タダです.
IAM Identity Center(旧 AWS SSO)でカスタムポリシーを Terraform で設定したので備忘録でこの記事にまとめます.
Terraform のコード
読み取り権限として ViewOnlyAccess
ポリシーがサービス的に用意されているのですが,このポリシーに追加したいと思い,いじってみました.そのコードが下記のものになります.aws_iam_policy_document
で指定している source_policy_documents
がベースは ViewOnlyAccess
にしつつ追加のポリシーを生成している部分です.
# IAM Identity Center (formerly AWS SSO) instance of the current account/region.
# Its ARN is required by every permission-set resource below.
data "aws_ssoadmin_instances" "private" {}

# AWS-managed ViewOnlyAccess job-function policy, used as the base document.
data "aws_iam_policy" "viewonly" {
  arn = "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
}

# Base document (ViewOnlyAccess) plus one additional statement.
# The managed policy text is copied into the inline policy at apply time, so
# later AWS updates to ViewOnlyAccess are only picked up on the next apply.
data "aws_iam_policy_document" "viewonly_custom_policy" {
  source_policy_documents = [data.aws_iam_policy.viewonly.policy]

  # NOTE(review): "s3:Get*" on "*" allows reading object contents in every
  # bucket of the target account, which goes beyond the list-only S3 access
  # (s3:ListAllMyBuckets / s3:ListBucket) that ViewOnlyAccess itself grants.
  # Narrow `resources` to the buckets that need it if that is not intended.
  statement {
    actions   = ["s3:Get*", "s3:List*"]
    resources = ["*"]
  }
}

locals {
  # Exactly one Identity Center instance is expected; resolve its ARN once and
  # reuse it in both permission-set resources.
  sso_instance_arn = tolist(data.aws_ssoadmin_instances.private.arns)[0]
}

# Permission set "private" with a one-hour session.
resource "aws_ssoadmin_permission_set" "private" {
  instance_arn     = local.sso_instance_arn
  name             = "private"
  session_duration = "PT1H"
}

# Attach the generated document as the permission set's inline policy.
resource "aws_ssoadmin_permission_set_inline_policy" "custom_policy" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.private.arn
  inline_policy      = data.aws_iam_policy_document.viewonly_custom_policy.json
}
参考ドキュメント
registry.terraform.io registry.terraform.io
生成されたポリシー
terraform apply
を実行したときのポリシーです.前半のセクションが ViewOnlyAccess
のポリシーで後半が aws_iam_policy_document
で指定したものです.期待通り追加のポリシーを追加できました.このポリシーをアカウント指定してプロビジョニングすれば設定が反映されます.
{ "Statement": [ { "Action": [ "acm:ListCertificates", "athena:List*", "autoscaling:Describe*", "aws-marketplace:ViewSubscriptions", "batch:ListJobs", "clouddirectory:ListAppliedSchemaArns", "clouddirectory:ListDevelopmentSchemaArns", "clouddirectory:ListDirectories", "clouddirectory:ListPublishedSchemaArns", "cloudformation:DescribeStacks", "cloudformation:List*", "cloudfront:List*", "cloudhsm:ListAvailableZones", "cloudhsm:ListHapgs", "cloudhsm:ListHsms", "cloudhsm:ListLunaClients", "cloudsearch:DescribeDomains", "cloudsearch:List*", "cloudtrail:DescribeTrails", "cloudtrail:LookupEvents", "cloudwatch:Get*", "cloudwatch:List*", "codebuild:ListBuilds*", "codebuild:ListProjects", "codecommit:List*", "codedeploy:Get*", "codedeploy:List*", "codepipeline:ListPipelines", "codestar:List*", "cognito-identity:ListIdentities", "cognito-identity:ListIdentityPools", "cognito-idp:List*", "cognito-sync:ListDatasets", "config:Describe*", "config:List*", "connect:List*", "comprehend:Describe*", "comprehend:List*", "datapipeline:DescribePipelines", "datapipeline:GetAccountLimits", "datapipeline:ListPipelines", "dax:DescribeClusters", "dax:DescribeDefaultParameters", "dax:DescribeEvents", "dax:DescribeParameterGroups", "dax:DescribeParameters", "dax:DescribeSubnetGroups", "dax:ListTags", "devicefarm:List*", "directconnect:Describe*", "discovery:List*", "dms:List*", "ds:DescribeDirectories", "dynamodb:DescribeBackup", "dynamodb:DescribeContinuousBackups", "dynamodb:DescribeGlobalTable", "dynamodb:DescribeGlobalTableSettings", "dynamodb:DescribeLimits", "dynamodb:DescribeReservedCapacity", "dynamodb:DescribeReservedCapacityOfferings", "dynamodb:DescribeStream", "dynamodb:DescribeTable", "dynamodb:DescribeTimeToLive", "dynamodb:ListBackups", "dynamodb:ListGlobalTables", "dynamodb:ListStreams", "dynamodb:ListTables", "dynamodb:ListTagsOfResource", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeAvailabilityZones", "ec2:DescribeBundleTasks", 
"ec2:DescribeCarrierGateways", "ec2:DescribeClassicLinkInstances", "ec2:DescribeConversionTasks", "ec2:DescribeCustomerGateways", "ec2:DescribeDhcpOptions", "ec2:DescribeExportTasks", "ec2:DescribeFlowLogs", "ec2:DescribeHost*", "ec2:DescribeIdFormat", "ec2:DescribeIdentityIdFormat", "ec2:DescribeImage*", "ec2:DescribeImport*", "ec2:DescribeInstance*", "ec2:DescribeInternetGateways", "ec2:DescribeKeyPairs", "ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations", "ec2:DescribeLocalGatewayRouteTableVpcAssociations", "ec2:DescribeLocalGatewayRouteTables", "ec2:DescribeLocalGatewayVirtualInterfaceGroups", "ec2:DescribeLocalGatewayVirtualInterfaces", "ec2:DescribeLocalGateways", "ec2:DescribeMovingAddresses", "ec2:DescribeNatGateways", "ec2:DescribeNetwork*", "ec2:DescribePlacementGroups", "ec2:DescribePrefixLists", "ec2:DescribeRegions", "ec2:DescribeReserved*", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshot*", "ec2:DescribeSpot*", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolume*", "ec2:DescribeVpc*", "ec2:DescribeVpnGateways", "ec2:SearchLocalGatewayRoutes", "ecr:DescribeRepositories", "ecr:ListImages", "ecs:Describe*", "ecs:List*", "elastic-inference:DescribeAccelerators", "elastic-inference:DescribeAcceleratorTypes", "elastic-inference:DescribeAcceleratorOfferings", "elastic-inference:ListTagsForResource", "elasticache:Describe*", "elasticbeanstalk:DescribeApplicationVersions", "elasticbeanstalk:DescribeApplications", "elasticbeanstalk:DescribeEnvironments", "elasticbeanstalk:ListAvailableSolutionStacks", "elasticfilesystem:DescribeFileSystems", "elasticloadbalancing:DescribeInstanceHealth", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", "elasticmapreduce:List*", "elastictranscoder:List*", "es:DescribeElasticsearchDomain", "es:DescribeElasticsearchDomains", 
"es:ListDomainNames", "events:ListRuleNamesByTarget", "events:ListRules", "events:ListTargetsByRule", "firehose:DescribeDeliveryStream", "firehose:List*", "fsx:DescribeFileSystems", "gamelift:List*", "glacier:List*", "greengrass:List*", "iam:GetAccountSummary", "iam:GetLoginProfile", "iam:List*", "importexport:ListJobs", "inspector:List*", "iot:List*", "kinesis:ListStreams", "kinesisanalytics:ListApplications", "kms:ListKeys", "lambda:List*", "lex:GetBotAliases", "lex:GetBotChannelAssociations", "lex:GetBotVersions", "lex:GetBots", "lex:GetIntentVersions", "lex:GetIntents", "lex:GetSlotTypeVersions", "lex:GetSlotTypes", "lex:GetUtterancesView", "lightsail:GetBlueprints", "lightsail:GetBundles", "lightsail:GetInstanceSnapshots", "lightsail:GetInstances", "lightsail:GetKeyPair", "lightsail:GetRegions", "lightsail:GetStaticIps", "lightsail:IsVpcPeered", "logs:Describe*", "lookoutvision:ListModelPackagingJobs", "lookoutvision:ListModels", "lookoutvision:ListProjects", "machinelearning:Describe*", "mediaconnect:ListEntitlements", "mediaconnect:ListFlows", "mediaconnect:ListOfferings", "mediaconnect:ListReservations", "mobilehub:ListAvailableFeatures", "mobilehub:ListAvailableRegions", "mobilehub:ListProjects", "mobiletargeting:GetApplicationSettings", "mobiletargeting:GetCampaigns", "mobiletargeting:GetImportJobs", "mobiletargeting:GetSegments", "opsworks-cm:Describe*", "opsworks:Describe*", "organizations:List*", "outposts:GetOutpost", "outposts:GetOutpostInstanceTypes", "outposts:ListOutposts", "outposts:ListSites", "outposts:ListTagsForResource", "polly:Describe*", "polly:List*", "rds:Describe*", "redshift:DescribeClusters", "redshift:DescribeEvents", "redshift:ViewQueriesInConsole", "route53:Get*", "route53:List*", "route53domains:List*", "route53resolver:Get*", "route53resolver:List*", "s3:ListAllMyBuckets", "s3:ListBucket", "sagemaker:Describe*", "sagemaker:List*", "sdb:List*", "servicecatalog:List*", "ses:List*", "shield:List*", "sns:List*", "sqs:ListQueues", 
"ssm:ListAssociations", "ssm:ListDocuments", "states:ListActivities", "states:ListStateMachines", "storagegateway:ListGateways", "storagegateway:ListLocalDisks", "storagegateway:ListVolumeRecoveryPoints", "storagegateway:ListVolumes", "swf:List*", "trustedadvisor:Describe*", "waf-regional:List*", "waf:List*", "wafv2:List*", "workdocs:DescribeAvailableDirectories", "workdocs:DescribeInstances", "workmail:Describe*", "workspaces:Describe*" ], "Effect": "Allow", "Resource": "*", "Sid": "" }, { "Action": [ "s3:List*", "s3:Get*" ], "Effect": "Allow", "Resource": "*", "Sid": "" } ], "Version": "2012-10-17" }
まとめ
今回 IAM Identity Center で権限を追加したときの対応をまとめました.個人的に source_policy_documents
オプションがすごく便利だなと感じた体験でした.