IAM roles - policies
Created: 2018-11-12 11:46:38 -0800 Modified: 2018-11-12 12:05:11 -0800
Basics
- A role is a combination of trust relationships (i.e. who is allowed to assume the role) and policies (i.e. what actions the role can perform).
- To make a policy, their visual editor is incredibly helpful: AWS Console → IAM → Policies → Create policy. Note that you can get to this UI through “Roles”, but it’s exactly the same as getting there through Policies (i.e. it won’t automatically attach the policy to the role if you accessed it through “Roles”).
- For example, suppose you want a policy that allows a Docker container to use the change-resource-record-sets API; you can build it with their visual editor.
- When making a policy, it may ask you to choose ARNs. This scopes the policy only to those particular resources. For example, you may have 10 hosted zones and you only want a policy that allows listing the record sets of 3 of them.
- You typically shouldn’t have to create policies if they’re just going to be very general, e.g. “full access to Route53”. Those all exist already. You probably only need to make policies when you’re getting granular with either the resources that you’re targeting or the specific permissions needed.
Troubleshooting
I can’t see my policy that I just created very recently
I believe you have to hit the 🔃 button for it to show.