Recommended IAM structure to link a machine user to a policy? Running on-prem.


I would like to run a batch job on-prem and access AWS resources in our account.

I think the recommendation is to create an IAM user, which will be a machine user. Since I don't have a way to assign a role to the on-prem machine, or federate with AWS identity, I'll create an access key and install it on the on-prem machine. What's the best way to link my machine user to a policy?

I can create an IAM policy which allows the required actions (reading AWS SSM Parameters).

But, how should I link the machine user to the policy? Some options I'm aware of:

  • I can create a role, but then I think the machine user would have to assume the role. (My understanding is that roles do not have immediate "membership", it's just that users have the ability to assume roles. Or, AWS infrastructure can be set up with a role, like an EC2 or an EKS cluster can act as a role. In the future I do plan to move this job's execution to AWS infrastructure, but for now that's not an option.) Is assuming a role easy, for example an `aws sts` CLI call that I could put in my batch job's startup script before calling the main binary?
  • Or I could just attach the policy directly to the machine user. Generally that's not recommended from what I've read: you should have a layer between users and policies so when users change what they're doing you have indirection. But in this case maybe that's fine.
  • Or finally I could create a user group, attach the policy to the group, and add the machine user as a member of the group. Is that layer of indirection useful / an appropriate use of groups? Most documentation recommends roles for the user-to-policy indirection, so I'm hesitant to use groups that way. However, that seems to be the expected approach for human users (glad for feedback on that too).
asked 2 years ago · 180 views
1 Answer

Best practice is to:

  1. Create a very limited, least privilege IAM Policy with conditions to limit from certain CIDR address(es)
  2. Create an IAM Group and assign the policy to the group
  3. Create an IAM User, with access keys, and assign the user to the group
  4. Rotate the user's access keys on a regular basis
AWS
answered 2 years ago
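
The four steps in the answer above, written out as AWS CLI calls. This is an added example, not part of the original answer; the account ID, region, parameter path, CIDR range, and the policy, group and user names are constructed placeholders.

```shell
#!/bin/sh
# Constructed placeholders: account ID, region, parameter path, CIDR and all names.
set -eu
ACCOUNT_ID="111122223333"
REGION="us-east-1"
PARAM_PATH="batch-job"          # assumed SSM parameter path prefix
ALLOWED_CIDR="203.0.113.0/24"   # assumed public egress range of the on-prem site
POLICY_NAME="batch-job-ssm-read"
GROUP="batch-job-machines"
USER_NAME="batch-job-onprem"

# Step 1: read-only on one parameter path, allowed only from the listed range.
make_policy() {
cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ReadBatchJobParameters",
    "Effect": "Allow",
    "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
    "Resource": "arn:aws:ssm:${REGION}:${ACCOUNT_ID}:parameter/${PARAM_PATH}/*",
    "Condition": {"IpAddress": {"aws:SourceIp": ["${ALLOWED_CIDR}"]}}
  }]
}
EOF
}

provision() {
  policy_arn=$(aws iam create-policy --policy-name "$POLICY_NAME" \
    --policy-document "$(make_policy)" --query Policy.Arn --output text)
  # Step 2: the group carries the policy.
  aws iam create-group --group-name "$GROUP"
  aws iam attach-group-policy --group-name "$GROUP" --policy-arn "$policy_arn"
  # Step 3: the machine user gets permissions only through group membership.
  aws iam create-user --user-name "$USER_NAME"
  aws iam add-user-to-group --group-name "$GROUP" --user-name "$USER_NAME"
  aws iam create-access-key --user-name "$USER_NAME"   # secret is shown only once
}

# Step 4: issue a new key, deploy it on-prem, then retire the old key.
new_key()    { aws iam create-access-key --user-name "$USER_NAME"; }
retire_key() { aws iam update-access-key --user-name "$USER_NAME" --access-key-id "$1" --status Inactive; }

case "${1:-}" in
  provision) provision ;;
  new-key)   new_key ;;
  retire)    retire_key "${2:?old access key id required}" ;;
esac
```

An IAM user can hold at most two access keys, so a rotation creates the second key, switches the batch job to it, and only then sets the first one to Inactive.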
