DEV Community

Nurul Ramadhona for AWS Community Builders

Posted on • Edited on

Create and Manage AWS IAM User Group Using Ansible

In the previous part, we have IAM User. Now let's move to the IAM User Group! An IAM User Group consists of two or more two IAM users as members, not a group (because a group can't consist other groups). It will help us to manage the same permissions for multiple users at a group level. This is the best practice to manage authorization such as policies for IAM Users.

For IAM User Group, we use community.aws.iam_group module.

1. Create group along with existing users as members.

Task:

    - name: create group and add existing users as members
      community.aws.iam_group:
        name: "{{ item.name }}"
        state: present
        users: "{{ item.members }}"
      loop: 
        - { name: "{{ group1 }}", members: ["{{ user1 }}","{{ user2 }}"] }
      tags:
        - iam_group_new_members
Enter fullscreen mode Exit fullscreen mode

Note*: You can remove users argument of the task below in case you wanna create a group only without adding users as members.

Run the playbook:

$ ansible-playbook -i host.yml iam.yml -t iam_group_new_members

PLAY [iam] *************************************************************************

TASK [create group and add existing users as members] ******************************
changed: [localhost] => (item={'name': 'developer', 'members': ['name1', 'name2']})
Enter fullscreen mode Exit fullscreen mode

Let's check if the group was created with the users in!

$ aws iam get-group --group-name developer | grep UserName
            "UserName": "name1",
            "UserName": "name2",
Enter fullscreen mode Exit fullscreen mode

2. Create group and attach managed policy.

As I mentioned before, group level is one of the best practices to manage permissions or policies for IAM Users. With Ansible, we can do that for sure.

Task:

    - name: create group + attach managed policy
      community.aws.iam_group:
        name: "{{ item.name }}"
        managed_policies: "{{ item.policy }}"
        state: present
      loop: 
        - { name: "{{ group2 }}", policy: arn:aws:iam::aws:policy/IAMReadOnlyAccess }
      tags:
        - iam_group_new_policy
Enter fullscreen mode Exit fullscreen mode

Run the playbook:

$ ansible-playbook -i host.yml iam.yml -t iam_group_new_policy

PLAY [iam] *************************************************************************

TASK [create group + attach managed policy] ****************************************
changed: [localhost] => (item={'name': 'programmer', 'policy': 'arn:aws:iam::aws:policy/IAMReadOnlyAccess'})
Enter fullscreen mode Exit fullscreen mode

3. Create group along with existing users as members and attach managed policy.

The first task lets us create a group and add users, the second task does differently by replacing add users with attach managed policy. All the tasks have run separately, but what if we need both? We can do that.

Task:

    - name: create group with users as members + attach managed policy
      community.aws.iam_group:
        name: "{{ item.name }}"
        managed_policies: "{{ item.policy }}"
        users: "{{ item.members }}"
        state: present
      loop: 
        - { name: "{{ group3 }}", policy: arn:aws:iam::aws:policy/IAMReadOnlyAccess, members: ["{{ user1 }}","{{ user2 }}"] }
      tags:
        - iam_group_new_policy_members
Enter fullscreen mode Exit fullscreen mode

Run the playbook:

$ ansible-playbook -i host.yml iam.yml -t iam_group_new_policy_members

PLAY [iam] *************************************************************************

TASK [create group with users as members + attach managed policy] ******************
changed: [localhost] => (item={'name': 'engineer', 'policy': 'arn:aws:iam::aws:policy/IAMReadOnlyAccess', 'members': ['name1', 'name2']})
Enter fullscreen mode Exit fullscreen mode
$ aws iam get-group --group-name engineer | grep UserName
            "UserName": "name1",
            "UserName": "name2",
Enter fullscreen mode Exit fullscreen mode

Please note that all tasks above are not just about create, create, and create. You can use it to manage groups as well. For example, you want to add existing users as members of the existing group. Then you can use the first task above to do that and you just need to change the value.

That's it for Part 3. We will continue with the IAM Role for Part 4.

Reference:

https://docs.ansible.com/ansible/latest/collections/community/aws/iam_group_module.html

Top comments (0)