Reputation: 8354
I give support for 10 developers. These developers are separated into what are called squads and tribes (like Spotify). So each tribe (which is like a group of users sharing common tasks) needs a set of permissions on AWS resources. When a developer deploys an application, e.g. in an EC2 instance, it assumes the role of the EC2 instance. When this developer is testing and developing the application using his dev machine, he needs access to AWS resources, like the EC2 instance. So what is the correct approach: give permissions to this developer as a user or a group, or let him assume a role like the EC2 instance does?
Upvotes: 1
Views: 1412
Reputation: 13632
If the developers are developing locally, they can only use IAM user/group permissions. They cannot assume a role, as they are not on an EC2 instance. So let's say they all belong to an IAM group called Developer.
For the Developer group, you grant them the set of managed or custom policies that they need for development. Let's say they have IAM policies p1, p2, p3, and that gives them access to the test resources they need.
For deployment to a test or development environment on AWS, you provide each instance a role, say AppServer. The AppServer role/profile can also have the same IAM policies p1, p2, p3 associated with it.
In this way your local developers have the same policies as your instances have when deployed.
Upvotes: 1
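The layout the answer describes, as an added Terraform example that is not part of the original question or answer: a single set of policy ARNs is attached to both the Developer group (for people working from their own machines) and the AppServer instance role (for code running on EC2), so the two can never drift apart. The account ID, policy names p1 to p3, user names, AMI and instance type are hypothetical placeholders. One caveat worth knowing when weighing the answer: `sts:AssumeRole` can be called from any machine whose credentials the role's trust policy permits, so the same `for_each` set could equally be attached to a role developers assume from their workstations; the block below sticks to the group-plus-instance-role layout the answer recommends.

```hcl
# Added example, not the original answer's code. All names and ARNs are hypothetical.

locals {
  # p1, p2, p3 from the answer: one source of truth for what developers and
  # deployed instances may do. Swap in your real managed/custom policy ARNs.
  dev_policy_arns = toset([
    "arn:aws:iam::123456789012:policy/p1",
    "arn:aws:iam::123456789012:policy/p2",
    "arn:aws:iam::123456789012:policy/p3",
  ])

  # Hypothetical IAM user names of the developers in this tribe.
  developers = toset(["alice", "bob"])
}

# --- Developers working from their dev machines: IAM group + memberships ---

resource "aws_iam_group" "developer" {
  name = "Developer"
}

# One attachment per policy in the shared set.
resource "aws_iam_group_policy_attachment" "developer" {
  for_each   = local.dev_policy_arns
  group      = aws_iam_group.developer.name
  policy_arn = each.value
}

resource "aws_iam_user_group_membership" "developer" {
  for_each = local.developers
  user     = each.value
  groups   = [aws_iam_group.developer.name]
}

# --- Deployed code on EC2: role + instance profile with the same policy set ---

# Only the EC2 service may assume this role; no human principal is trusted here.
data "aws_iam_policy_document" "ec2_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "app_server" {
  name               = "AppServer"
  assume_role_policy = data.aws_iam_policy_document.ec2_trust.json
}

# Same for_each over the same set as the group above, so parity is structural,
# not something a reviewer has to check by eye.
resource "aws_iam_role_policy_attachment" "app_server" {
  for_each   = local.dev_policy_arns
  role       = aws_iam_role.app_server.name
  policy_arn = each.value
}

resource "aws_iam_instance_profile" "app_server" {
  name = "AppServer"
  role = aws_iam_role.app_server.name
}

resource "aws_instance" "app" {
  ami                  = "ami-0123456789abcdef0" # hypothetical
  instance_type        = "t3.micro"
  iam_instance_profile = aws_iam_instance_profile.app_server.name
}
```

After `terraform apply`, `aws iam list-attached-group-policies --group-name Developer` and `aws iam list-attached-role-policies --role-name AppServer` should return the same three policy ARNs; if they differ, someone attached a policy outside this configuration. Because the developers' workstation credentials carry exactly the permissions the deployed application has, keep p1 to p3 scoped to the test resources the answer mentions rather than to broad service-level actions: a leaked developer access key would otherwise grant everything the application can do.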