awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

Document how to add "job-function" managed iam policies to roles #256

Open atheiman opened 1 year ago

atheiman commented 1 year ago

Is your feature request related to a problem? Please describe.
We had to go through trial and error to add the "Billing" managed IAM policy to a role via roleSets. First we tried adding awsManaged: Billing, then the ARN awsManaged: arn:aws:blah:blah:policy/aws/job-function/Billing (I know the ARN is incorrect), and finally got it to work with job-function/Billing. This should be documented here: https://awslabs.github.io/landing-zone-accelerator-on-aws/classes/_aws_accelerator_config.PoliciesConfig.html#awsManaged or included in more examples. AWS recommends using these job function managed policies.

bakharzy commented 1 year ago

Hi @atheiman , thanks for sharing this. For me this job function worked:

policies:
  awsManaged:
    - AdministratorAccess

Actually I checked the ARNs for job function policies. Some have job-function in the ARN and some don't!!! There is inconsistency.

arn:aws:iam::aws:policy/AdministratorAccess
arn:aws:iam::aws:policy/job-function/DataScientist
arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
arn:aws:iam::aws:policy/ReadOnlyAccess
arn:aws:iam::aws:policy/job-function/Billing
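The thread shows that the awsManaged value is the policy ARN with the constant arn:aws:iam::aws:policy/ prefix removed, so path-qualified policies need job-function/ while others do not. The script below, added here as an example and not code from the LZA project or either commenter, resolves a bare policy name to that value from the output of `aws iam list-policies --scope AWS`, using a constructed sample built from the five ARNs quoted above; the function and variable names are the example's own.

```python
import json

# LZA's awsManaged entries are the ARN minus this constant prefix
# (e.g. "job-function/Billing", "AdministratorAccess").
AWS_MANAGED_PREFIX = "arn:aws:iam::aws:policy/"

# Constructed sample in the shape of `aws iam list-policies --scope AWS`
# output, limited to the ARNs quoted in the thread (not a live API response).
SAMPLE_LIST_POLICIES = json.dumps({"Policies": [
    {"PolicyName": "AdministratorAccess", "Path": "/",
     "Arn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    {"PolicyName": "DataScientist", "Path": "/job-function/",
     "Arn": "arn:aws:iam::aws:policy/job-function/DataScientist"},
    {"PolicyName": "ViewOnlyAccess", "Path": "/job-function/",
     "Arn": "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"},
    {"PolicyName": "ReadOnlyAccess", "Path": "/",
     "Arn": "arn:aws:iam::aws:policy/ReadOnlyAccess"},
    {"PolicyName": "Billing", "Path": "/job-function/",
     "Arn": "arn:aws:iam::aws:policy/job-function/Billing"},
]})


def aws_managed_value(arn):
    """Strip the AWS managed policy prefix; reject anything that is not such an ARN."""
    if not arn.startswith(AWS_MANAGED_PREFIX):
        raise ValueError(f"not an AWS managed policy ARN: {arn}")
    return arn[len(AWS_MANAGED_PREFIX):]


def build_lookup(list_policies_json):
    """Map bare PolicyName -> awsManaged value (so 'Billing' -> 'job-function/Billing')."""
    lookup = {}
    for policy in json.loads(list_policies_json)["Policies"]:
        value = aws_managed_value(policy["Arn"])
        if lookup.get(policy["PolicyName"], value) != value:
            # Same bare name under two paths would be ambiguous: refuse rather than guess.
            raise ValueError(f"ambiguous policy name: {policy['PolicyName']}")
        lookup[policy["PolicyName"]] = value
    return lookup


def resolve(name_or_arn, lookup):
    """Accept a bare name, an already path-qualified name, or a full ARN."""
    if name_or_arn.startswith("arn:"):
        return aws_managed_value(name_or_arn)
    if name_or_arn in lookup:
        return lookup[name_or_arn]
    if name_or_arn in lookup.values():
        return name_or_arn
    raise KeyError(f"unknown AWS managed policy: {name_or_arn}")


def render_policies_block(names, lookup, indent="  "):
    """Emit the policies: block for a roleSets entry with resolved awsManaged values."""
    lines = [f"{indent}policies:", f"{indent}  awsManaged:"]
    lines += [f"{indent}    - {resolve(n, lookup)}" for n in names]
    return "\n".join(lines)
```

Against a real account, feed the script the JSON from `aws iam list-policies --scope AWS` instead of the constructed sample.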