Terraform-provider-aws: Support IAM permission boundaries

Created on 12 Jul 2018  ·  9 Comments  ·  Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

AWS just released IAM permission boundaries, a very cool new feature that allows us to let IAM principals do stuff with IAM without granting them effective admin powers.

Read more here.

New or Affected Resource(s)

  • aws_iam_user
  • aws_iam_role

Potential Terraform Configuration

It would likely just be another optional attribute on each of those resources to specify a managed policy ARN representing the permissions boundary.

References

Labels: enhancement, service/iam

All 9 comments

Pull requests submitted:

  • aws_iam_role data source: #5186
  • aws_iam_role resource: #5184
  • aws_iam_user data source: #5187
  • aws_iam_user resource: #5183

Beautiful, thanks!

Looks like all the PRs are merged, and I think they will all be in by 1.30. Thanks again for all the work 😄

Indeed! All support will be in version 1.30.0 of the AWS provider, releasing middle of this week. 👍

These have all been released in version 1.30.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

Doesn't seem to support multiple permission boundary policies, any plan to support it?

@nusnewob Can you explain more what you mean? Looks to me like the AWS implementation supports a single policy as the permission boundary, and you can only attach one permission boundary on a role or user.

@lorengordon I think he means writing stuff like this

resource "aws_iam_policy_attachment" "test" {
  name                = "test"
  users               = ["${var.profile_username}"]
  policy_arn          = "${aws_iam_policy.policy.arn}"
  boundary_policy_arn = "${aws_iam_policy.policy_boundary.arn}"
}

Yet we cannot add a boundary_policy_arn field.

UPDATE

My bad, we can do this only on creation

resource "aws_iam_user" "lb" {
  # aws_iam_user takes a name, not a user; it cannot reference itself
  name                 = "lb"
  # a single managed policy ARN acts as the boundary
  permissions_boundary = "${aws_iam_policy.policy.arn}"
}
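The permissions_boundary attribute proposed in the issue body and used in the comment above, as an added example that is not part of this thread or the provider's own code, written in current (0.12+) HCL syntax; the policy and principal names, the EC2 trust policy and the allowed actions are assumptions. It also shows the delegated-admin policy that makes a boundary worth having: the delegate can create principals only when this boundary is attached, and cannot remove or edit the boundary.

```hcl
# Added example, not code from the issue or the provider. Names and ARNs are assumed.
# Boundary policy: the ceiling for every principal it is attached to.
resource "aws_iam_policy" "boundary" {
  name = "developer-boundary"
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = ["s3:*", "logs:*"], Resource = "*" }]
  })
}

# Effective permissions are the intersection of identity policies and the boundary,
# so even attaching AdministratorAccess to this role or user would not allow iam:*.
resource "aws_iam_role" "app" {
  name                 = "app-role"
  permissions_boundary = aws_iam_policy.boundary.arn
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole",
                   Principal = { Service = "ec2.amazonaws.com" } }]
  })
}

resource "aws_iam_user" "dev" {
  name                 = "dev-user"
  permissions_boundary = aws_iam_policy.boundary.arn
}

# Delegated IAM admin: may create principals and attach policies only when this
# boundary is set, and may not strip the boundary or edit the boundary policy itself.
resource "aws_iam_policy" "delegated_iam_admin" {
  name = "delegated-iam-admin"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["iam:CreateRole", "iam:CreateUser", "iam:AttachRolePolicy",
                    "iam:AttachUserPolicy", "iam:PutRolePolicy", "iam:PutUserPolicy"]
        Resource = "*"
        Condition = { StringEquals = { "iam:PermissionsBoundary" = aws_iam_policy.boundary.arn } }
      },
      { Effect = "Deny", Resource = "*",
        Action = ["iam:DeleteRolePermissionsBoundary", "iam:DeleteUserPermissionsBoundary"] },
      { Effect = "Deny", Resource = aws_iam_policy.boundary.arn,
        Action = ["iam:CreatePolicyVersion", "iam:DeletePolicyVersion",
                  "iam:SetDefaultPolicyVersion", "iam:DeletePolicy"] }
    ]
  })
}
```

Attach delegated_iam_admin to the team that manages its own roles; iam:PutRolePermissionsBoundary is deliberately absent from the Allow so the boundary cannot be swapped for a looser one after creation.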

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
