Set up AWS role and policy for Yarkon Admin Console

For the Yarkon Admin Console instance to access S3 and other AWS services, it has to be authenticated and authorized. The proper way to handle this for an EC2 instance is to assign a Role to the instance rather than placing long-lived access keys on it: the instance obtains short-lived credentials for the role from the instance metadata service, and they are rotated automatically. The Policy attached to the role defines the permissions granted to the instance, and it should allow only the set of actions the server actually needs.

Create a role

Use the IAM service to create the role.

Note about naming conventions – you can use whichever naming convention you already defined for your organization; in this example we use the naming convention we follow, but it is not a requirement.

From the left sidebar, choose Roles, then click Create Role. For the role type, choose AWS service, and from the list select Data Pipeline as the service that will use this role. Lastly, choose EC2 Role for Data Pipeline as the use case. Continue to the next step, Permissions.

The managed policy that this use case attaches (AmazonEC2RoleforDataPipelineRole) grants broad access to S3 and to several other services that Data Pipeline uses, not only to the buckets Yarkon will manage. It is possible to use more specific (limited) permissions by writing a custom policy scoped to those buckets, but that requires cherry-picking the individual S3 actions. We choose the pre-defined role here for convenience; review its contents in the Permissions step before using it in a production account. Click the Review button to get to the final step.

For the role name, we use yarkons3-console-role. Put some descriptive comment in the “Description” field, and click the Create Role button to complete the process.

Add Policy for AWS Services

In addition to accessing S3, the Yarkon Admin Console application must have access to a few other AWS services. To implement that, we need to create one more policy and attach it to the role. Most of these actions are required only to support the Integrated Security Model, but even if you intend to use the Shared Security Model, it is best to add the policy as-is, in case you want to change models later. For more, see Security Models.

From the left sidebar, choose Policies, then click the “Create Policy” button. In the Create Policy form now displayed, choose the Create Your Own Policy option.

The process will move to the third step, Review Policy. Here you actually create the policy and grant the permissions.

Use the following template to create the policy. Make sure to put your account number in the designated locations, and to use the same name you chose for the role in the role ARN of the second statement. Click the “Create Policy” button when you are done.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "iam:ListRoles",
                "iam:ListUserPolicies",
                "iam:ListAttachedUserPolicies",
                "iam:ListGroupsForUser",
                "iam:ListGroupPolicies",
                "iam:ListAttachedGroupPolicies",
                "iam:ListRolePolicies",
                "iam:ListAttachedRolePolicies",
                "iam:GetUserPolicy",
                "iam:GetGroupPolicy",
                "iam:GetRolePolicy",
                "iam:GetPolicy",
                "iam:GetPolicyVersion"
            ],
            "Resource": "arn:aws:iam::<account-number>:*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::<account-number>:role/yarkons3-console-role"
        }
    ]
}

Policy explained

The following actions are required:

  • iam:ListRoles – Show the administrator a list of roles to choose from.
  • iam:GetPolicy – Used to get a managed policy's metadata, including the id of its default (current) version.
  • iam:GetPolicyVersion – Used to get the policy document of that version.
  • sts:AssumeRole – Required for provisioning the temporary credentials.

These actions are optional, and depend on how you defined your AWS organization security policies:

  • iam:ListUserPolicies – Used to list the names of inline policies at the user level.
  • iam:ListAttachedUserPolicies – Used to list the managed policies attached at the user level.
  • iam:GetUserPolicy – Used to get an inline user policy document.
  • iam:ListGroupsForUser – Used to get the groups a user belongs to.
  • iam:ListGroupPolicies – Used to list the names of inline policies at the group level.
  • iam:ListAttachedGroupPolicies – Used to list the managed policies attached at the group level.
  • iam:GetGroupPolicy – Used to get an inline group policy document.
  • iam:ListRolePolicies – Used to list the names of inline policies at the role level.
  • iam:ListAttachedRolePolicies – Used to list the managed policies attached at the role level.
  • iam:GetRolePolicy – Used to get an inline role policy document.

All of the IAM actions in this policy are read-only, so through it the Yarkon server cannot make any changes to your AWS account. sts:AssumeRole does not modify anything either, but it does mint credentials, which is why its Resource is restricted to the single role named in the policy rather than a wildcard. (Note that the managed policy attached in the previous step is a separate grant and is not read-only.) In case you are unsure which optional actions to add to the server role policy, add them all. None of these actions will ever be available to an end-user; only the server can use them.

Attach the New Policy to the Role

Next we have to attach this newly created policy to the role.

Follow these steps to attach the policy to the role:

  1. From the Roles screen, click on the role just created (in this guide, it is named yarkons3-console-role).
  2. Using the first tab, named Permissions, click the “Attach Policy” button.
  3. The form Attach Policy is displayed. Use the filter to find the policy in the list.
  4. Check the box next to the policy name and click the button “Attach Policy” to confirm.

Establish Trust

To complete the task, we want to “Establish Trust”. A role's trust policy lists the principals that are allowed to assume it; here we allow the EC2 service (so the instance can use the role) and principals in your own account (so other roles can assume this role when obtaining permissions to access AWS resources). Trusting arn:aws:iam::<account-number>:root does not mean only the root user: it means any principal in that account that is itself granted sts:AssumeRole on this role. This second entry is only required for the Integrated Security Model, but it is better to set it up here even if you will not be using that security model.

Follow these steps to establish trust:

  1. From the Roles screen, click on the role just created (in this guide, it is named yarkons3-console-role).
  2. Go to the second tab, named Trust Relationships, and click the “Edit Trust Relationship” button.
  3. The form Edit Trust Relationship is displayed. Use the template below to modify the policy document. Make sure to place your account number in the designated location.
  4. When done, click the “Update Trust Policy” button. This will take you back to the Role Summary form.
  5. Verify that both trusted entities you added (the EC2 service and your account) are listed in the Role Summary.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account-number>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
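The whole procedure above (role, permissions policy, attachment and trust policy) can also be scripted instead of clicked through, and doing so makes it easy to lint the documents before they reach IAM. The following is an added example written for this guide, not Yarkon's own tooling: it builds the two policy documents from this page as Python dicts, checks them against the stated intent (every IAM action read-only, sts:AssumeRole restricted to one named role, no principal from outside your account in the trust policy) and, only when asked, applies them with boto3. The role name follows the guide; the custom policy name, the managed policy ARN for the Data Pipeline use case and the sample account id 123456789012 are assumptions.

```python
"""Build, lint and optionally apply the Yarkon Admin Console role from this guide.
Added example, not Yarkon's own tooling; see the assumptions marked below."""
import json
import re
import sys

ROLE_NAME = "yarkons3-console-role"            # name used throughout the guide
POLICY_NAME = "yarkons3-console-aws-services"  # assumed name for the custom policy
EC2_SERVICE = "ec2.amazonaws.com"
# Managed policy the console attaches for the "EC2 Role for Data Pipeline" use case.
# Assumed ARN: confirm it in the IAM console before relying on it.
DATAPIPELINE_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforDataPipelineRole"

# The three required actions first, then the optional ones the guide lists.
IAM_READ_ACTIONS = [
    "iam:ListRoles", "iam:GetPolicy", "iam:GetPolicyVersion",
    "iam:ListUserPolicies", "iam:ListAttachedUserPolicies", "iam:GetUserPolicy",
    "iam:ListGroupsForUser", "iam:ListGroupPolicies", "iam:ListAttachedGroupPolicies",
    "iam:GetGroupPolicy", "iam:ListRolePolicies", "iam:ListAttachedRolePolicies",
    "iam:GetRolePolicy",
]


def validate_account_id(account_id):
    """AWS account ids are exactly 12 digits; catch a pasted <account-number> early."""
    if not re.fullmatch(r"[0-9]{12}", account_id):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return account_id


def build_permissions_policy(account_id, role_name=ROLE_NAME):
    """The 'Add Policy for AWS Services' document with the account id filled in."""
    account_id = validate_account_id(account_id)
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadIamPolicies", "Effect": "Allow", "Action": list(IAM_READ_ACTIONS),
         "Resource": f"arn:aws:iam::{account_id}:*"},
        {"Sid": "AssumeConsoleRole", "Effect": "Allow", "Action": ["sts:AssumeRole"],
         "Resource": f"arn:aws:iam::{account_id}:role/{role_name}"},
    ]}


def build_trust_policy(account_id):
    """The 'Establish Trust' document: EC2 may assume the role, and so may any
    principal in this account that is itself allowed sts:AssumeRole on it."""
    account_id = validate_account_id(account_id)
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "TrustEc2", "Effect": "Allow",
         "Principal": {"Service": EC2_SERVICE}, "Action": "sts:AssumeRole"},
        {"Sid": "TrustThisAccount", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"}, "Action": "sts:AssumeRole"},
    ]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_permissions_policy(policy):
    """Findings that contradict the guide's intent: every IAM action must be a
    List/Get (read-only) call, and sts:AssumeRole must name exactly one role."""
    findings = []
    for stmt in policy["Statement"]:
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        for action in actions:
            if action.startswith("iam:") and not action.startswith(("iam:List", "iam:Get")):
                findings.append(f"{stmt['Sid']}: {action} is not read-only")
            if action == "sts:AssumeRole":
                for res in resources:
                    if not re.fullmatch(r"arn:aws:iam::[0-9]{12}:role/[^*?]+", res):
                        findings.append(f"{stmt['Sid']}: sts:AssumeRole on {res!r} is not one role")
    return findings


def lint_trust_policy(policy, account_id):
    """Findings for a trust policy that admits anything other than the EC2 service
    or principals of the given account (for example '*' or another account)."""
    findings = []
    own_prefix = f"arn:aws:iam::{validate_account_id(account_id)}:"
    for stmt in policy["Statement"]:
        principal = stmt["Principal"]
        if principal == "*":
            findings.append(f"{stmt['Sid']}: anonymous principal")
            continue
        for svc in _as_list(principal.get("Service", [])):
            if svc != EC2_SERVICE:
                findings.append(f"{stmt['Sid']}: unexpected service principal {svc}")
        for arn in _as_list(principal.get("AWS", [])):
            if not arn.startswith(own_prefix):
                findings.append(f"{stmt['Sid']}: principal {arn} is outside account {account_id}")
    return findings


def apply(account_id):
    """Create the role with its trust policy, attach both policies, and wrap the role
    in an instance profile (the console does that implicitly for EC2 roles).
    Needs IAM write credentials; boto3 is imported here so the rest runs without it."""
    import boto3
    iam = boto3.client("iam")
    iam.create_role(RoleName=ROLE_NAME, Description="Yarkon Admin Console instance role",
                    AssumeRolePolicyDocument=json.dumps(build_trust_policy(account_id)))
    iam.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=DATAPIPELINE_POLICY_ARN)
    created = iam.create_policy(PolicyName=POLICY_NAME,
                                PolicyDocument=json.dumps(build_permissions_policy(account_id)))
    iam.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=created["Policy"]["Arn"])
    iam.create_instance_profile(InstanceProfileName=ROLE_NAME)
    iam.add_role_to_instance_profile(InstanceProfileName=ROLE_NAME, RoleName=ROLE_NAME)


if __name__ == "__main__":
    account = sys.argv[1] if len(sys.argv) > 1 else "123456789012"  # constructed sample id
    perms, trust = build_permissions_policy(account), build_trust_policy(account)
    print(json.dumps(perms, indent=2))
    print(json.dumps(trust, indent=2))
    problems = lint_permissions_policy(perms) + lint_trust_policy(trust, account)
    print("lint findings:", problems or "none")
    if "--apply" in sys.argv and not problems:  # only touch IAM when explicitly asked
        apply(account)
```

Run it with your account id to print and lint both documents; add `--apply` to create the role with boto3 (the instance profile it creates is what the EC2 launch wizard actually attaches to the instance). The lint functions are the part worth keeping: run them over any later edit of these policies and a stray `"Resource": "*"` on sts:AssumeRole, an IAM write action, or a `"Principal": {"AWS": "*"}` in the trust policy is caught before it is saved.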

The Role is now complete and ready to be used by a Yarkon Admin Console instance. To see how to launch an instance using it, see Setting Up Yarkon Using an AMI.