How I Stopped Worrying and Learned to Give Myself Any AWS Permissions I Wanted

I'm happy to have some ideas worth blogging about at last!  Here's a really big one I stumbled across if you're in an organization that wants to keep permissions relatively locked down on AWS (in terms of performing actions on resources), but still wants to enable individual users the ability to interact with their own stacks as needed without waiting on admins.


The TL/DR Of It

Using AWS CloudFormation, you can deploy a stack consisting of a single resource.  This resource is of type AWS::IAM::ManagedPolicy.  Attach all the policy statements you want, then add Users consisting of any IAM users on the AWS account.  Voila, instant permissions to do whatever.


More About the Process

Let's say you need to tweak various aspects of your AWS setup.  Maybe you have a DynamoDB entry that needs to be manually tweaked, a Lambda function where the concurrency needs to be adjusted, an SQS queue where the maximum age of a message needs to be adjusted, or files sitting around in an S3 bucket that are disrupting your Glue crawlers from processing the data into Athena or Redshift Spectrum correctly.  Doing any of these (and more) can be difficult if you use CloudFormation (or some other infrastructure-as-code) to set up the resources, but then do not have permissions on the console to make adjustments to deal with emergent situations.  Maybe you're uncertain that a deployment would disrupt everything in your queue, cost a bunch of time to redeploy code that doesn't actually need redeployment, etc.  Or, you're having to work late or over the weekend, and aren't able to bother any admins who are able to help you adjust the dials.

The process of deploying such a CloudFormation template is pretty simple.  In the Resources section of your CloudFormation template, define an AWS::IAM::ManagedPolicy resource.  In your PolicyDocument, define an array of Statements that list a series of Actions you Allow on one or more Resources.  If you have different actions you want to perform on different resources, simply add another item in the Statement array with its own Sid and other parameters.  Finally, on the same level as your PolicyDocument, you will define Users consisting of IAM users belonging to the AWS account.

For example, if your team needs access to modify/access records on your DynamoDB, and to modify the provisioned concurrency for a Lambda function, you could write the following document:

Description: AWS permissions for operators on the team

Parameters:

  MyTable:
    Description: Name of the DynamoDB table
    Type: String

  MyLambda:
    Description: Name of the Lambda function
    Type: String

Resources:

  MyTeamPermissionPolicy:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      PolicyDocument:
        Version: `2012-10-17'
        Statement:
          - Sid: AllowTeamDynamoPermissions
            Effect: Allow
            Action:
              - "dynamodb:GetItem"
              - "dynamodb:PutItem"
              - "dynamodb:UpdateItem"
              - "dynamodb:DeleteItem"
              - "dynamodb:Query"
              - "dynamodb:BatchWriteItem"
              - "dynamodb:BatchGetItem"
              - "dynamodb:Scan"
            Resource:
              - !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${MyTable}"
              - !Sub "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${MyTable}/index/*"
          - Sid: AllowTeamLambdaConcurrencyAdjustments
            Effect: Allow
            Action: "lambda:PutFunctionConcurrency"
            Resource: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function/${MyLambda}"
      Users:
        - "alice.cooper"
        - "bob.marley"
        - "carole.king"

Assuming those three esteemed and eclectic performers have IAM users set up on your AWS account, you would be able to take this YAML code, create a Stack out of it in CloudFormation, and grant them access to perform these actions on these resources, which might clear their path to perform actions that were otherwise not granted by the admins.  Additional permissions can be granted as they come up as error messages from the AWS console or CLI.

Use at your own risk!

Comments

Post a Comment

Popular posts from this blog

Making a ROM hack of an old arcade game

Image
(Addendum: Follow along my thought process below with this extra pedagogical material:  https://www.slideshare.net/StephenWylie3/process-of-arcade-rom-hacking  ) An interesting work project, right? I was invited to take my Giant NES Controller to a recruiting event for work taking place at a local brewery.  But you can't just have an NES controller without anything to play, right?  Thus, I pitched a couple ideas on custom games to go along with the giant controller since I didn't want participants playing anything standard either.  The thing they agreed to was to feature the Tapper arcade game, by Bally/Midway in 1983, but modified to show the brewery's logo instead of being Budweiser-branded like it was originally. My handiwork, about 80% done, and with a tiny glitch.  Can you spot the remaining issues? Now you might be thinking Tapper wasn't ever ported to NES, and that's correct.  However, with the help of the MAME arcade emulator and a Hyperkin USB-&
Read more

Start Azure Pipeline from another pipeline with ADO CLI & PowerShell

Image
Are you looking to find the one simple command that can kick off a pipeline from another pipeline in Azure DevOps? You may have found a lot of annoying restrictions using straight YAML because so many things have to be known ahead-of-time (i.e. set using compile-time variables). This prevents you from doing such things as conditionally running pipelines, utilizing arrays defined at runtime as parameters into many ADO tasks/commands, or performing manipulations on runtime data for use in subsequent commands. You can't even kick off a pipeline without the previous one finishing (and invoking a pipeline trigger ). Follow along as I explore a scripted solution to solve my problem. My Use Case I want to provide fresh Databricks images on a private Azure Container Registry (ACR). This way, data scientists are not confounded by changes to Databricks runtimes when their clusters start and stop, since changes can prevent their package & library installation scripts from running successf
Read more

Less Coding, More Prompt Engineering!

Image
Software developers have taken note of the efficacy of large language models such as ChatGPT towards automating particular development tasks. Depending on the language in use and what is to be accomplished, LLMs can provide a concise answer that circumvents the shortcomings of documentation that is either incomplete or tries to "boil the ocean." LLMs work best at generating code when the problem is well-defined and the language is fairly static and consistent. For instance, I have had a great deal of success when asking for code to perform basic operations on Amazon DynamoDB in the Node.js SDK 3. It was a bit more difficult to have it write infrastructure as code for AWS using the CDK framework in Python 3, but it still produced decent enough code that I at least knew where to start in looking at lengthy documentation. However, writing native mobile code such as Kotlin for Android or Swift for iOS yields some rather incomprehensible and outdated results. Besides ChatGPT, ther
Read more