iam 3.3 roles design
This design covers our implementation of AWS IAM roles and instance profiles.
Status | Draft | |
---|---|---|
Created | 2013/04/09 | Initial document, content for post sprint 5 |
Implementation of the following items is beyond the scope of this design:
- STS AssumeRole Policy parameter (the optional supplemental policy passed with the call)
This feature relates to the following features in this release:
- ElasticLoadBalancing - Uses IAM roles for service access from ELB instances
- How should credentials be cached in the instance metadata?
This section provides design details relevant to developers.
Item | Value | Notes |
---|---|---|
DB | eucalyptus_auth | Existing IAM/STS database |
IAM service class | EuareService | Existing service class updated |
STS service class | TokensService | Existing service class updated |
The following entities will be added:
- Role
- Instance profile
Ern is updated to allow ARNs for the following resource types:
- role
- instance-profile
The security token format is updated to allow reference to the IAM role for the credential.
RoleUser is added to expose a Role as a User for compatibility with existing permission enforcement.
Previously we only supported identity-attached policies. For roles it is necessary to also support resource-attached policies (the assume-role policy attached to the role itself).
PolicyParser is updated to support the attachment type of the policy. The attachment type determines the required parts of the policy; for example, a resource-attached policy must specify the identities (principals) to which it applies, whereas an identity-attached policy must not, since the identity is implied by the attachment.
Cross account deny policy statements are now supported (See Modifying Group Permissions in the Enabling Cross-Account API Access Walkthrough)
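The following is an added example, not Eucalyptus code, showing the three pieces described above together: attachment-type validation of a policy document (a resource-attached assume-role policy must carry a Principal, an identity-attached role policy must not), evaluation of an AssumeRole request against the role's assume-role policy including a cross-account explicit Deny statement, and enforcement of a session's permissions using only the policies attached to the role named in the token (the RoleUser view). The ARN parser accepts the role and instance-profile resource types added to Ern. Policy shapes follow the AWS JSON policy language; `ROLE`, the account ids, the `assume_role`/`session_permits` helpers and the session record layout are assumptions made for the example.

```python
"""Added example (not Eucalyptus code): attachment-type policy validation, AssumeRole
trust-policy evaluation with a cross-account explicit Deny, and permission checks that
use only the assumed role's own policies. Policy shapes follow the AWS JSON policy
language; ROLE below is constructed sample data."""
import fnmatch
import re

# ARN forms Ern gains in this design: arn:aws:iam::<account>:role/<path><name> and
# arn:aws:iam::<account>:instance-profile/<path><name> (user kept for principals).
_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(role|instance-profile|user)/((?:[^/]+/)*)([^/]+)$")


def parse_arn(arn):
    """Return (account, resource_type, path, name); raise ValueError otherwise."""
    m = _ARN.match(arn)
    if not m:
        raise ValueError("unsupported IAM ARN: " + str(arn))
    account, rtype, path, name = m.groups()
    return account, rtype, "/" + path, name


def policy_errors(policy, attachment):
    """attachment is 'identity' (user/group/role policy) or 'resource' (assume-role
    policy). A resource-attached policy must name the identities it applies to; an
    identity-attached one must not, since the identity is implied by attachment.
    Returns a list of error strings; an empty list means the policy is acceptable."""
    errors = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            errors.append("statement %d: Effect must be Allow or Deny" % i)
        if attachment == "resource" and "Principal" not in stmt:
            errors.append("statement %d: resource-attached policy needs a Principal" % i)
        if attachment == "identity" and "Principal" in stmt:
            errors.append("statement %d: identity-attached policy must not carry a Principal" % i)
    return errors


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    if caller_arn is None:  # a resource-attached statement needs a caller to compare
        return False
    account = parse_arn(caller_arn)[0]
    for p in _as_list(principal.get("AWS", [])):
        # A bare account id or the account's root ARN names every identity in it.
        if p in ("*", caller_arn, account, "arn:aws:iam::%s:root" % account):
            return True
    return False


def evaluate(statements, action, resource, caller_arn=None):
    """AWS-style decision: an explicit Deny wins over any Allow; no Allow is a deny.
    caller_arn is only consulted for resource-attached statements (those with a Principal)."""
    allowed = False
    for stmt in statements:
        if "Principal" in stmt and not _principal_matches(stmt["Principal"], caller_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def assume_role(role, caller_arn, session_name):
    """Return a session token record that references the role, or None if the role's
    assume-role (resource-attached) policy does not admit the caller."""
    if not evaluate(role["AssumeRolePolicy"]["Statement"], "sts:AssumeRole", role["Arn"], caller_arn):
        return None
    return {"RoleArn": role["Arn"], "SessionName": session_name}


def session_permits(session, roles, action, resource):
    """Authorise using the policies of the role named in the token, never the
    original caller's: this is the view RoleUser exposes to permission enforcement."""
    role = roles[session["RoleArn"]]
    statements = [s for p in role["Policies"].values() for s in p["Statement"]]
    return evaluate(statements, action, resource)


ROLE = {  # constructed sample: a role in account 111..., assumable from account 222...
    "Arn": "arn:aws:iam::111111111111:role/elb/LoadBalancerRole",
    "AssumeRolePolicy": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "222222222222"}, "Action": "sts:AssumeRole"},
        {"Effect": "Deny", "Principal": {"AWS": "arn:aws:iam::222222222222:user/contractor"},
         "Action": "sts:AssumeRole"},  # cross-account deny statement
    ]},
    "Policies": {"s3-read": {"Statement": [  # attached with PutRolePolicy
        {"Effect": "Allow", "Action": "s3:Get*", "Resource": "arn:aws:s3:::elb-logs/*"}]}},
}
ROLES = {ROLE["Arn"]: ROLE}
```

The order of checks matters for the risks this feature carries: the session record names only the role, so `session_permits` cannot leak the caller's own permissions into the session, and the explicit Deny in the assume-role policy is honoured even though an Allow for the whole account precedes it.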
This section provides implementation details and descriptions of any functionality beyond the core AWS features.
Item | Value | Notes |
---|---|---|
IAM Version | 2010-05-08 | Version of IAM API supported |
STS Version | 2011-06-15 | Version of STS API supported |
This section describes the implemented service actions.
For more information on administrative support by action, see Administrative Functionality below.
Action | Admin Enabled | Notes |
---|---|---|
AddRoleToInstanceProfile | Y | |
CreateInstanceProfile | Y | |
CreateRole | Y | |
DeleteInstanceProfile | Y | |
DeleteRole | Y | |
DeleteRolePolicy | Y | |
GetInstanceProfile | Y | |
GetRole | Y | |
GetRolePolicy | Y | |
ListInstanceProfiles | Y | |
ListInstanceProfilesForRole | Y | |
ListRolePolicies | Y | |
ListRoles | Y | |
PutRolePolicy | Y | |
RemoveRoleFromInstanceProfile | Y | |
UpdateAssumeRolePolicy | Y | |
Action | Admin Enabled | Notes |
---|---|---|
AssumeRole | | Supplemental policy (Policy parameter) not supported. |
We will extend the standard functionality for administrative purposes.
Support for quotas:
Item | Value | Notes |
---|---|---|
Quotas | iam:quota-instanceprofilenumber | |
Quotas | iam:quota-rolenumber | |
System administrators can perform actions on behalf of other accounts using a special delegation parameter. This applies to all actions marked as Admin Enabled above.
No configuration changes noted.
No upgrade impact noted.
No specific packaging requirements.
Administrative functionality should be documented.
This feature has significant security risks. Some specific risks are:
- Assuming a role from an instance that grants access to another account's resources
- Token service errors that grant access to another account's resources
- An assumed role not limiting access to the permissions defined by the role's policies
No specific test cases noted.
Tag: rls-3.3
Contact Info
- email: architecture@eucalyptus.com
- IRC: #eucalyptus-devel (freenode)