This repository has been archived by the owner on Nov 7, 2019. It is now read-only.

Create IAM Policy Resource #58

Open
christopherhein opened this issue Sep 29, 2018 · 3 comments
Labels
needs help Needs help from a contributor new-resource All new resource requests operator/iampolicy IAM Policy operator package

Comments

@christopherhein
Contributor

This will allow you to create an IAM Policy that you can reference from an IAM Role, giving you the ability to give out specific permissions to every role.

Long term, when you build a syncing tool, use this to load existing policies in IAM so that they can be referenced via the Roles, OR use the same naming scheme to allow you to use any standard policy name.

apiVersion: operator.aws/v1alpha1
kind: IAMPolicy
metadata:
  name: aws-operator
spec:
  dynamodb:
    list:
    - ListBackups
    - ListGlobalTables
    - ListTables
    read:
    - BatchGetItem
    - DescribeBackup
    - DescribeContinuousBackups
    - DescribeGlobalTable
    - DescribeGlobalTableSettings
    - DescribeLimits
    - DescribeReservedCapacity
    - DescribeReservedCapacityOfferings
    - DescribeStream
    - DescribeTable
    - DescribeTimeToLive
    - GetItem
    - GetRecords
    - GetShardIterator
    - ListStreams
    - ListTagsOfResource
    - Query
    - Scan
    write:
    - BatchWriteItem
    - CreateBackup
    - CreateGlobalTable
    - CreateTable
    - DeleteBackup
    - DeleteItem
    - DeleteTable
    - PurchaseReservedCapacityOfferings
    - PutItem
    - RestoreTableFromBackup
    - RestoreTableToPointInTime
    - TagResource
    - UntagResource
    - UpdateContinuousBackups
    - UpdateGlobalTable
    - UpdateGlobalTableSettings
    - UpdateItem
    - UpdateTable
    - UpdateTimeToLive
    # ...
@christopherhein christopherhein added the operator/iamrole IAM Role operator package label Sep 29, 2018
@christopherhein christopherhein added needs help Needs help from a contributor operator/iampolicy IAM Policy operator package and removed operator/iamrole IAM Role operator package labels Sep 29, 2018
@christopherhein christopherhein added the new-resource All new resource requests label Oct 4, 2018
@sepulworld
Contributor

I'm not sure I understand where you are going with the example provided. Wouldn't it make sense to have 'actions' and 'resources' as spec values?

apiVersion: operator.aws/v1alpha1
kind: IAMPolicy
metadata:
  name: app-foo-dynamodb-access
spec:
  actions:
  - dynamodb:*
  resources:
  - arn:aws:dynamodb:us-east-2:123456789012:table/app-foo-*

@christopherhein
Contributor Author

> I'm not sure I understand where you are going with the example provided. Wouldn't it make sense to have 'actions' and 'resources' as spec values?
>
> apiVersion: operator.aws/v1alpha1
> kind: IAMPolicy
> metadata:
>   name: app-foo-dynamodb-access
> spec:
>   actions:
>   - dynamodb:*
>   resources:
>   - arn:aws:dynamodb:us-east-2:123456789012:table/app-foo-*

Definitely, this will be really useful and I have some ideas around the resources. I'm trying to design a better strategy for referencing resources, similar to how k8s core does with configmaps and secrets. I could imagine this being something like:

- arn: {arn} # or arn with wildcards
  resourceRef: # optional if you'd like to reference a Kubernetes managed AWS Resource
    name: {name}
    namespace: {namespace}
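
One way a controller could turn the actions/resources shape proposed in this thread, including the optional resourceRef, into an IAM policy document, as an added example that is not the operator's own code. The Go types, the Resolver lookup and the fail-closed checks (unresolvable ref, malformed ARN or empty list is an error rather than a fallback to Resource "*") are assumptions for illustration.

```go
package main
import (
	"encoding/json"
	"fmt"
	"strings"
)
// Types mirror the spec shape proposed in the thread (hypothetical, not the operator's own API).
type ResourceRef struct{ Name, Namespace string }
type ResourceSpec struct {
	ARN         string       // literal ARN, wildcards allowed
	ResourceRef *ResourceRef // optional reference to a Kubernetes-managed AWS resource
}
type IAMPolicySpec struct {
	Actions   []string
	Resources []ResourceSpec
}

// Resolver maps namespace/name to the ARN of the object the operator created (hypothetical lookup).
type Resolver func(namespace, name string) (string, bool)
// RenderPolicy turns the spec into an IAM policy document. It fails closed: an unresolvable
// resourceRef, a malformed ARN or an empty action/resource list is an error, never Resource "*".
func RenderPolicy(spec IAMPolicySpec, resolve Resolver) (string, error) {
	if len(spec.Actions) == 0 {
		return "", fmt.Errorf("spec.actions must not be empty")
	}
	var arns []string
	for _, r := range spec.Resources {
		switch {
		case r.ResourceRef != nil:
			arn, ok := resolve(r.ResourceRef.Namespace, r.ResourceRef.Name)
			if !ok {
				return "", fmt.Errorf("resourceRef %s/%s not found", r.ResourceRef.Namespace, r.ResourceRef.Name)
			}
			arns = append(arns, arn)
		case strings.HasPrefix(r.ARN, "arn:"):
			arns = append(arns, r.ARN)
		default:
			return "", fmt.Errorf("resource entry needs an arn or a resourceRef")
		}
	}
	if len(arns) == 0 {
		return "", fmt.Errorf("spec.resources must not be empty")
	}
	doc := map[string]interface{}{
		"Version":   "2012-10-17",
		"Statement": []map[string]interface{}{{"Effect": "Allow", "Action": spec.Actions, "Resource": arns}},
	}
	b, err := json.Marshal(doc)
	return string(b), err
}
```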

@micahlmartin

Wanted to check in and see if any more progress has been made on the design of this. I'm curious how you would address assume role and inline policies.
