amazon-archives / aws-service-operator

AWS Service Operator allows you to create AWS resources using kubectl.
Apache License 2.0

Create IAM Role Resource #59

Open christopherhein opened 6 years ago

christopherhein commented 6 years ago

This will allow you to model an IAM role for your applications. These will reference policy names either via the name in IAM from defaults or using the IAM Policy resource in #58.

apiVersion: operator.aws/v1alpha1
kind: IAMRole
metadata:
  name: aws-operator
spec:
  policies:
  - aws-operator
  - AdministratorAccess

This should be a cluster-wide resource. As well, when they use a standard policy name it should use aws as the account id in the arn.

whitelisted policy names

WAFRegionalLoggingServiceRolePolicy
WAFLoggingServiceRolePolicy
VMImportExportRoleForAWSConnector
TranslateReadOnly
TagGovernancePolicy
SimpleWorkflowFullAccess
ServiceCatalogEndUserAccess
ServiceCatalogAdminReadOnlyAccess
ServerMigrationServiceRole
ServerMigrationConnector
SecretsManagerReadWrite
ResourceGroupsandTagEditorReadOnlyAccess
ResourceGroupsandTagEditorFullAccess
ReadOnlyAccess
RDSCloudHsmAuthorizationRole
QuickSightAccessForS3StorageManagementAnalyticsReadOnly
NeptuneReadOnlyAccess
NeptuneFullAccess
NeptuneConsoleFullAccess
LexChannelPolicy
LexBotPolicy
IsengardControllerPolicy
IAMUserSSHKeys
IAMUserChangePassword
IAMSelfManageServiceSpecificCredentials
IAMReadOnlyAccess
IAMFullAccess
GreengrassOTAUpdateArtifactAccess
FMSServiceRolePolicy
ElastiCacheServiceRolePolicy
DynamoDBReplicationServiceRolePolicy
DAXServiceRolePolicy
ComprehendReadOnly
ComprehendFullAccess
CloudWatchReadOnlyAccess
CloudWatchLogsReadOnlyAccess
CloudWatchLogsFullAccess
CloudWatchFullAccess
CloudWatchEventsServiceRolePolicy
CloudWatchEventsReadOnlyAccess
CloudWatchEventsInvocationAccess
CloudWatchEventsFullAccess
CloudWatchEventsBuiltInTargetExecutionAccess
CloudWatchAgentServerPolicy
CloudWatchAgentAdminPolicy
CloudWatchActionsEC2Access
CloudSearchReadOnlyAccess
CloudSearchFullAccess
CloudHSMServiceRolePolicy
CloudFrontReadOnlyAccess
CloudFrontFullAccess
AWSXrayWriteOnlyAccess
AWSXrayReadOnlyAccess
AWSXrayFullAccess
AWSWAFReadOnlyAccess
AWSWAFFullAccess
AWSTrustedAdvisorServiceRolePolicy
AWSSupportAccess
AWSStorageGatewayReadOnlyAccess
AWSStorageGatewayFullAccess
AWSStepFunctionsReadOnlyAccess
AWSStepFunctionsFullAccess
AWSStepFunctionsConsoleFullAccess
AWSSSOServiceRolePolicy
AWSSSOReadOnly
AWSSSOMemberAccountAdministrator
AWSSSOMasterAccountAdministrator
AWSShieldDRTAccessPolicy
AWSServiceRoleForEC2ScheduledInstances
AWSServiceCatalogEndUserFullAccess
AWSServiceCatalogAdminFullAccess
AWSResourceGroupsReadOnlyAccess
AWSQuickSightListIAM
AWSQuickSightIoTAnalyticsAccess
AWSQuickSightDescribeRedshift
AWSQuickSightDescribeRDS
AWSQuicksightAthenaAccess
AWSPriceListServiceFullAccess
AWSOrganizationsServiceTrustPolicy
AWSOpsWorksRole
AWSOpsWorksRegisterCLI
AWSOpsWorksInstanceRegistration
AWSOpsWorksFullAccess
AWSOpsWorksCMServiceRole
AWSOpsWorksCMInstanceProfileRole
AWSOpsWorksCloudWatchLogs
AWSMobileHub_ReadOnly
AWSMobileHub_FullAccess
AWSMigrationHubSMSAccess
AWSMigrationHubFullAccess
AWSMigrationHubDMSAccess
AWSMigrationHubDiscoveryAccess
AWSMarketplaceRead-only
AWSMarketplaceMeteringFullAccess
AWSMarketplaceManageSubscriptions
AWSMarketplaceImageBuildFullAccess
AWSMarketplaceGetEntitlements
AWSMarketplaceFullAccess
AWSLambdaVPCAccessExecutionRole
AWSLambdaSQSQueueExecutionRole
AWSLambdaRole
AWSLambdaReplicator
AWSLambdaReadOnlyAccess
AWSLambdaKinesisExecutionRole
AWSLambdaInvocation-DynamoDB
AWSLambdaFullAccess
AWSLambdaExecute
AWSLambdaENIManagementAccess
AWSLambdaDynamoDBExecutionRole
AWSLambdaBasicExecutionRole
AWSKeyManagementServicePowerUser
AWSIoTThingsRegistration
AWSIoTRuleActions
AWSIoTOTAUpdate
AWSIoTLogging
AWSIoTFullAccess
AWSIoTDeviceDefenderAudit
AWSIoTDataAccess
AWSIoTConfigReadOnlyAccess
AWSIoTConfigAccess
AWSIoTAnalyticsReadOnlyAccess
AWSIoTAnalyticsFullAccess
AWSIoT1ClickReadOnlyAccess
AWSIoT1ClickFullAccess
AWSImportExportReadOnlyAccess
AWSImportExportFullAccess
AWSHealthFullAccess
AWSGreengrassResourceAccessRolePolicy
AWSGreengrassFullAccess
AWSGlueServiceRole
AWSGlueServiceNotebookRole
AWSGlueConsoleFullAccess
AWSFMMemberReadOnlyAccess
AWSFMAdminReadOnlyAccess
AWSFMAdminFullAccess
AWSEnhancedClassicNetworkingMangementPolicy
AWSElementalMediaStoreReadOnly
AWSElementalMediaStoreFullAccess
AWSElementalMediaPackageReadOnly
AWSElementalMediaPackageFullAccess
AWSElementalMediaConvertReadOnly
AWSElementalMediaConvertFullAccess
AWSElasticLoadBalancingServiceRolePolicy
AWSElasticLoadBalancingClassicServiceRolePolicy
AWSElasticBeanstalkWorkerTier
AWSElasticBeanstalkWebTier
AWSElasticBeanstalkServiceRolePolicy
AWSElasticBeanstalkService
AWSElasticBeanstalkReadOnlyAccess
AWSElasticBeanstalkMulticontainerDocker
AWSElasticBeanstalkFullAccess
AWSElasticBeanstalkEnhancedHealth
AWSElasticBeanstalkCustomPlatformforEC2Role
AWSEC2SpotServiceRolePolicy
AWSEC2SpotFleetServiceRolePolicy
AWSEC2FleetServiceRolePolicy
AWSDiscoveryContinuousExportFirehosePolicy
AWSDirectoryServiceReadOnlyAccess
AWSDirectoryServiceFullAccess
AWSDirectConnectReadOnlyAccess
AWSDirectConnectFullAccess
AWSDeviceFarmFullAccess
AWSDeepLensServiceRolePolicy
AWSDeepLensLambdaFunctionAccessPolicy
AWSDataPipelineRole
AWSDataPipeline_PowerUser
AWSDataPipeline_FullAccess
AWSDataLifecycleManagerServiceRole
AWSConnector
AWSConfigUserAccess
AWSConfigServiceRolePolicy
AWSConfigRulesExecutionRole
AWSConfigRoleForOrganizations
AWSConfigRole
AWSCodeStarServiceRole
AWSCodeStarFullAccess
AWSCodePipelineReadOnlyAccess
AWSCodePipelineFullAccess
AWSCodePipelineCustomActionAccess
AWSCodePipelineApproverAccess
AWSCodeDeployRoleForLambda
AWSCodeDeployRole
AWSCodeDeployReadOnlyAccess
AWSCodeDeployFullAccess
AWSCodeDeployDeployerAccess
AWSCodeCommitReadOnly
AWSCodeCommitPowerUser
AWSCodeCommitFullAccess
AWSCodeBuildReadOnlyAccess
AWSCodeBuildDeveloperAccess
AWSCodeBuildAdminAccess
AWSCloudTrailReadOnlyAccess
AWSCloudTrailFullAccess
AWSCloudHSMRole
AWSCloudHSMReadOnlyAccess
AWSCloudHSMFullAccess
AWSCloudFrontLogger
AWSCloudFormationReadOnlyAccess
AWSCloud9User
AWSCloud9ServiceRolePolicy
AWSCloud9EnvironmentMember
AWSCloud9Administrator
AWSCertificateManagerReadOnly
AWSCertificateManagerFullAccess
AWSBatchServiceRole
AWSBatchServiceEventTargetRole
AWSBatchFullAccess
AWSAutoScalingPlansEC2AutoScalingPolicy
AWSArtifactAccountSync
AWSAppSyncSchemaAuthor
AWSAppSyncPushToCloudWatchLogs
AWSAppSyncInvokeFullAccess
AWSAppSyncAdministrator
AWSApplicationDiscoveryServiceFullAccess
AWSApplicationDiscoveryAgentAccess
AWSApplicationAutoscalingSageMakerEndpointPolicy
AWSApplicationAutoscalingRDSClusterPolicy
AWSApplicationAutoscalingEMRInstanceGroupPolicy
AWSApplicationAutoscalingECSServicePolicy
AWSApplicationAutoscalingEC2SpotFleetRequestPolicy
AWSApplicationAutoscalingDynamoDBTablePolicy
AWSApplicationAutoScalingCustomResourcePolicy
AWSApplicationAutoscalingAppStreamFleetPolicy
AWSAgentlessDiscoveryService
AWSAccountUsageReportAccess
AWSAccountActivityAccess
AutoScalingServiceRolePolicy
AutoScalingReadOnlyAccess
AutoScalingNotificationAccessRole
AutoScalingFullAccess
AutoScalingConsoleReadOnlyAccess
AutoScalingConsoleFullAccess
ApplicationDiscoveryServiceContinuousExportServiceRolePolicy
ApplicationAutoScalingForAmazonAppStreamAccess
APIGatewayServiceRolePolicy
AmazonZocaloReadOnlyAccess
AmazonZocaloFullAccess
AmazonWorkSpacesApplicationManagerAdminAccess
AmazonWorkSpacesAdmin
AmazonWorkMailReadOnlyAccess
AmazonWorkMailFullAccess
AmazonVPCReadOnlyAccess
AmazonVPCFullAccess
AmazonVPCCrossAccountNetworkInterfaceOperations
AmazonTranscribeReadOnlyAccess
AmazonTranscribeFullAccess
AmazonSumerianFullAccess
AmazonSSMServiceRolePolicy
AmazonSSMReadOnlyAccess
AmazonSSMMaintenanceWindowRole
AmazonSSMFullAccess
AmazonSSMAutomationRole
AmazonSSMAutomationApproverAccess
AmazonSQSReadOnlyAccess
AmazonSQSFullAccess
AmazonSNSRole
AmazonSNSReadOnlyAccess
AmazonSNSFullAccess
AmazonSESReadOnlyAccess
AmazonSESFullAccess
AmazonSageMakerReadOnly
AmazonSageMakerFullAccess
AmazonS3ReadOnlyAccess
AmazonS3FullAccess
AmazonRoute53ReadOnlyAccess
AmazonRoute53FullAccess
AmazonRoute53DomainsReadOnlyAccess
AmazonRoute53DomainsFullAccess
AmazonRoute53AutoNamingRegistrantAccess
AmazonRoute53AutoNamingReadOnlyAccess
AmazonRoute53AutoNamingFullAccess
AmazonRekognitionServiceRole
AmazonRekognitionReadOnlyAccess
AmazonRekognitionFullAccess
AmazonRedshiftServiceLinkedRolePolicy
AmazonRedshiftReadOnlyAccess
AmazonRedshiftFullAccess
AmazonRDSServiceRolePolicy
AmazonRDSReadOnlyAccess
AmazonRDSPreviewServiceRolePolicy
AmazonRDSFullAccess
AmazonRDSEnhancedMonitoringRole
AmazonRDSDirectoryServiceAccess
AmazonRDSBetaServiceRolePolicy
AmazonPollyReadOnlyAccess
AmazonPollyFullAccess
AmazonMQReadOnlyAccess
AmazonMQFullAccess
AmazonMobileAnalyticsWriteOnlyAccess
AmazonMobileAnalyticsNon-financialReportAccess
AmazonMobileAnalyticsFullAccess
AmazonMobileAnalyticsFinancialReportAccess
AmazonMechanicalTurkReadOnly
AmazonMechanicalTurkFullAccess
AmazonMechanicalTurkCrowdReadOnlyAccess
AmazonMechanicalTurkCrowdFullAccess
AmazonMacieSetupRole
AmazonMacieServiceRolePolicy
AmazonMacieServiceRole
AmazonMacieHandshakeRole
AmazonMacieFullAccess
AmazonMachineLearningRoleforRedshiftDataSource
AmazonMachineLearningRealTimePredictionOnlyAccess
AmazonMachineLearningReadOnlyAccess
AmazonMachineLearningManageRealTimeEndpointOnlyAccess
AmazonMachineLearningFullAccess
AmazonMachineLearningCreateOnlyAccess
AmazonMachineLearningBatchPredictionsAccess
AmazonLexRunBotsOnly
AmazonLexReadOnly
AmazonLexFullAccess
AmazonKinesisVideoStreamsReadOnlyAccess
AmazonKinesisVideoStreamsFullAccess
AmazonKinesisReadOnlyAccess
AmazonKinesisFullAccess
AmazonKinesisFirehoseReadOnlyAccess
AmazonKinesisFirehoseFullAccess
AmazonKinesisAnalyticsReadOnly
AmazonKinesisAnalyticsFullAccess
AmazonInspectorServiceRolePolicy
AmazonInspectorReadOnlyAccess
AmazonInspectorFullAccess
AmazonGuardDutyServiceRolePolicy
AmazonGuardDutyReadOnlyAccess
AmazonGuardDutyFullAccess
AmazonGlacierReadOnlyAccess
AmazonGlacierFullAccess
AmazonFreeRTOSFullAccess
AmazonESReadOnlyAccess
AmazonESFullAccess
AmazonESCognitoAccess
AmazonEMRCleanupPolicy
AmazonElasticTranscoderRole
AmazonElasticTranscoder_ReadOnlyAccess
AmazonElasticTranscoder_JobsSubmitter
AmazonElasticTranscoder_FullAccess
AmazonElasticsearchServiceRolePolicy
AmazonElasticMapReduceRole
AmazonElasticMapReduceReadOnlyAccess
AmazonElasticMapReduceFullAccess
AmazonElasticMapReduceforEC2Role
AmazonElasticMapReduceforAutoScalingRole
AmazonElasticFileSystemReadOnlyAccess
AmazonElasticFileSystemFullAccess
AmazonElastiCacheReadOnlyAccess
AmazonElastiCacheFullAccess
AmazonEKSWorkerNodePolicy
AmazonEKSServicePolicy
AmazonEKSClusterPolicy
AmazonEKS_CNI_Policy
AmazonECSTaskExecutionRolePolicy
AmazonECSServiceRolePolicy
AmazonECS_FullAccess
AmazonEC2SpotFleetTaggingRole
AmazonEC2SpotFleetRole
AmazonEC2SpotFleetAutoscaleRole
AmazonEC2RoleforSSM
AmazonEC2RoleforDataPipelineRole
AmazonEC2RoleforAWSCodeDeploy
AmazonEC2ReportsAccess
AmazonEC2ReadOnlyAccess
AmazonEC2FullAccess
AmazonEC2ContainerServiceRole
AmazonEC2ContainerServiceFullAccess
AmazonEC2ContainerServiceforEC2Role
AmazonEC2ContainerServiceEventsRole
AmazonEC2ContainerServiceAutoscaleRole
AmazonEC2ContainerRegistryReadOnly
AmazonEC2ContainerRegistryPowerUser
AmazonEC2ContainerRegistryFullAccess
AmazonDynamoDBReadOnlyAccess
AmazonDynamoDBFullAccesswithDataPipeline
AmazonDynamoDBFullAccess
AmazonDRSVPCManagement
AmazonDMSVPCManagementRole
AmazonDMSRedshiftS3Role
AmazonDMSCloudWatchLogsRole
AmazonCognitoReadOnly
AmazonCognitoPowerUser
AmazonCognitoDeveloperAuthenticatedIdentities
AmazonCloudDirectoryReadOnlyAccess
AmazonCloudDirectoryFullAccess
AmazonChimeUserManagement
AmazonChimeReadOnly
AmazonChimeFullAccess
AmazonAthenaFullAccess
AmazonAppStreamServiceAccess
AmazonAppStreamReadOnlyAccess
AmazonAppStreamFullAccess
AmazonAPIGatewayPushToCloudWatchLogs
AmazonAPIGatewayInvokeFullAccess
AmazonAPIGatewayAdministrator
AlexaForBusinessReadOnlyAccess
AlexaForBusinessGatewayExecution
AlexaForBusinessFullAccess
AlexaForBusinessDeviceSetup

fiunchinho commented 6 years ago

hey @christopherhein ! What do you mean with

This should be a cluster-wide resource. As well, when they use a standard policy name it should use aws as the account id in the arn.

Does it mean that the IAM Role Resource should be created in a shared namespace instead of the same namespace where the application is running? We are currently creating AWS resources using other tools and we are considering moving into this operator. Our current setup creates an IAM Role for every single application. This IAM Role contains the IAM Policies required by the application, like access to the application's S3 bucket, application's KMS keys and so on. Thanks!

christopherhein commented 6 years ago

The idea here is that in AWS, IAM Roles and Policies are treated at the global namespace, meaning they are shared across regions. In Kubernetes and AWS we have the concept of namespaces, but then we also have cluster-wide components like cluster-roles; this is delineated in the CRD using the scope attribute. With the Operator right now the code generator doesn't support changing from Namespaced to Cluster, but it should be an easy addition. That's what that is referring to. The Roles will be in the global namespace and then your application would reference them using something like kube2iam.

fiunchinho commented 6 years ago

We'd need to reference other AWS resources created by this operator, like S3 buckets, in the Policies that would be attached to the IAM Role for the application. If we want to programmatically create these policies, maybe we should label the AWS resources created in the Kubernetes API with the application name, try to filter using the label and take the output field from those resources to use them in the Policy, right?

christopherhein commented 6 years ago

That wasn't my initial thought. How I'd originally envisioned and started prototyping this was using #58 for the policies, treating them more like we treat ClusterRoles and Bindings. It makes it more declarative and easier to track changes, everything is self-documented for a specific policy, you can change that policy without having to reapply a pod manifest, and from an implementation standpoint it also reduces the amount of custom work that needs to be done.

So if you check out the example:

apiVersion: operator.aws/v1alpha1
kind: IAMRole
metadata:
  name: aws-operator
spec:
  policies:
  - aws-operator
  - AdministratorAccess

The keys under spec.policies are a list of strings; those strings (besides the whitelisted names, which are defaults in your AWS account) would reference a named policy that would be built from another CRD in #58.

Note: with #58, I'm still very WIP about how those would be defined and modeled given how the standard IAM policies are encoded in json.

fiunchinho commented 6 years ago

I see. But do you think this would make sense?

apiVersion: operator.aws/v1alpha1
kind: IAMRole
metadata:
  name: my-awesome-app
spec:
  policies:
  - my-awesome-app-kms
  - my-awesome-app-s3

This role would be used by my-awesome-app to access its own s3 bucket and to encrypt/decrypt using its own KMS key. This way, only my-awesome-app is allowed to use these resources, and every application has their own AWS resources and policies that allow access to them.

Normally, we don't share AWS resources like databases, S3 buckets or KMS keys between applications. That's why we'd like to limit the access to the application.

christopherhein commented 6 years ago

I would love more feedback on this, but I don't think the solution outlined precludes what you are saying actually. It just models the resources similarly to the way AWS IAM is modeled, being a global service… if you make a policy or role it's accessible to region A and region B.

The way it is structured in that sample manifest allows you to use all policies, including the standard policies in every AWS Account (the whitelist), from within the role, and they get backed up to individual policies outside of the role. This enables but doesn't force other roles to use that same policy. An example of this could be two applications that need write capability to an SQS queue: you could write the policy once and reference it in the two separate roles, one for each application.

What we lose by structuring it this way is inline policies; is this a deal breaker? Given that the operator is creating and managing those resources for you, you likely won't need to do anything in the console to make this happen.

To give a clearer example: if you had a role/policy that needed write access to SQS, you could write a single file that looked like this:

---
apiVersion: service-operator.aws/v1alpha1
kind: IAMPolicy
metadata:
  name: foo-app-sqs-policy
spec:
  sqs:
    write:
    - SendMessage
    resource:
    - arn:aws:sqs:*:123456789012:foo-app
---
apiVersion: service-operator.aws/v1alpha1
kind: IAMRole
metadata:
  name: foo-app-role
spec:
  policies:
  - foo-app-sqs-policy

Then if later in development you need to mutate the role and give it read-only S3 access you can simply mutate the spec.policies list and add AmazonS3ReadOnlyAccess being a whitelisted policy.

Doesn't that help? Concerns?
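Added example (not code from the aws-service-operator project or from any commenter in this thread): a Go sketch of the two pieces of logic the proposal above implies. ResolvePolicyARN maps each spec.policies entry to the ARN that would be attached, sending whitelisted names to the aws account and anything else to the operator's own account, and RenderPolicyDocument turns the service/read/write/resource IAMPolicy shape from the sample manifest into an IAM policy JSON document. The whitelist here is a hand-picked subset of the names listed earlier in the issue, the account id 123456789012 is the placeholder from the sample manifest, and the IAMPolicy schema is the sketch from the comment, not a finalized API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// managedPolicyWhitelist is a hand-picked subset of the AWS managed policy names
// listed in this issue (assumption: the real operator would carry the full list).
// Only names found here resolve to the "aws" account ARN; anything else is treated
// as a customer-managed policy in the operator's own account.
var managedPolicyWhitelist = map[string]bool{
	"AmazonS3ReadOnlyAccess":      true,
	"AmazonSQSFullAccess":         true,
	"AWSLambdaBasicExecutionRole": true,
	"ReadOnlyAccess":              true,
}

// IAM policy names are limited to this character set and length.
var policyNameRE = regexp.MustCompile(`^[\w+=,.@-]{1,128}$`)

// ResolvePolicyARN maps one entry of spec.policies to the ARN the operator would
// attach to the role. accountID is the account the operator runs in.
func ResolvePolicyARN(name, accountID string) (string, error) {
	if !policyNameRE.MatchString(name) {
		return "", fmt.Errorf("invalid policy name %q", name)
	}
	if managedPolicyWhitelist[name] {
		return "arn:aws:iam::aws:policy/" + name, nil
	}
	return fmt.Sprintf("arn:aws:iam::%s:policy/%s", accountID, name), nil
}

// ServiceAccess mirrors one service block of the hypothetical IAMPolicy spec
// (e.g. spec.sqs): read/write API actions and the resources they apply to.
type ServiceAccess struct {
	Read     []string `json:"read,omitempty"`
	Write    []string `json:"write,omitempty"`
	Resource []string `json:"resource"`
}

type statement struct {
	Effect   string   `json:"Effect"`
	Action   []string `json:"Action"`
	Resource []string `json:"Resource"`
}

type policyDocument struct {
	Version   string      `json:"Version"`
	Statement []statement `json:"Statement"`
}

// RenderPolicyDocument turns a spec (service name -> access) into an IAM policy
// JSON document: one Allow statement per service, actions prefixed with the
// service name. A block with no resources is rejected instead of defaulting to "*".
func RenderPolicyDocument(spec map[string]ServiceAccess) ([]byte, error) {
	doc := policyDocument{Version: "2012-10-17"}
	services := make([]string, 0, len(spec))
	for svc := range spec {
		services = append(services, svc)
	}
	sort.Strings(services) // deterministic output so changes show up cleanly in diffs
	for _, svc := range services {
		acc := spec[svc]
		if len(acc.Resource) == 0 {
			return nil, fmt.Errorf("service %q: resource list must not be empty", svc)
		}
		var actions []string
		for _, a := range append(append([]string{}, acc.Read...), acc.Write...) {
			actions = append(actions, svc+":"+a)
		}
		if len(actions) == 0 {
			return nil, fmt.Errorf("service %q: no read or write actions", svc)
		}
		doc.Statement = append(doc.Statement, statement{
			Effect: "Allow", Action: actions, Resource: acc.Resource,
		})
	}
	return json.MarshalIndent(doc, "", "  ")
}

func main() {
	// Constructed input matching the foo-app-sqs-policy manifest in the thread.
	spec := map[string]ServiceAccess{
		"sqs": {Write: []string{"SendMessage"}, Resource: []string{"arn:aws:sqs:*:123456789012:foo-app"}},
	}
	doc, err := RenderPolicyDocument(spec)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(doc))
	for _, p := range []string{"foo-app-sqs-policy", "AmazonS3ReadOnlyAccess"} {
		arn, err := ResolvePolicyARN(p, "123456789012")
		if err != nil {
			panic(err)
		}
		fmt.Println(p, "->", arn)
	}
}
```

Two checks are worth keeping whatever the final schema looks like: a name that is not on the whitelist never resolves to the aws account, so a mistyped managed-policy name fails to attach instead of silently picking up something broader, and a service block without a resource list is rejected rather than widened to "*".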

sepulworld commented 5 years ago

I like the separation of concerns with kind: IAMPolicy and kind: IAMRole

Avolynsk commented 5 years ago

Hello @christopherhein ! Any updates about creating IAM resources with aws-service-operator? I would like to try it.

christopherhein commented 5 years ago

Hey @Avolynsk I don't as of now. I've been working on the build out of #153 which will encompass it but it's still a bit out. Is this something you need ASAP?

Avolynsk commented 5 years ago

Yeah, managing IAM resources is a hot issue for me at the moment.

hmcmanus commented 5 years ago

Hey @christopherhein, any movement on the code gen part of this project? I'm pretty interested in getting the IAM into the operator and would like to help if needed. I'm a noob to operators and Go but happy to give it a shot if you're open to it.

Let me know where it's at and where I can help, if at all.