Create and Manage AWS IAM Role Using Ansible

As I mentioned before, attaching the policy directly to the IAM user is not the best practice. As an option, we can use the IAM User Group to manage policies at the group level. Now, how if we need unusual and temporary access with specific permissions to any resources, either as an identity such as IAM User or as another resource like from EC2 for example? Then, the IAM Role is the answer.

Just like IAM User, IAM Role can delegate permissions or access to other identities or other resources as well. IAM Role decides who can do what in AWS but it's a little bit different with IAM User cause we don't need any credentials to get access, or in the IAM role it's mentioned as to assume the role. We don't need a password or access key.

For the IAM Role, we use community.aws.iam_role module.

Create Role

In this section, we will only set who can assume the role.

Create a file named role_policy.json as the trust document (please replace 0123456789 with your own account ID).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": { "AWS": "arn:aws:iam::0123456789:user/name5" },
        }
    ]
}

Task:

    - name: create new role
      community.aws.iam_role:
        name: "{{ item.name }}"
        assume_role_policy_document: "{{ item.file }}"
      loop: 
        - { name: IAM, file: "{{ lookup('file','role_policy.json') }}" }
      tags:
        - iam_role_new

Run the playbook:

$ ansible-playbook -i host.yml iam.yml -t iam_role_new

PLAY [iam] *********************************************************************

TASK [create new role] *********************************************************
changed: [localhost] => (item={'name': 'IAM', 'file': {'Version': '2012-10-17', 'Statement': [{'Effect': 'Allow', 'Action': 'sts:AssumeRole', 'Principal': {'AWS': 'arn:aws:iam::0123456789:user/name5'}}]}})

The task will allow only user name5 can assume the role. Let's check!

Get role's ARN:

$ aws iam list-roles --query "Roles[?RoleName == 'IAM'].[RoleName, Arn]"
[
    [
        "IAM",
        "arn:aws:iam::0123456789:role/IAM"
    ]
]

Assume role:

$ aws sts assume-role --role-arn "arn:aws:iam::0123456789:role/IAM" --role-session-name IAM-Session --profile name5
{
    "Credentials": {
        "AccessKeyId": "ASIAZ44MXOFLODACDGT6",
        "SecretAccessKey": "9Mo0mlic0SFT+iXfjJLZVF2KcOs5AnkOSRTafkhE",
        "SessionToken": "FwoGZXIvYXdzEFUaDFsU3R/5e1qeVRy4gyKvARr+4uMtDxXGZgyuqld3I32GuaEz+8v8UL94h/cQh3sDEzSu+5p5GPkxwR8oCriLeG8UAzJL3fcbA81408bH/qLj352c64Bdi+OBsDV5kuios/fUHVmWwkq8yHRBomGb1kKPky7pJi+e7ornjMdYxveiYnE0oUacEj5LIbg3gWYr67e+4/+5yz0ClkynDVDycO6V0el+AVSCf9xstiQOZQHYiIf+fdUka5PVBAlXkB0op/SJkgYyLdUBukFyHuM4Hqd3et/N6HCLuOs7v63qINUooo/CwJIq35Kx3z/E7mi3BJn7mw==",
        "Expiration": "2022-03-29T04:16:55Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAZ44MXOFLNNFVT2XDZ:IAM-Session",
        "Arn": "arn:aws:sts::0123456789:assumed-role/IAM/IAM-Session"
    }
}

From the command above, we need some information to be configured. Those are Access Key ID, Secret Access Key, and Session Token. Since we use a secondary IAM user on the local device, we need to set the Profile as well.

$ export AWS_PROFILE=name5
$ export AWS_ACCESS_KEY_ID=ASIAZ44MXOFLODACDGT6
$ export AWS_SECRET_ACCESS_KEY=9Mo0mlic0SFT+iXfjJLZVF2KcOs5AnkOSRTafkhE
$ export AWS_SESSION_TOKEN=FwoGZXIvYXdzEFUaDFsU3R/5e1qeVRy4gyKvARr+4uMtDxXGZgyuqld3I32GuaEz+8v8UL94h/cQh3sDEzSu+5p5GPkxwR8oCriLeG8UAzJL3fcbA81408bH/qLj352c64Bdi+OBsDV5kuios/fUHVmWwkq8yHRBomGb1kKPky7pJi+e7ornjMdYxveiYnE0oUacEj5LIbg3gWYr67e+4/+5yz0ClkynDVDycO6V0el+AVSCf9xstiQOZQHYiIf+fdUka5PVBAlXkB0op/SJkgYyLdUBukFyHuM4Hqd3et/N6HCLuOs7v63qINUooo/CwJIq35Kx3z/E7mi3BJn7mw==

Then, check the identity! It will change to the role session.

$ aws sts get-caller-identity

{
    "UserId": "AROAZ44MXOFLNNFVT2XDZ:IAM-Session",
    "Account": "0123456789",
    "Arn": "arn:aws:sts::0123456789:assumed-role/IAM/IAM-Session"
}

Let's see what we can do with this role!

$ aws iam list-users

An error occurred (AccessDenied) when calling the ListUsers operation: User: arn:aws:sts::0123456789:assumed-role/IAM/IAM-Session is not authorized to perform: iam:ListUsers on resource: arn:aws:iam::0123456789:user/

As we can see, we can't do anything because the role doesn't have policy attached. To remove the role session, we need to do unset:

$ unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_PROFILE

Create Role with Policy Attached

Since we can't do anything with the first role. Now, I'll create a second role and attach a policy to it.

Task:

    - name: create new role and attach managed policy
      community.aws.iam_role:
        name: "{{ item.name }}"
        assume_role_policy_document: "{{ item.file }}"
        managed_policies: "{{ item.policy }}"
      loop: 
        - { name: IAM_Policy, file: "{{ lookup('file','role_policy.json') }}", policy: arn:aws:iam::aws:policy/IAMReadOnlyAccess }
      tags:
        - iam_role_new_policy

Run the playbook:

$ ansible-playbook -i host.yml iam.yml -t iam_role_new_policy

PLAY [iam] *********************************************************************

TASK [create new role and attach managed policy] *******************************
changed: [localhost] => (item={'name': 'IAM_Policy', 'file': {'Version': '2012-10-17', 'Statement': [{'Effect': 'Allow', 'Action': 'sts:AssumeRole', 'Principal': {'AWS': 'arn:aws:iam::0123456789:user/name5'}}]}, 'policy': 'arn:aws:iam::aws:policy/IAMReadOnlyAccess'})

The task will allow only user name5 can assume the role and get permission to IAMReadOnlyAccess policy. Let's check!

Get role's ARN:

$ aws iam list-roles --query "Roles[?RoleName == 'IAM_Policy'].[RoleName, Arn]"
[
    [
        "IAM_Policy",
        "arn:aws:iam::0123456789:role/IAM_Policy"
    ]
]

Assume the role:

$ aws sts assume-role --role-arn "arn:aws:iam::0123456789:role/IAM_Policy" --role-session-name IAM_Policy-Session --profile name5
{
    "Credentials": {
        "AccessKeyId": "ASIAZ44MXOFLDW7ZQUNF",
        "SecretAccessKey": "4NVB0QMGN7HctKAr4HAE2WTPm1NBimC7NT84nsoh",
        "SessionToken": "FwoGZXIvYXdzEFUaDN/9s00S+FEqW1CkTyK2ATx97BWnjATT3/b74RcWwWIJW4BeIM6hUPn5J5R0N1bzDtkV4d50wXA2M1Vd0v6Ao2U5UX2ntJreYjhcKg/TvuIPmQKJ+0plbLt38Sp0mmj6HJbnK46h0+Zt9sJgLVVwmBf0y55dAoHe8xtlT3n3du5ll2nUFFQl9sO0TtVn3PbKYdyEoqzbTs/HBtIpef52b4XTyAhe6u7CPMP5nQwwdDAJdiLD3W64sqqwO/AgkMI6RWQXbm3uKN78iZIGMi21vsUxiS7K9B9CuZW/ZIFoOIkFDyEQxMx9MtEwTVFm1JFJ+KkIx1gPZEFhalY=",
        "Expiration": "2022-03-29T04:34:54Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAZ44MXOFLGEBMCVQLQ:IAM_Policy-Session",
        "Arn": "arn:aws:sts::0123456789:assumed-role/IAM_Policy/IAM_Policy-Session"
    }
}

$ export AWS_PROFILE=name5
$ export AWS_ACCESS_KEY_ID=ASIAZ44MXOFLDW7ZQUNF
$ export AWS_SECRET_ACCESS_KEY=4NVB0QMGN7HctKAr4HAE2WTPm1NBimC7NT84nsoh
$ export AWS_SESSION_TOKEN=FwoGZXIvYXdzEFUaDN/9s00S+FEqW1CkTyK2ATx97BWnjATT3/b74RcWwWIJW4BeIM6hUPn5J5R0N1bzDtkV4d50wXA2M1Vd0v6Ao2U5UX2ntJreYjhcKg/TvuIPmQKJ+0plbLt38Sp0mmj6HJbnK46h0+Zt9sJgLVVwmBf0y55dAoHe8xtlT3n3du5ll2nUFFQl9sO0TtVn3PbKYdyEoqzbTs/HBtIpef52b4XTyAhe6u7CPMP5nQwwdDAJdiLD3W64sqqwO/AgkMI6RWQXbm3uKN78iZIGMi21vsUxiS7K9B9CuZW/ZIFoOIkFDyEQxMx9MtEwTVFm1JFJ+KkIx1gPZEFhalY=

$ aws sts get-caller-identity
{
    "UserId": "AROAZ44MXOFLGEBMCVQLQ:IAM_Policy-Session",
    "Account": "0123456789",
    "Arn": "arn:aws:sts::0123456789:assumed-role/IAM_Policy/IAM_Policy-Session"
}

Now, let's do something with that policy given to the role:

$ aws iam get-user --user-name name1 | grep UserName
        "UserName": "name1",

$ aws iam create-user --user-name test

An error occurred (AccessDenied) when calling the CreateUser operation: User: arn:aws:sts::0123456789:assumed-role/IAM_Policy/IAM_Policy-Session is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::0123456789:user/test

As we can see, we can do get-user but not for create-user. So, the role's policy works.

Let's back to normal IAM User by doing unset!

$ unset AWS_PROFILE AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

That's it for the IAM Role. Let's continue to Part 5!

Reference:

https://docs.ansible.com/ansible/latest/collections/community/aws/iam_role_module.html