Managed IAM Policies
Jets also supports Managed IAM Policies. Managed IAM policies are managed by AWS. This is nice because when AWS releases new features with new API methods, AWS will update the IAM policy accordingly and we don’t have to update the policy ourselves. Managed polices are simple to use with Jets. Here are the ways you can set managed policies and their precedence:
- Function specific Managed IAM policy: highest precedence
- Class-wide Managed IAM policy
- Application-wide Managed IAM policy: lowest precedence
Function specific Managed IAM policy
class PostsController < ApplicationController
# ...
managed_iam_policy "AmazonEC2ReadOnlyAccess"
def show
render json: {action: "show", id: params[:id]}
end
end
Class-wide Managed IAM policy
class PostsController < ApplicationController
class_managed_iam_policy(
"IAMReadOnlyAccess",
"service-role/AWSConfigRulesExecutionRole"
)
# ...
end
Application-wide Managed IAM policy
Jets.application.configure do |config|
config.managed_iam_policy = %w[
AWSCloudTrailReadOnlyAccess
IAMReadOnlyAccess
]
end
Managed IAM Policies Inheritance
Managed IAM policies defined at lower levels of precedence inherit and include the policies from the higher levels of precedence. This is done so you do not have to duplicate your IAM policies when you only need to add a simple additional permission. For example, if you’ve configured the application-wide Managed IAM policy to look something like this:
Jets.application.configure do |config|
config.managed_iam_policy = %w[IAMReadOnlyAccess]
end
When you add a function specific IAM policy to a method:
class PostsController < ApplicationController
# ...
managed_iam_policy "AmazonEC2ReadOnlyAccess"
def show
render json: {action: "show", id: params[:id]}
end
end
The resulting policy for the method will look something like this:
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
- arn:aws:iam::aws:policy/IAMReadOnlyAccess
So the Managed IAM policies are additive.
Managed IAM Policies Expansion
The Managed IAM Policies shorthand above ultimately get expanded and included into the CloudFormation templates and get associated with the appropriate Lambda functions. It ulimately, looks something like this:
IamRole:
Type: AWS::IAM::Role
Properties:
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
- arn:aws:iam::aws:policy/AWSCloudTrailReadOnlyAccess
- arn:aws:iam::aws:policy/IAMReadOnlyAccess
More details on what a raw IAM Policies can be found at:
- AWS Managed Policies for Job Functions
- AWS IAM Policies and Permissions docs
- CloudFormation IAM Policy reference docs
Pro tip: Use the <- and -> arrow keys to move back and forward.
Edit this page
See a typo or an error? You can improve this page. This website is available on GitHub, and contributions are encouraged and welcomed. We love pull requests from you!
- Suggest an edit to this page (here's the contributing guide).
- Open an issue about this page to report a problem.