Managed IAM Policies
Jets also supports Managed IAM Policies. Managed IAM policies are managed by AWS. This is nice because when AWS releases new features with new API methods, AWS will update the IAM policy accordingly and we don’t have to update the policy ourselves. Managed polices are simple to use with Jets. Here are the ways you can set managed policies and their precedence:
- Function specific Managed IAM policy: highest precedence
- Class-wide Managed IAM policy
- Application-wide Managed IAM policy: lowest precedence
Function specific Managed IAM policy
class PostsController < ApplicationController
# ...
managed_iam_policy "AmazonEC2ReadOnlyAccess"
def show
render json: {action: "show", id: params[:id]}
end
end
Class-wide Managed IAM policy
class PostsController < ApplicationController
class_managed_iam_policy(
"IAMReadOnlyAccess",
"service-role/AWSConfigRulesExecutionRole"
)
# ...
end
Application-wide Managed IAM policy
Jets.application.configure do |config|
config.managed_iam_policy = %w[
AWSCloudTrailReadOnlyAccess
IAMReadOnlyAccess
]
end
Managed IAM Policies Inheritance
Managed IAM policies defined at lower levels of precedence inherit and include the policies from the higher levels of precedence. This is done so you do not have to duplicate your IAM policies when you only need to add a simple additional permission. For example, if you’ve configured the application-wide Managed IAM policy to look something like this:
Jets.application.configure do |config|
config.managed_iam_policy = %w[IAMReadOnlyAccess]
end
When you add a function specific IAM policy to a method:
class PostsController < ApplicationController
# ...
managed_iam_policy "AmazonEC2ReadOnlyAccess"
def show
render json: {action: "show", id: params[:id]}
end
end
The resulting policy for the method will look something like this:
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
- arn:aws:iam::aws:policy/IAMReadOnlyAccess
So the Managed IAM policies are additive.
Managed IAM Policies Expansion
The Managed IAM Policies shorthand above ultimately get expanded and included into the CloudFormation templates and get associated with the appropriate Lambda functions. It ulimately, looks something like this:
IamRole:
Type: AWS::IAM::Role
Properties:
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
- arn:aws:iam::aws:policy/AWSCloudTrailReadOnlyAccess
- arn:aws:iam::aws:policy/IAMReadOnlyAccess
More details on what a raw IAM Policies can be found at: