IAM
Provides user management and policy control for AWS resources.
Example YAML file:

```yaml
apiVersion: aws.boundless.software/v1alpha1
kind: Iam
metadata:
  name: my-iam-config
spec:
  provider:
    region: us-west-2
  instanceProfile:
    name: my-instance-profile
    role: my-instance-role
    tags:
      Name: my-instance-profile
      Environment: Dev
  oidcProvider:
    clientIdList:
      - "example-client-id"
    thumbprintList:
      - "example-thumbprint"
    url: "https://example-oidc-provider.com"
  policy:
    name: my-policy
    description: "This is my custom IAM policy."
    path: "/custom/"
    statement:
      - Effect: "Allow"
        Action:
          - "s3:GetObject"
        Resource: "*"
    tags:
      Environment: Dev
  role:
    name: my-role
    description: "This is my custom IAM role."
    path: "/custom/"
    policy:
      name: inline-policy-for-role
      statement:
        - Effect: "Allow"
          Action:
            - "s3:ListBucket"
          Resource: "*"
    policyArns:
      - "arn:aws:iam::aws:policy/AdministratorAccess"
    trustPolicy:
      statement:
        - Effect: "Allow"
          Principal:
            Service:
              - "eks.amazonaws.com"
          Action:
            - "sts:AssumeRole"
    tags:
      Environment: Dev
  user:
    name: my-user
    createAccessKey: true
    path: "/custom/"
    permissionsBoundary: "arn:aws:iam::aws:policy/ReadOnlyAccess"
    policy:
      name: inline-policy-for-user
      statement:
        - Effect: "Allow"
          Action:
            - "s3:PutObject"
          Resource: "*"
    tags:
      Environment: Dev
  userGroup:
    name: my-user-group
    path: "/custom/"
    policy:
      name: inline-policy-for-user-group
      statement:
        - Effect: "Allow"
          Action:
            - "ec2:DescribeInstances"
          Resource: "*"
    users:
      - "my-user"
```
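The example above is a convenient starting point but not a least-privilege one: the role attaches the AdministratorAccess managed policy, every inline statement allows its action on `Resource: "*"`, and `createAccessKey: true` produces a long-lived key whose secret is then exposed through `UserStatus.secret`. The following script is an added example, not part of the project or its controller; it lints an `Iam` spec for these patterns so the check can run in CI before the object is applied. The field names come from this page; `EXAMPLE_SPEC` is a constructed transcription of the page's YAML into a dict so the script runs offline without a YAML library, and the rule that treats `Describe*` actions as an acceptable use of `Resource: "*"` is a simplifying assumption, since such calls generally do not support resource-level permissions.

```python
"""Least-privilege linter for an aws.boundless.software/v1alpha1 Iam spec.
Added example, not project code. EXAMPLE_SPEC is the page's YAML transcribed to a
dict (constructed here so the script runs offline without a YAML parser); for a
real object, load it with your YAML library and call lint_iam_spec(obj["spec"]).
"""
from dataclasses import dataclass

ADMIN_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    path: str      # dotted location inside spec
    message: str


def _as_list(value):
    """IAM JSON allows Action, Resource and Principal.AWS as a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_statements(statements, where):
    """Flag Allow statements with wildcard actions, resources or principals."""
    findings = []
    for i, st in enumerate(statements or []):
        if st.get("Effect") != "Allow":
            continue
        loc = f"{where}.statement[{i}]"
        actions = _as_list(st.get("Action"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(Finding("high", loc, f"wildcard Action {actions}"))
        elif "*" in _as_list(st.get("Resource")):
            # Assumption: Describe* calls have no resource-level permissions, so "*" is expected there
            sev = "low" if all(":Describe" in a for a in actions) else "medium"
            findings.append(Finding(sev, loc, f'Resource "*" for {actions}'))
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append(Finding("high", loc, "trust policy allows any AWS principal"))
    return findings


def lint_policy_arns(arns, where):
    """Flag attachment of the AdministratorAccess managed policy."""
    return [Finding("high", where, f"attaches {a}") for a in arns or [] if a == ADMIN_ARN]


def lint_iam_spec(spec):
    """Walk the Iam spec fields documented on this page and collect findings."""
    findings = []
    if "policy" in spec:
        findings += lint_statements(spec["policy"].get("statement"), "spec.policy")
    for kind in ("role", "user", "userGroup"):
        obj = spec.get(kind) or {}
        if "policy" in obj:
            findings += lint_statements(obj["policy"].get("statement"), f"spec.{kind}.policy")
        findings += lint_policy_arns(obj.get("policyArns"), f"spec.{kind}.policyArns")
    trust = (spec.get("role") or {}).get("trustPolicy")
    if trust:
        findings += lint_statements(trust.get("statement"), "spec.role.trustPolicy")
    user = spec.get("user") or {}
    if user.get("createAccessKey"):
        findings.append(Finding("medium", "spec.user.createAccessKey",
                                "long-lived key; UserStatus.secret keeps it in the cluster"))
    if user and not user.get("permissionsBoundary"):
        findings.append(Finding("medium", "spec.user.permissionsBoundary", "no boundary set"))
    oidc = spec.get("oidcProvider") or {}
    if oidc and not str(oidc.get("url", "")).startswith("https://"):
        findings.append(Finding("high", "spec.oidcProvider.url", "issuer URL is not https"))
    return findings


def summarize(findings):
    """Count findings by severity."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed: the page's example YAML transcribed to a dict (names and tags omitted).
EXAMPLE_SPEC = {
    "provider": {"region": "us-west-2"},
    "oidcProvider": {"clientIdList": ["example-client-id"], "thumbprintList": ["example-thumbprint"],
                     "url": "https://example-oidc-provider.com"},
    "policy": {"statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"}]},
    "role": {"policy": {"statement": [{"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "*"}]},
             "policyArns": [ADMIN_ARN],
             "trustPolicy": {"statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
                                            "Principal": {"Service": ["eks.amazonaws.com"]}}]}},
    "user": {"createAccessKey": True, "permissionsBoundary": "arn:aws:iam::aws:policy/ReadOnlyAccess",
             "policy": {"statement": [{"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "*"}]}},
    "userGroup": {"users": ["my-user"], "policy": {"statement": [
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"}]}},
}

if __name__ == "__main__":
    for f in lint_iam_spec(EXAMPLE_SPEC):
        print(f"[{f.severity}] {f.path}: {f.message}")
```

Run against the page's example, the linter reports one high finding (the AdministratorAccess attachment on the role), four medium ones (the three `Resource: "*"` statements on actions that do support resource ARNs, plus the access-key creation) and one low one (`ec2:DescribeInstances` on `"*"`). The trust policy passes because its principal is a specific service; the same `lint_statements` function would flag a trust policy whose `Principal` is `"*"` or `{"AWS": "*"}`, which is the check worth keeping in front of any role this controller creates.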
Inputs
Name | Type | Description |
---|---|---|
provider* | AwsProviderSpec | Provider specifies the AWS provider settings for IAM. |
instanceProfile | InstanceProfileSpec | InstanceProfile specifies the AWS instance profile. |
oidcProvider | OidcProviderSpec | OidcProvider specifies the OpenID Connect provider settings. |
policy | IamPolicySpec | Policy specifies the IAM policy settings. |
role | RoleSpec | Role specifies the IAM role settings. |
user | UserSpec | User specifies the IAM user settings. |
userGroup | UserGroupSpec | UserGroup specifies the IAM user group settings. |
InstanceProfileSpec
Name | Type | Description |
---|---|---|
name* | string | Name is the name of the instance profile. |
role* | string | Role is the IAM role associated with this instance profile. |
tags | map[string]string | Tags are metadata to assign to the Instance Profile. |
OidcProviderSpec
Name | Type | Description |
---|---|---|
clientIdList* | []string | ClientIdList specifies the list of client IDs for the OIDC identity provider. |
thumbprintList* | []string | ThumbprintList specifies the list of thumbprints of the OIDC identity provider's server certificate(s). |
url* | string | Url is the URL of the OIDC identity provider. |
IamPolicySpec
Name | Type | Description |
---|---|---|
name | string | Name is the name of the policy. |
description | string | Description is the description of the policy. |
path | string | Path is the optional path of the policy. |
statement* | []apiext.JSON | Statement is the list of policy statements. |
tags | map[string]string | Tags are metadata to assign to the policy. |
RoleSpec
Name | Type | Description |
---|---|---|
name* | string | Name is the name of the role. |
description | string | Description is the description of the role. |
path | string | Path is the optional path of the role. |
policy | IamPolicySpec | Policy is the inline policy for the role. |
policyArns | []string | PolicyArns is the list of policy ARNs attached to the role. |
sessionDuration | int32 | SessionDuration is the maximum session duration for the role. |
trustPolicy* | IamPolicySpec | TrustPolicy is the trust relationship policy for the role. |
tags | map[string]string | Tags are metadata to assign to the role. |
UserSpec
Name | Type | Description |
---|---|---|
name* | string | Name is the name of the user. |
createAccessKey | bool | CreateAccessKey indicates whether to create an access key for the user. |
path | string | Path is the optional path of the user. |
permissionsBoundary | string | PermissionsBoundary is the permissions boundary for the user. |
policy | IamPolicySpec | Policy is the inline policy for the user. |
policyArns | []string | PolicyArns is the list of policy ARNs attached to the user. |
tags | map[string]string | Tags are metadata to assign to the user. |
UserGroupSpec
Name | Type | Description |
---|---|---|
name* | string | Name is the name of the user group. |
path | string | Path is the optional path of the user group. |
policy | IamPolicySpec | Policy is the inline policy for the user group. |
policyArns | []string | PolicyArns is the list of policy ARNs attached to the user group. |
users | []string | Users are the IAM users that are members of this user group. |
Outputs
Name | Type | Description |
---|---|---|
condition | metav1.Condition | Condition provides the current status condition of the IAM resources. |
instanceProfile | InstanceProfileStatus | InstanceProfile reports the status of the AWS instance profile. |
oidcProvider | OidcProviderStatus | OidcProvider reports the status of the OpenID Connect provider. |
policy | PolicyStatus | Policy reports the status of the IAM policy. |
role | RoleStatus | Role reports the status of the IAM role. |
user | UserStatus | User reports the status of the IAM user. |
userGroup | UserGroupStatus | UserGroup reports the status of the IAM user group. |
InstanceProfileStatus
Name | Type | Description |
---|---|---|
condition | metav1.Condition | Condition provides the current condition of this Instance Profile. |
arn | string | Arn is the Amazon Resource Name (ARN) for this Instance Profile. |
name | string | Name is the name of the Instance Profile. |
role | string | Role is the IAM role associated with this Instance Profile. |
OidcProviderStatus
Name | Type | Description |
---|---|---|
condition | metav1.Condition | Condition provides the current condition of this OIDC Provider. |
arn | string | Arn is the Amazon Resource Name (ARN) for this OIDC Provider. |
url | string | Url is the URL of the OIDC Provider. |
PolicyStatus
Name | Type | Description |
---|---|---|
condition | metav1.Condition | Condition provides the current condition of this Policy. |
arn | string | Arn is the Amazon Resource Name (ARN) for this Policy. |
name | string | Name is the name of the Policy. |
version | string | Version is the version of the Policy. |
RoleStatus
Name | Type | Description |
---|---|---|
condition | metav1.Condition | Condition provides the current condition of this Role. |
arn | string | Arn is the Amazon Resource Name (ARN) for this Role. |
name | string | Name is the name of the Role. |
UserStatus
Name | Type | Description |
---|---|---|
condition | metav1.Condition | Condition provides the current condition of this User. |
arn | string | Arn is the Amazon Resource Name (ARN) for this User. |
name | string | Name is the name of the User. |
accessKey | string | AccessKey is the access key for this User. |
secret | string | SecretKey is the secret key for this User. |
UserGroupStatus
Name | Type | Description |
---|---|---|
condition | metav1.Condition | Condition provides the current condition of this User Group. |
arn | string | Arn is the Amazon Resource Name (ARN) for this User Group. |
name | string | Name is the name of the User Group. |
users | []string | Users are the IAM users that are members of this User Group. |