Alex

Reputation: 1081

Confused about IAM Roles, Policies, Statements and Actions

The CloudFormation documentation describes the following relationships between the parts of an IAM Role specification:

Service (Lambda in my case)
  has one or more 
Role/s
  which contain one or more
Policy/ies
  which contain a
Policy Document
  which contains one or more
Statement/s
  which contains one or more
{Effect,[Action],Resource} objects
  which specify one or more
Action/s

Suppose I want to give a [Role] permission to do an [Action]. How do I determine where in the above hierarchy the permission should be specified?

In my specific case, I want to add s3:GetObject to a role for a Lambda.

Should I

Looking for guidance as to when each of the above would apply...

Upvotes: 0

Views: 83

Answers (1)

Mitesh Pant

Reputation: 542

I guess you can do any of the following; the only requirement is that your policy document for that role must contain the statement

s3:GetObject

Upvotes: 1
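
One way to lay this out in a CloudFormation template, as an added example that is not part of the original question or answer: the comments map each level to the hierarchy listed in the question. The logical ID, policy name and bucket name are placeholders, and the Resource is scoped to one bucket's objects rather than `*`.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  ExampleLambdaRole:                      # hypothetical logical ID (the Role)
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: names the Service (Lambda) allowed to assume this role.
      # It grants no S3 access by itself.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      # Role -> Policy/ies (inline policies attached to this role)
      Policies:
        - PolicyName: ReadExampleBucketObjects   # hypothetical policy name
          # Policy -> Policy Document
          PolicyDocument:
            Version: "2012-10-17"
            # Policy Document -> Statement/s
            Statement:
              # Statement -> {Effect, [Action], Resource}
              - Effect: Allow
                Action:
                  - s3:GetObject
                # Placeholder bucket; s3:GetObject applies to object ARNs,
                # hence the trailing /*
                Resource: arn:aws:s3:::example-bucket/*
```

Whether the action goes in a new policy, a new statement, or the Action list of an existing statement, the effective permission is the same as long as Effect and Resource match; a separate statement is needed when the Resource or Effect differs.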
