はじめに
IAM ロールの信頼ポリシー（AssumeRole ポリシー）を Terraform で書くとき、毎回思い出すのに時間がかかるのでスニペットとしてメモを置いておく。`hoghog` や `127.0.0.1/32` はプレースホルダなので、実際の値に置き換えて使う。
IAM
特定の IAM ユーザにだけ AssumeRole を許す（ロールの信頼ポリシーに設定する）
# Resolves the existing IAM user that will be allowed to assume the role.
# Because this is a data source, `terraform plan` fails if the user does not exist,
# which catches a typo in the name before a dangling trust is written.
data "aws_iam_user" "username" {
  user_name = "hoghog" # placeholder; replace with the real user name
}
# Trust policy (assume-role policy) that lets exactly one IAM user call sts:AssumeRole.
# Attach the rendered JSON to the role's assume_role_policy.
# NOTE(review): AWS is understood to rewrite a deleted principal's ARN to its unique
# ID inside stored policies, so recreating the user with the same name would not
# restore the trust — re-apply this document after such a change (confirm in the
# IAM docs before relying on it).
data "aws_iam_policy_document" "AssumeRole" {
  version = "2012-10-17"

  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"

    # The only trusted principal is the user's ARN resolved from the data source above.
    principals {
      identifiers = [data.aws_iam_user.username.arn]
      type        = "AWS"
    }
  }
}
特定の IP アドレスからの呼び出しにだけ AssumeRole を許す条件を追加する。`127.0.0.1/32` はプレースホルダなので実際の送信元 CIDR に置き換えること。なお `aws:SourceIp` は AWS から見えるパブリック IP であり、VPC エンドポイント経由の呼び出しではこのキーが付かない（その場合は `aws:VpcSourceIp` を使う）点に注意。
# Looks up the IAM user to trust (same lookup as in the previous snippet; only one
# copy of this data block may exist per Terraform module).
data "aws_iam_user" "username" {
  user_name = "hoghog" # placeholder; replace with the real user name
}
# Trust policy that lets one IAM user call sts:AssumeRole, but only from a fixed
# source IP range. Attach the rendered JSON to the role's assume_role_policy.
data "aws_iam_policy_document" "AssumeRole" {
  version = "2012-10-17"

  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"

    principals {
      identifiers = [data.aws_iam_user.username.arn]
      type        = "AWS"
    }

    # Restrict the Allow to calls whose source IP falls inside this CIDR.
    # 127.0.0.1/32 is a placeholder that will never match a real caller; replace it
    # with the real source CIDR(s).
    # NOTE(review): aws:SourceIp is the public IP AWS sees. Calls arriving through a
    # VPC endpoint are understood to carry aws:VpcSourceIp instead, so this key is
    # absent for them; with an Allow statement an absent key makes IpAddress evaluate
    # to false, so such calls are denied — fail-safe, but confirm before depending on
    # this for in-VPC callers.
    condition {
      test     = "IpAddress"
      variable = "aws:SourceIp"
      values   = ["127.0.0.1/32"]
    }
  }
}
Config
# Trust policy letting the AWS Config service principal assume the role
# (the role AWS Config records resources with).
# NOTE(review): as written, the service principal is trusted regardless of which
# account triggers it. AWS's cross-service (confused-deputy) guidance recommends an
# aws:SourceAccount condition on service trust policies like this one; consider
# adding it with this account's ID.
data "aws_iam_policy_document" "assume_role_policy_config" {
  statement {
    effect  = "Allow" # explicit; Allow is the default for this data source
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
  }
}
EC2
# Trust policy for an EC2 instance role: the EC2 service principal assumes the role
# on behalf of instances that have the matching instance profile attached.
# NOTE(review): which instances end up with these credentials is governed by
# instance-profile attachment and iam:PassRole permissions, not by this document —
# keep those scoped accordingly.
data "aws_iam_policy_document" "assume_role_policy_ec2" {
  statement {
    effect  = "Allow" # explicit; Allow is the default for this data source
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}
Lambda
# Trust policy for a Lambda execution role: the Lambda service principal assumes
# the role when invoking a function that has it configured.
# NOTE(review): this trusts lambda.amazonaws.com from any account. AWS's
# confused-deputy guidance recommends aws:SourceAccount (and aws:SourceArn with the
# function ARN where practical) conditions here; consider adding them.
data "aws_iam_policy_document" "assume_role_policy_lambda" {
  statement {
    effect  = "Allow" # explicit; Allow is the default for this data source
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}
VPC Flow Logs
# Trust policy for the role VPC Flow Logs uses to deliver logs (e.g. to CloudWatch Logs).
# NOTE(review): the VPC Flow Logs service principal is trusted from any account here.
# The AWS Flow Logs docs recommend aws:SourceAccount and aws:SourceArn (the flow log
# ARN) conditions to limit confused-deputy exposure; consider adding them.
data "aws_iam_policy_document" "assume_role_policy_vpcflow" {
  statement {
    effect  = "Allow" # explicit; Allow is the default for this data source
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }
  }
}