yuvipanda / aws-codecommit-secret

Terraform code to set up secure secrets storage with codecommit+kms
Apache License 2.0

Mete out access with IAM group allowed to assume role #1

Open super-cob opened 4 years ago

super-cob commented 4 years ago

This follows the AWS best practice https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

    Instead of defining permissions for individual IAM users, create groups and define the relevant permissions for each group as per the job function, and then associate IAM users to those groups.
    Users in an IAM group inherit the permissions assigned to the group, and a user can belong to multiple groups.
    It is much easier to add new users, remove users, and modify the permissions of a group of users.
yuvipanda commented 4 years ago

I thought this would be as easy as specifying a group as a principal, but no, that isn't actually supported. You have to do something slightly ridiculous like https://stackoverflow.com/questions/34922920/how-can-i-allow-a-group-to-assume-a-role
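The workaround from the linked Stack Overflow thread, written out as an added Terraform example (this is not code from the aws-codecommit-secret repository): the role's trust policy trusts the account itself, and the group carries an identity policy that grants sts:AssumeRole on that one role, so membership in the group is what decides who can assume it. The role name, group name and the MFA condition are assumptions.

```hcl
# Added example, not part of the aws-codecommit-secret repository.
# An IAM group cannot be named as a principal in a role trust policy, so the
# pattern is: (1) the role trusts the account, (2) the group is granted
# sts:AssumeRole on that role. Names below are assumptions.

data "aws_caller_identity" "current" {}

# Trust policy: principals in this account may assume the role, but only if
# their own identity policy also allows sts:AssumeRole on it (IAM evaluates
# both sides when the trusted principal is the account root). The MFA
# condition is an added hardening assumption, not something the thread asks for.
data "aws_iam_policy_document" "secret_readers_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

resource "aws_iam_role" "secret_readers" {
  name               = "codecommit-secret-readers" # assumed name
  assume_role_policy = data.aws_iam_policy_document.secret_readers_trust.json
}

# The group: users are added here instead of being granted permissions one by one.
resource "aws_iam_group" "secret_readers" {
  name = "codecommit-secret-readers" # assumed name
}

# Identity policy on the group: its only permission is assuming the role above,
# so the CodeCommit/KMS permissions stay on the role, not on individual users.
data "aws_iam_policy_document" "secret_readers_assume" {
  statement {
    actions   = ["sts:AssumeRole"]
    resources = [aws_iam_role.secret_readers.arn]
  }
}

resource "aws_iam_group_policy" "secret_readers_assume" {
  name   = "assume-codecommit-secret-readers"
  group  = aws_iam_group.secret_readers.name
  policy = data.aws_iam_policy_document.secret_readers_assume.json
}
```

Removing a user from the group is enough to revoke their ability to assume the role, which is the access-management property the issue asks for.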