Create Policy and Role in AWS IAM
AWS IAM stands for Identity and Access Management. It lets us attach fine-grained permissions to AWS resources and users. Using IAM, we can provision and control access to and usage of AWS resources. Attaching ‘roles’ to other AWS services and users is one of the ways to achieve this.
Let’s see the steps for creating a role that gives Lambda administrator-level access to DynamoDB.
1. Search for ‘IAM’ in services and click ‘IAM’ in the search results. The AWS IAM dashboard will open.
2. Click on ‘Roles’ on the left side. A list of existing roles will appear. Click on the ‘Create role’ button. A role creation wizard will appear.
3. Step 1: Specify the entity to which the role will be assigned (like AWS Service/AWS Account/Web Identity). Let us choose ‘AWS Service’ as ‘Trusted Entity’ and ‘Lambda’ as ‘use case’. Click on ‘Next’.
4. Step 2: Now, a policy needs to be created. It can be done manually or can be chosen from a list of pre-existing policies. Let’s start with one of the pre-existing policies.
Here, we wish to access DynamoDB (via Lambda functions). Search for ‘DynamoDB’ and choose ‘AmazonDynamoDBFullAccess’ policy. Click on ‘Next’.
5. Step 3: Assign a name to the role and click on the ‘Create role’ button.
6. The new role with the name ‘medium-demo-role’ will get created and will appear in the Roles list.
Create a Policy in AWS IAM
1. Click on ‘Policies’ on the right side of the IAM Dashboard. A list of pre-existing and manually created policies will appear.
2. Click on the ‘Create Policy’ button. The Create Policy wizard will appear.
3. Step 1: Select a service. Here, we will search and choose DynamoDB.
4. Step 2: Select the actions you want to permit in this policy (GetItem, Query, Scan, UpdateItem, DeleteItem, etc).
5. Step 3: Select the AWS Resource we want to access by this policy. It can either be any specific resource like tables of DynamoDB or could be all AWS resources. Here we’ll go with the DynamoDB tables.
6. Step 4: (optional) Lastly, you can specify conditions on the request origin. MFA (Multi-Factor Authentication) can be made compulsory for this policy, or a source IP can be specified.
Permissions for more services can easily be appended to the policy. Click on ‘Add additional permissions’ and repeat the above steps to add permissions for other services.
After configuring permissions for all the required services, click on ‘Next: Tags’.
7. (optional) Specify the tags for this policy.
8. Give a name to this policy (‘medium-demo-policy’) and click on the ‘Create Policy’ button.
The newly created policy ‘medium-demo-policy’ will appear in the Policies list.
This policy can now be assigned to IAM roles and resources. Visit the page to understand IAM policies in detail.
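The two documents the wizards produce, as an added example (not from the original post): the trust policy that step 1 of the role wizard creates for Lambda, a table-scoped permission policy built from the action, resource and condition choices of the policy wizard, and a small review check that flags the service-wide wildcard grants a ‘FullAccess’-style policy carries. The table ARN and IP range are constructed placeholders.

```python
import json

IAM_POLICY_VERSION = "2012-10-17"

def lambda_trust_policy():
    # Trust policy produced by choosing 'AWS Service' / 'Lambda' in step 1 of the role wizard:
    # it only lets the Lambda service assume the role; permissions come from attached policies.
    return {"Version": IAM_POLICY_VERSION,
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "lambda.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]}

def dynamodb_table_policy(table_arns, actions, source_ips=None, require_mfa=False):
    # Permission policy from the policy wizard: chosen DynamoDB actions (step 2) on specific
    # tables (step 3), plus the optional step-4 conditions (MFA present, source IP range).
    statement = {"Sid": "DynamoDbTableAccess", "Effect": "Allow",
                 "Action": sorted(f"dynamodb:{a}" for a in actions),
                 "Resource": list(table_arns)}
    condition = {}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if source_ips:
        condition["IpAddress"] = {"aws:SourceIp": list(source_ips)}
    if condition:
        statement["Condition"] = condition
    return {"Version": IAM_POLICY_VERSION, "Statement": [statement]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def policy_findings(policy):
    # Review check: report Allow statements that grant every action of a service or apply
    # to every resource, which the table-scoped policy above deliberately avoids.
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"{sid}: applies to all resources (*)")
    return findings

if __name__ == "__main__":
    table = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"  # constructed ARN
    scoped = dynamodb_table_policy([table], ["GetItem", "Query", "UpdateItem"], source_ips=["203.0.113.0/24"])
    print(json.dumps(scoped, indent=2), policy_findings(scoped))
```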