted-chapter]

Testing in Vaulted shell

Start a Vaulted shell with vaulted shell NEW_VAULT. You can now execute commands as if you had only the role you want to test; for example, aws s3 ls shows which S3 buckets the role can see.

Local workflow

Your workflow is now:

  1. Apply policies to the role with Terraform
  2. Test locally using the aws CLI, a Python script, or whatever you need