Recommended IAM structure to link a machine user to a policy? Running on-prem.
I would like to run a batch job on-prem and access AWS resources in our account.
I think the recommendation is to create an IAM user, which will be a machine user. Since I don't have a way to assign a role to the on-prem machine, or federate with AWS identity, I'll create an access key and install it on the on-prem machine. What's the best way to link my machine user to a policy?
I can create an IAM policy which allows the required actions (reading AWS SSM Parameters).
But, how should I link the machine user to the policy? Some options I'm aware of:
- I can create a role, but then I think the machine user would have to assume the role. (My understanding is that roles do not have immediate "membership", it's just that users have the ability to assume roles. Or, AWS infrastructure can be set up with a role, like an EC2 or an EKS cluster can act as a role. In the future I do plan to move this job's execution to AWS infrastructure, but for now that's not an option.) Is assuming a role easy, for example an aws sts CLI call that I could put in my batch job's startup script before calling the main binary?
- Or I could just attach the policy directly to the machine user. Generally that's not recommended from what I've read: you should have a layer between users and policies so when users change what they're doing you have indirection. But in this case maybe that's fine.
- Or finally I could create a user group, attach the policy to the group, and add the machine user as a member of the group. Is that layer of indirection useful / an appropriate use of groups? Most documentation recommends roles for the user-to-policy indirection, so I'm hesitant to use groups that way. However, that seems to be the expected approach for human users (glad for feedback on that too).
asked 25 days ago, 9 views
1 Answer
Best practice is to:
- Create a very limited, least privilege IAM Policy with conditions to limit from certain CIDR address(es)
- Create an IAM Group and assign the policy to the group
- Create an IAM User, with access keys, and assign the user to the group
- Rotate the user's access keys on a regular basis
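Worked example of the first and last points above (added here, not part of the answer): a least-privilege policy document that only permits reading SSM parameters under one path and only from the on-prem egress CIDR, plus a check that flags active access keys past a rotation age from an `aws iam list-access-keys` style response. The account id, region, parameter path, CIDR and key metadata are constructed placeholders.

```python
import json
from datetime import datetime, timedelta

# Constructed placeholder values; replace with your own account, region, path and egress CIDR.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
PARAM_PATH = "/batch/onprem/*"            # only parameters under this path are readable
ALLOWED_CIDRS = ["203.0.113.0/24"]        # documentation range standing in for on-prem public IPs


def ssm_read_policy(account_id, region, param_path, allowed_cidrs):
    """Least-privilege policy: SSM parameter reads only, one path only, given source CIDRs only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadBatchParametersFromOnPrem",
            "Effect": "Allow",
            "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
            # Parameter ARNs are arn:aws:ssm:<region>:<account>:parameter/<name>
            "Resource": f"arn:aws:ssm:{region}:{account_id}:parameter{param_path}",
            # Requests from any other source IP are denied even with valid keys.
            "Condition": {"IpAddress": {"aws:SourceIp": allowed_cidrs}},
        }],
    }
    # SecureString parameters under a customer-managed KMS key also need kms:Decrypt on that key.


def policy_json():
    """Policy document as the string passed to `aws iam create-policy --policy-document`."""
    return json.dumps(ssm_read_policy(ACCOUNT_ID, REGION, PARAM_PATH, ALLOWED_CIDRS), indent=2)


def stale_access_keys(list_access_keys_response, now_iso, max_age_days=90):
    """Return ids of Active keys older than max_age_days; input mirrors `aws iam list-access-keys`."""
    now = datetime.fromisoformat(now_iso)
    stale = []
    for meta in list_access_keys_response["AccessKeyMetadata"]:
        created = datetime.fromisoformat(meta["CreateDate"])
        if meta["Status"] == "Active" and now - created > timedelta(days=max_age_days):
            stale.append(meta["AccessKeyId"])
    return stale


# Constructed sample response: one old active key, one recent key, one old but already inactive key.
SAMPLE_KEYS = {"AccessKeyMetadata": [
    {"UserName": "batch-onprem", "AccessKeyId": "AKIAEXAMPLEOLD000001", "Status": "Active",
     "CreateDate": "2024-01-05T09:00:00+00:00"},
    {"UserName": "batch-onprem", "AccessKeyId": "AKIAEXAMPLENEW000002", "Status": "Active",
     "CreateDate": "2024-06-01T09:00:00+00:00"},
    {"UserName": "batch-onprem", "AccessKeyId": "AKIAEXAMPLEOFF000003", "Status": "Inactive",
     "CreateDate": "2023-10-01T09:00:00+00:00"},
]}
```

Attach the policy to the group rather than the user, and run the key-age check on a schedule so the rotation in the last bullet is actually enforced.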