By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Custom IAM policy with custom IAM Actions

0

I want to create a Custom I AM policy with custom IAM Actions.

something like below: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "myCustomService:MyCustomAction", "myCustomService1:MyCustomAction1", ], "Resource": "*" } ] }

I need this to control clients/ users/ clientApplication access to my application running in EKS cluster.

thanks in advance.

  • Fauzi Muhammad
    8 months ago

    Before creating the policy, make sure that your EKS application support custom IAM action. IAM policy : { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "myCustomService:MyCustomAction", "myCustomService1:MyCustomAction1" ], "Resource": "*" } ] } Example in Kubernetes Aplication import boto3 from botocore.exceptions import ClientError

    client = boto3.client('iam')

    def check_custom_permission(action_name): try: response = client.simulate_principal_policy( PolicySourceArn='arn:aws:iam::ACCOUNT_ID:role/YOUR_ROLE_NAME', ActionNames=[action_name] ) return response['EvaluationResults'][0]['EvalDecision'] == 'allowed' except ClientError as e: print(e) return False

Topics
Security, Identity, & Compliance
Tags
Security, Identity, & ComplianceAWS Identity and Access ManagementIAM Policies
Language
English
shankar s
asked 2 years ago607 views
1 Answer
0

i have added the following example please modify accordingly

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeCluster",
                "eks:ListFargateProfiles",
                "eks:ListUpdates",
                "eks:UpdateClusterVersion"
            ],
            "Resource": "arn:aws:eks:us-west-2:123456789012:cluster/my-cluster",
            "Condition": {
                "StringEquals": {
                    "aws:userid": [
                        "user1",
                        "user2"
                    ],
                    "sourceArn": [
                        "arn:aws:execute-api:us-west-2:123456789012:abcdefghij/*/GET/resource1",
                        "arn:aws:execute-api:us-west-2:123456789012:abcdefghij/*/GET/resource2"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr:BatchGetImage",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:ListTagsForResource",
                "ecr:PutImage"
            ],
            "Resource": "arn:aws:ecr:us-west-2:123456789012:repository/my-repo",
            "Condition": {
                "StringEquals": {
                    "aws:userid": [
                        "user1",
                        "user2"
                    ],
                    "sourceArn": [
                        "arn:aws:execute-api:us-west-2:123456789012:abcdefghij/*/POST/resource3",
                        "arn:aws:execute-api:us-west-2:123456789012:abcdefghij/*/POST/resource4"
                    ]
                }
            }
        }
    ]
}
profile picture
EXPERT
Sedat Salman
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content