How to limit the permissions AWS IAM RoleA can grant to a role (Role B) it createsHow can I give an AWS IAM user permissions to manage his own security credentials?Is it possible to restrict AWS users/accounts to a specific region?directorylevel permission through amazon IAMHow can I chain AWS IAM AssumeRole API calls?How to get full access to add services in AWS consoleIAM role switching on an EC2 host without using “source_profile”How can I deploy a large application to Lambda using Serverless, bypassing or not reacking CloudFormation resource limitAllow other AWS services to invoke Lambda using IAMWhy does AWS Lambda need to pass ecsTaskExecutionRole to ECS taskShare IAM Policy across accounts in Organizations
How to get the IP of a user who executed a command?
Electric kick drum pedal starts oscillating in such a way that it does not register hits
How to select certain lines (n, n+4, n+8, n+12...) from the file?
Watching the game, having a puzzle
Is there any evidence to support the claim that the United States was "suckered into WW1" by Zionists, made by Benjamin Freedman in his 1961 speech
Which other programming languages apart from Python and predecessor are out there using indentation to define code blocks?
Why do unstable nuclei form?
Pre-1993 comic in which Wolverine's claws were turned to rubber?
The concept of information structure in incomplete information games
How do I compare the result of "1d20+x, with advantage" to "1d20+y, without advantage", assuming x < y?
Why use steam instead of just hot air?
Is it a good idea to copy a trader when investing?
Succinct and gender-neutral Russian word for "writer"
How are one-time password generators like Google Authenticator different from having two passwords?
Why does it take longer to fly from London to Xi'an than to Beijing
Is it nonsense to say B > [A > B]?
How to make a language evolve quickly?
What do "KAL." and "A.S." stand for in this inscription?
Why are parallelograms defined as quadrilaterals? What term would encompass polygons with greater than two parallel pairs?
Company stopped paying my salary. What are my options?
is it permitted to swallow spit on a fast day?
Why do Thanos' punches not kill Captain America or at least cause vital wounds?
Renting a house to a graduate student in my department
Why did Captain America age?
How to limit the permissions AWS IAM RoleA can grant to a role (Role B) it creates
How can I give an AWS IAM user permissions to manage his own security credentials?Is it possible to restrict AWS users/accounts to a specific region?directorylevel permission through amazon IAMHow can I chain AWS IAM AssumeRole API calls?How to get full access to add services in AWS consoleIAM role switching on an EC2 host without using “source_profile”How can I deploy a large application to Lambda using Serverless, bypassing or not reacking CloudFormation resource limitAllow other AWS services to invoke Lambda using IAMWhy does AWS Lambda need to pass ecsTaskExecutionRole to ECS taskShare IAM Policy across accounts in Organizations
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
In order to allow my developers to use the Serverless Framework to deploy new AWS Lambda functions, they have to be able to create roles. I'd like to give them permissions to create roles that can only do a limited number of things. For example s3:, dynamodb:, cloudfront:Update*
But I don't want them (RoleA) to be able to create roles (RoleB) that can do anything with EC2, IAM, etc. How might you limit this permission?
amazon-web-services permissions amazon-iam
asked Apr 30 at 17:45
Bruno BronoskyBruno Bronosky
3,78121627
add a comment |
In order to allow my developers to use the Serverless Framework to deploy new AWS Lambda functions, they have to be able to create roles. I'd like to give them permissions to create roles that can only do a limited number of things. For example s3:, dynamodb:, cloudfront:Update*
But I don't want them (RoleA) to be able to create roles (RoleB) that can do anything with EC2, IAM, etc. How might you limit this permission?
amazon-web-services permissions amazon-iam
asked Apr 30 at 17:45
Bruno BronoskyBruno Bronosky
3,78121627
add a comment |
In order to allow my developers to use the Serverless Framework to deploy new AWS Lambda functions, they have to be able to create roles. I'd like to give them permissions to create roles that can only do a limited number of things. For example s3:, dynamodb:, cloudfront:Update*
But I don't want them (RoleA) to be able to create roles (RoleB) that can do anything with EC2, IAM, etc. How might you limit this permission?
amazon-web-services permissions amazon-iam
asked Apr 30 at 17:45
Bruno BronoskyBruno Bronosky
3,78121627
In order to allow my developers to use the Serverless Framework to deploy new AWS Lambda functions, they have to be able to create roles. I'd like to give them permissions to create roles that can only do a limited number of things. For example s3:, dynamodb:, cloudfront:Update*
But I don't want them (RoleA) to be able to create roles (RoleB) that can do anything with EC2, IAM, etc. How might you limit this permission?
amazon-web-services permissions amazon-iam
amazon-web-services permissions amazon-iam
asked Apr 30 at 17:45
Bruno BronoskyBruno Bronosky
3,78121627
asked Apr 30 at 17:45
Bruno BronoskyBruno Bronosky
3,78121627
asked Apr 30 at 17:45
Bruno BronoskyBruno Bronosky
3,78121627
asked Apr 30 at 17:45
Bruno BronoskyBruno Bronosky
3,78121627
asked Apr 30 at 17:45
Bruno BronoskyBruno Bronosky
3,78121627
3,78121627
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
I also had the same problem; the only solution I found was to create the role to be used with Lambdas before they actually made the deployment, and provide them the Role ARN to be passed to Serverless for the Lambda deployment.
In this way, they always used the same role(s) I gave them, and on the roles I attached custom policies with only the required permission for the Lambdas to work.
You only need to grant their user permission to list and attach roles if I remember correctly, instead of the CreateRole one.
answered May 3 at 8:34
Lorenz_DRLorenz_DR
263
Thank you for this. This is the kind of solution I was going for but didn't know how to implement. I considered creating a single role that all developers would give their Lambdas initially and I would replace the role later with a custom limited one. I would much rather allow them to create a custom role but limit them to attaching a single policy which I would later replace.
– Bruno Bronosky
May 3 at 8:57
Related to your statement "single role that all developers would give their Lambdas", this means having one single role being used from all functions which, depending on the function, may end granting more permissions than needed. The best practice would tell you to create one role for each Lamdba function, or at least differentiate between roles if they need different permissions policy-wise. Eg: if all your Lambdas only need to access one particular S3 bucket, then it may make sense to have only one role and one policy, otherwise it would go against the Least Privileged Access guideline
– Lorenz_DR
2 days ago
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f965306%2fhow-to-limit-the-permissions-aws-iam-rolea-can-grant-to-a-role-role-b-it-creat%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
I also had the same problem; the only solution I found was to create the role to be used with Lambdas before they actually made the deployment, and provide them the Role ARN to be passed to Serverless for the Lambda deployment.
In this way, they always used the same role(s) I gave them, and on the roles I attached custom policies with only the required permission for the Lambdas to work.
You only need to grant their user permission to list and attach roles if I remember correctly, instead of the CreateRole one.
answered May 3 at 8:34
Lorenz_DRLorenz_DR
263
Thank you for this. This is the kind of solution I was going for but didn't know how to implement. I considered creating a single role that all developers would give their Lambdas initially and I would replace the role later with a custom limited one. I would much rather allow them to create a custom role but limit them to attaching a single policy which I would later replace.
– Bruno Bronosky
May 3 at 8:57
Related to your statement "single role that all developers would give their Lambdas", this means having one single role being used from all functions which, depending on the function, may end granting more permissions than needed. The best practice would tell you to create one role for each Lamdba function, or at least differentiate between roles if they need different permissions policy-wise. Eg: if all your Lambdas only need to access one particular S3 bucket, then it may make sense to have only one role and one policy, otherwise it would go against the Least Privileged Access guideline
– Lorenz_DR
2 days ago
add a comment |
I also had the same problem; the only solution I found was to create the role to be used with Lambdas before they actually made the deployment, and provide them the Role ARN to be passed to Serverless for the Lambda deployment.
In this way, they always used the same role(s) I gave them, and on the roles I attached custom policies with only the required permission for the Lambdas to work.
You only need to grant their user permission to list and attach roles if I remember correctly, instead of the CreateRole one.
answered May 3 at 8:34
Lorenz_DRLorenz_DR
263
Thank you for this. This is the kind of solution I was going for but didn't know how to implement. I considered creating a single role that all developers would give their Lambdas initially and I would replace the role later with a custom limited one. I would much rather allow them to create a custom role but limit them to attaching a single policy which I would later replace.
– Bruno Bronosky
May 3 at 8:57
Related to your statement "single role that all developers would give their Lambdas", this means having one single role being used from all functions which, depending on the function, may end granting more permissions than needed. The best practice would tell you to create one role for each Lamdba function, or at least differentiate between roles if they need different permissions policy-wise. Eg: if all your Lambdas only need to access one particular S3 bucket, then it may make sense to have only one role and one policy, otherwise it would go against the Least Privileged Access guideline
– Lorenz_DR
2 days ago
add a comment |
I also had the same problem; the only solution I found was to create the role to be used with Lambdas before they actually made the deployment, and provide them the Role ARN to be passed to Serverless for the Lambda deployment.
In this way, they always used the same role(s) I gave them, and on the roles I attached custom policies with only the required permission for the Lambdas to work.
You only need to grant their user permission to list and attach roles if I remember correctly, instead of the CreateRole one.
answered May 3 at 8:34
Lorenz_DRLorenz_DR
263
I also had the same problem; the only solution I found was to create the role to be used with Lambdas before they actually made the deployment, and provide them the Role ARN to be passed to Serverless for the Lambda deployment.
In this way, they always used the same role(s) I gave them, and on the roles I attached custom policies with only the required permission for the Lambdas to work.
You only need to grant their user permission to list and attach roles if I remember correctly, instead of the CreateRole one.
answered May 3 at 8:34
Lorenz_DRLorenz_DR
263
answered May 3 at 8:34
Lorenz_DRLorenz_DR
263
answered May 3 at 8:34
Lorenz_DRLorenz_DR
263
answered May 3 at 8:34
Lorenz_DRLorenz_DR
263
263
Thank you for this. This is the kind of solution I was going for but didn't know how to implement. I considered creating a single role that all developers would give their Lambdas initially and I would replace the role later with a custom limited one. I would much rather allow them to create a custom role but limit them to attaching a single policy which I would later replace.
– Bruno Bronosky
May 3 at 8:57
Related to your statement "single role that all developers would give their Lambdas", this means having one single role being used from all functions which, depending on the function, may end granting more permissions than needed. The best practice would tell you to create one role for each Lamdba function, or at least differentiate between roles if they need different permissions policy-wise. Eg: if all your Lambdas only need to access one particular S3 bucket, then it may make sense to have only one role and one policy, otherwise it would go against the Least Privileged Access guideline
– Lorenz_DR
2 days ago
add a comment |
Thank you for this. This is the kind of solution I was going for but didn't know how to implement. I considered creating a single role that all developers would give their Lambdas initially and I would replace the role later with a custom limited one. I would much rather allow them to create a custom role but limit them to attaching a single policy which I would later replace.
– Bruno Bronosky
May 3 at 8:57
Related to your statement "single role that all developers would give their Lambdas", this means having one single role being used from all functions which, depending on the function, may end granting more permissions than needed. The best practice would tell you to create one role for each Lamdba function, or at least differentiate between roles if they need different permissions policy-wise. Eg: if all your Lambdas only need to access one particular S3 bucket, then it may make sense to have only one role and one policy, otherwise it would go against the Least Privileged Access guideline
– Lorenz_DR
2 days ago
Thank you for this. This is the kind of solution I was going for but didn't know how to implement. I considered creating a single role that all developers would give their Lambdas initially and I would replace the role later with a custom limited one. I would much rather allow them to create a custom role but limit them to attaching a single policy which I would later replace.
– Bruno Bronosky
May 3 at 8:57
Thank you for this. This is the kind of solution I was going for but didn't know how to implement. I considered creating a single role that all developers would give their Lambdas initially and I would replace the role later with a custom limited one. I would much rather allow them to create a custom role but limit them to attaching a single policy which I would later replace.
– Bruno Bronosky
May 3 at 8:57
Related to your statement "single role that all developers would give their Lambdas", this means having one single role being used from all functions which, depending on the function, may end granting more permissions than needed. The best practice would tell you to create one role for each Lamdba function, or at least differentiate between roles if they need different permissions policy-wise. Eg: if all your Lambdas only need to access one particular S3 bucket, then it may make sense to have only one role and one policy, otherwise it would go against the Least Privileged Access guideline
– Lorenz_DR
2 days ago
Related to your statement "single role that all developers would give their Lambdas", this means having one single role being used from all functions which, depending on the function, may end granting more permissions than needed. The best practice would tell you to create one role for each Lamdba function, or at least differentiate between roles if they need different permissions policy-wise. Eg: if all your Lambdas only need to access one particular S3 bucket, then it may make sense to have only one role and one policy, otherwise it would go against the Least Privileged Access guideline
– Lorenz_DR
2 days ago
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f965306%2fhow-to-limit-the-permissions-aws-iam-rolea-can-grant-to-a-role-role-b-it-creat%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
