Identity Access Management (IAM)

IAM is a service that enables you to control access to AWS services and resources securely.

Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources.

You can create roles in IAM and manage permissions to control which operations can be performed by the entity, or AWS service, that assumes the role.

The following resource types are used in Terraform configuration files to create IAM users, groups, roles, and policies.

aws_iam_user – provides an IAM user
aws_iam_group – provides an IAM group
aws_iam_role – provides an IAM role
aws_iam_policy – provides an IAM policy
data source: aws_iam_policy_document – Generates an IAM policy document in JSON format
aws_iam_policy_attachment – Attaches a Managed IAM Policy to user(s), role(s), and/or group(s)

IAM User

The resource type “aws_iam_user” provides an IAM user.

resource "aws_iam_user" "devuser" {
  name = "tom"
}

If you want to give the user access to the AWS console, log in to the console and generate a password for the user.

To provide programmatic access, create an access key using the resource type “aws_iam_access_key”.

resource "aws_iam_access_key" "devuser_access_key" {
  user = "${aws_iam_user.devuser.name}"
  # Base64-encoded PGP public key (placeholder); the secret is encrypted with it
  # so it is never stored in plaintext in the state file or the console output.
  pgp_key = "<base64-encoded PGP public key>"
}

To obtain the user’s access key ID and the PGP-encrypted secret, expose them as outputs; Terraform prints them to the console after apply.

output "access_key" {
  value = "${aws_iam_access_key.devuser_access_key.id}"
}

output "secret" {
  value = "${aws_iam_access_key.devuser_access_key.encrypted_secret}"
}

You can add an inline user policy to restrict the user’s access.

resource "aws_iam_user_policy" "devuser_user_policy" {
  name = "devuser_user_policy"
  user = "${aws_iam_user.devuser.name}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

IAM Policy

The resource type “aws_iam_policy” provides an IAM policy.

The following arguments are supported:

  • name
  • name_prefix
  • description
  • path (default “/”)
  • policy (mandatory)

resource "aws_iam_policy" "ec2-monitor" {
  name = "ec2-monitor"
  description = "Describe EC2 Resource"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
   {
     "Action": [
       "ec2:Describe*"
     ],
    "Effect": "Allow",
    "Resource": "*"
   }
  ]
}
EOF
}

Policies can be attached to users, groups, and roles with the “aws_iam_policy_attachment” resource type. Note that this resource manages an exclusive attachment: the policy is detached from any user, role, or group not listed in it, so use at most one such resource per policy, or use the per-entity attachment resources such as “aws_iam_role_policy_attachment” instead.

The following arguments are supported:

  • name (mandatory)
  • users
  • roles
  • groups
  • policy_arn (mandatory)

resource "aws_iam_user" "test-user" {
  name = "test-user"
}

resource "aws_iam_role" "test-role" {
  name = "test-role"
  # assume_role_policy (the trust policy) is mandatory; this is the same
  # EC2 service trust used in the IAM Roles section below.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Effect": "Allow"
    }
  ]
}
EOF
}

resource "aws_iam_group" "test-group" {
  name = "test-group"
}

resource "aws_iam_policy" "test-policy" {
  name = "test-policy"
  description = "A test policy"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Action": [
     "ec2:Describe*"
    ],
    "Effect": "Allow",
    "Resource": "*"
  }
 ]
}
EOF
}

resource "aws_iam_policy_attachment" "test-attach" {
  name = "test-attachment"
  users = ["${aws_iam_user.test-user.name}"]
  roles = ["${aws_iam_role.test-role.name}"]
  groups = ["${aws_iam_group.test-group.name}"]
  policy_arn = "${aws_iam_policy.test-policy.arn}"
}

IAM Roles

The resource type “aws_iam_role” provides an IAM role.

The following arguments are supported:

  • name
  • name_prefix
  • assume_role_policy (mandatory)
  • path
  • description
  • max_session_duration
  • force_detach_policies
  • permissions_boundary
  • tags

resource "aws_iam_role" "test_role" {
  name = "test_role"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
  {
     "Action": "sts:AssumeRole",
     "Principal": {
       "Service": "ec2.amazonaws.com"
      },
     "Effect": "Allow",
     "Sid": ""
  }
 ]
}
EOF
  tags = {
    tag-key = "tag-value"
  }
}

You can create an inline policy for an IAM role using the “aws_iam_role_policy” resource type.

The following arguments are supported:

  • role (mandatory)
  • policy (mandatory)
  • name
  • name_prefix

resource "aws_iam_role_policy" "test_policy" {
  name = "test_policy"
  role = "${aws_iam_role.test_role.id}"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Action": [
      "ec2:Describe*"
     ],
    "Effect": "Allow",
    "Resource": "*"
  }
 ]
}
EOF
}

To attach a managed IAM policy (an “aws_iam_policy” resource) to an IAM role, create a resource with the “aws_iam_role_policy_attachment” resource type.

The following arguments are supported:

  • role (mandatory)
  • policy_arn (mandatory)

resource "aws_iam_role_policy_attachment" "test-attach" {
  role = "${aws_iam_role.test_role.name}"
  # policy_arn must reference a managed policy; inline role policies
  # (aws_iam_role_policy) have no ARN, so the managed "test-policy" from above is used here.
  policy_arn = "${aws_iam_policy.test-policy.arn}"
}
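As an added example (not part of the original page), the same EC2 trust policy and ec2:Describe* permission policy built with the aws_iam_policy_document data source listed at the top instead of heredoc JSON, then attached to the role with aws_iam_role_policy_attachment. Resource names (ec2_monitor_*) are chosen for this example, and it uses Terraform 0.12+ reference syntax.

```hcl
# Trust policy: only the EC2 service may assume the role.
data "aws_iam_policy_document" "ec2_monitor_trust" {
  statement {
    sid     = "EC2AssumeRole"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

# Permission policy: read-only EC2 describe calls. ec2:Describe* actions do not
# support resource-level permissions, so "*" is the only valid resource here.
data "aws_iam_policy_document" "ec2_monitor_permissions" {
  statement {
    sid       = "DescribeEC2"
    effect    = "Allow"
    actions   = ["ec2:Describe*"]
    resources = ["*"]
  }
}

resource "aws_iam_role" "ec2_monitor" {
  name                 = "ec2-monitor-role"
  assume_role_policy   = data.aws_iam_policy_document.ec2_monitor_trust.json
  max_session_duration = 3600 # seconds; 1 hour is the minimum and the default
}

resource "aws_iam_policy" "ec2_monitor" {
  name        = "ec2-monitor"
  description = "Read-only EC2 describe access"
  policy      = data.aws_iam_policy_document.ec2_monitor_permissions.json
}

# Per-role attachment: unlike aws_iam_policy_attachment it does not detach
# the policy from other users, groups, or roles.
resource "aws_iam_role_policy_attachment" "ec2_monitor" {
  role       = aws_iam_role.ec2_monitor.name
  policy_arn = aws_iam_policy.ec2_monitor.arn
}
```

Running `terraform plan` shows the rendered JSON of both documents, which makes it easy to review the trust and permission statements before they are applied.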