Managed IAM Policies
Jets also supports Managed IAM Policies. Managed IAM policies are managed by AWS. This is nice because when AWS releases new features with new API methods, AWS will update the IAM policy accordingly and we don’t have to update the policy ourselves. Managed polices are simple to use with Jets. Here are the ways you can set managed policies and their precedence:
- Function-specific IAM policy: highest precedence. Applies for the distinct Lambda function.
- Class-wide IAM policy: Applies for all Lambda functions for the class.
- Application-wide IAM policy: lowest precedence. Applies for all Lambda functions of the Jets application.
CloudFormation Controllers Build Setting
Important: In Jets v5, a single Lambda function handles all controller requests. You can only define IAM policies for all controllers in ApplicationController or in config/application.rb.
For jobs, you have the ability to control IAM Policies at the individual Lambda function level because Jets always deploys an distinct Lambda functions for each job method.
Function specific Managed IAM policy
class PostsController < ApplicationController
# ...
managed_iam_policy "AmazonEC2ReadOnlyAccess"
def show
render json: {action: "show", id: params[:id]}
end
end
Class-wide Managed IAM policy
class PostsController < ApplicationController
class_managed_iam_policy(
"IAMReadOnlyAccess",
"service-role/AWSConfigRulesExecutionRole"
)
# ...
end
Application-wide Managed IAM policy
Jets.application.configure do |config|
config.managed_iam_policy = %w[
AWSCloudTrailReadOnlyAccess
IAMReadOnlyAccess
]
end
IAM DSL Multiple Calls
When you call class_iam_policy multiple times, it appends permissions for that specific function. Example:
class_iam_policy("AmazonS3ReadOnlyAccesss3")
class_iam_policy("CloudFrontReadOnlyAccess")
The same as:
class_iam_policy("AmazonS3ReadOnlyAccess", "CloudFrontReadOnlyAccess")
Managed IAM Policies Inheritance
Managed IAM policies defined at lower levels of precedence inherit and include the policies from the higher levels of precedence. This is done so you do not have to duplicate your IAM policies when you only need to add a simple additional permission. For example, if you’ve configured the application-wide Managed IAM policy to look something like this:
Jets.application.configure do |config|
config.managed_iam_policy = %w[IAMReadOnlyAccess]
end
When you add a function specific IAM policy to a method:
class PostsController < ApplicationController
# ...
managed_iam_policy "AmazonEC2ReadOnlyAccess"
def show
render json: {action: "show", id: params[:id]}
end
end
The resulting policy for the method will look something like this:
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
- arn:aws:iam::aws:policy/IAMReadOnlyAccess
So the Managed IAM policies are additive.
Managed IAM Policies Expansion
The Managed IAM Policies shorthand above ultimately get expanded and included into the CloudFormation templates and get associated with the appropriate Lambda functions. It ulimately, looks something like this:
IamRole:
Type: AWS::IAM::Role
Properties:
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
- arn:aws:iam::aws:policy/AWSCloudTrailReadOnlyAccess
- arn:aws:iam::aws:policy/IAMReadOnlyAccess
More details on what a raw IAM Policies can be found at: