IAM provides a way of controlling the access to AWS resource. IAM consist of groups, users, and roles.
Users can have groups. Where they will inherit the privilages of that group. For example, administrators group. Users authenticate via their username and password, or using an access key and a secret key.
Roles can give users and services temporary access to different resources that they usually don't have access. These roles can be attached to EC2 instance. From that instance a user can obtain access credentials. These roles then allows the users to to assume the role attached and have access to to resources to do something otherwise they cannot.
In this section, first I will create a new administrator group and then create and add two admin users to the group.
Let's start by creating a file with the name vars.tf,
variable "AWS_REGION" {
default = "eu-west-1"
}
Create a file with the name provider.tf,
provider "aws" {
region = var.AWS_REGION
}
Finally, the iam.tf file,
# group definition
resource "aws_iam_group" "administrators" {
name = "administrators"
}
resource "aws_iam_policy_attachment" "administrators-attach" {
name = "administrators-attach"
groups = [aws_iam_group.administrators.name]
policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
# user
resource "aws_iam_user" "admin1" {
name = "admin1"
}
resource "aws_iam_user" "admin2" {
name = "admin2"
}
resource "aws_iam_group_membership" "administrators-users" {
name = "administrators-users"
users = [
aws_iam_user.admin1.name,
aws_iam_user.admin2.name,
]
group = aws_iam_group.administrators.name
}
output "warning" {
value = "WARNING: make sure you're not using the AdministratorAccess policy for other users/groups/roles. If this is the case, don't run terraform destroy, but manually unlink the created resources"
}
In here, I first create an IAM group named administrators. Then I attach the IAM policy arn:aws:iam::aws:policy/AdministratorAccess to it. Which means after the IAM policy attachment, new IAM group will have administrator privileges. Then I create two users, admin1 and admin2. To give them administrator privileges, I create an IAM groupp membership for these users in administrators group.
Initialize the providers,
$ terraform init
Apply the changes,
$ terraform apply
Don't forget to clean up once experiments are done,
$ terraform destroy
Now I am going to create an S3 bucket and then provision an EC2 instance. Then I'm going to assign an IAM role to that EC2 instace allowing it to access the the S3 bucket.
In here, I first define the IAM role for the S3 bucket and specify to assume the provided role policy. In the role policy I define the role just craeted and the S3 resources, both the bucket itself and it's subpaths.
Then instance.tf,
resource "aws_instance" "example" {
ami = var.AMIS[var.AWS_REGION]
instance_type = "t2.micro"
# the VPC subnet
subnet_id = aws_subnet.main-public-1.id
# the security group
vpc_security_group_ids = [aws_security_group.example-instance.id]
# the public SSH key
key_name = aws_key_pair.mykeypair.key_name
# role:
iam_instance_profile = aws_iam_instance_profile.s3-mybucket-role-instanceprofile.name
}
Special thing to notice in here is that I'm specifying the IAM instance profile created earlier.
Generate ssh keys,
$ ssh-keygen -f mykey
Initialize the providers,
$ terraform init
Apply the changes,
$ terraform apply
Don't forget to clean up once experiments are done,