Recommended IAM structure to link a machine user to a policy? Running on-prem.
I would like to run a batch job on-prem and access AWS resources in our account.
I think the recommendation is to create an IAM user, which will be a machine user. Since I don't have a way to assign a role to the on-prem machine, or federate with AWS identity, I'll create an access key and install it on the on-prem machine. What's the best way to link my machine user to a policy?
I can create an IAM policy which allows the required actions (reading AWS SSM Parameters).
But, how should I link the machine user to the policy? Some options I'm aware of:
- I can create a role, but then I think the machine user would have to assume the role. (My understanding is that roles do not have immediate "membership", it's just that users have the ability to assume roles. Or, AWS infrastructure can be set up with a role, like an EC2 or an EKS cluster can act as a role. In the future I do plan to move this job's execution to AWS infrastructure, but for now that's not an option.) Is assuming a role easy, for example an aws sts CLI call that I could put in my batch job's startup script before calling the main binary?
- Or I could just attach the policy directly to the machine user. Generally that's not recommended from what I've read: you should have a layer between users and policies so when users change what they're doing you have indirection. But in this case maybe that's fine.
- Or finally I could create a user group, attach the policy to the group, and add the machine user as a member of the group. Is that layer of indirection useful / an appropriate use of groups? Most documentation recommends roles for the user-to-policy indirection, so I'm hesitant to use groups that way. However, that seems to be the expected approach for human users (glad for feedback on that too).
Best practice is to:
- Create a very limited, least privilege IAM Policy with conditions to limit from certain CIDR address(es)
- Create an IAM Group and assign the policy to the group
- Create an IAM User, with access keys, and assign the user to the group
- Rotate the user's access keys on a regular basis
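The four steps above as one AWS CLI script. This is an added example, not code from the original question or answer: the account ID, region, the parameter path /batch/prod, the on-prem CIDR 203.0.113.0/24 and every IAM name are assumptions to adjust for your account. By default the script only renders the policy document; the aws calls run only when APPLY=1 is set, and key rotation is split into "issue new key" and "retire old key" so the job keeps working while the new key is rolled out.

```shell
#!/bin/sh
# Added example (not from the original post): least-privilege IAM user for an
# on-prem batch job that reads SSM parameters. All IDs, names and the CIDR below
# are assumptions; override them via environment variables.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"      # assumed account id
REGION="${REGION:-us-east-1}"                  # assumed region of the parameters
PARAM_PATH="${PARAM_PATH:-/batch/prod}"        # assumed parameter hierarchy
ONPREM_CIDR="${ONPREM_CIDR:-203.0.113.0/24}"   # assumed on-prem egress CIDR
GROUP="${GROUP:-onprem-batch-readers}"
USER_NAME="${USER_NAME:-onprem-batch-job}"
POLICY_NAME="${POLICY_NAME:-OnPremBatchSsmRead}"

# Step 1: the policy. Read-only SSM actions, one parameter path (the path itself
# plus everything under it), and only from the on-prem CIDR via aws:SourceIp.
make_policy_doc() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadBatchParametersFromOnPrem",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath"
      ],
      "Resource": [
        "arn:aws:ssm:${REGION}:${ACCOUNT_ID}:parameter${PARAM_PATH}",
        "arn:aws:ssm:${REGION}:${ACCOUNT_ID}:parameter${PARAM_PATH}/*"
      ],
      "Condition": {
        "IpAddress": { "aws:SourceIp": "${ONPREM_CIDR}" }
      }
    }
  ]
}
EOF
}

# Steps 2 and 3: policy -> group -> user, then the user's first access key.
# The key is printed once; store it in the on-prem secret store, never in git.
create_machine_user() {
  policy_arn="arn:aws:iam::${ACCOUNT_ID}:policy/${POLICY_NAME}"
  aws iam create-policy --policy-name "$POLICY_NAME" \
      --policy-document "$(make_policy_doc)" >/dev/null
  aws iam create-group --group-name "$GROUP" >/dev/null
  aws iam attach-group-policy --group-name "$GROUP" --policy-arn "$policy_arn"
  aws iam create-user --user-name "$USER_NAME" >/dev/null
  aws iam add-user-to-group --group-name "$GROUP" --user-name "$USER_NAME"
  aws iam create-access-key --user-name "$USER_NAME" \
      --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
}

# Step 4, part one: issue the replacement key. IAM allows two active keys per
# user, so the batch host can be switched over without an outage.
issue_new_access_key() {
  aws iam create-access-key --user-name "$USER_NAME" \
      --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
}

# Step 4, part two: once the job has run successfully with the new key,
# deactivate the old one first (reversible), then delete it.
retire_access_key() {
  old_key_id="$1"
  aws iam update-access-key --user-name "$USER_NAME" \
      --access-key-id "$old_key_id" --status Inactive
  aws iam delete-access-key --user-name "$USER_NAME" --access-key-id "$old_key_id"
}

if [ "${APPLY:-0}" = "1" ]; then
  create_machine_user
else
  make_policy_doc   # dry run: show the policy that would be created
fi
```

Two caveats on the condition: aws:SourceIp only sees the public address the request arrives from, so the CIDR must be the on-prem NAT/egress range, and it does not apply to requests that enter through a VPC endpoint (those carry aws:VpcSourceIp instead). If the parameters are SecureString values encrypted with a customer-managed KMS key, the policy also needs kms:Decrypt on that key; the default aws/ssm key does not require it.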