In the previous part we covered IAM Users. Now let's move on to IAM User Groups. An IAM User Group is a collection of IAM users; it cannot contain other groups, because groups can't be nested. A group lets us manage the same permissions for multiple users at group level, and attaching policies to groups rather than to individual users is the recommended practice for managing authorization for IAM Users.
For IAM User Groups, we use the community.aws.iam_group module.
1. Create a group with existing users as members.
Task:
- name: create group and add existing users as members
  community.aws.iam_group:
    name: "{{ item.name }}"
    state: present
    users: "{{ item.members }}"
  loop:
    - { name: "{{ group1 }}", members: ["{{ user1 }}", "{{ user2 }}"] }
  tags:
    - iam_group_new_members
Note*: you can omit the users argument from the task above if you only want to create the group without adding any members.
Run the playbook:
$ ansible-playbook -i host.yml iam.yml -t iam_group_new_members
PLAY [iam] *************************************************************************
TASK [create group and add existing users as members] ******************************
changed: [localhost] => (item={'name': 'developer', 'members': ['nurul', 'rama']})
Let's check that the group was created with the users in it!
$ aws iam get-group --group-name developer | grep UserName
"UserName": "nurul",
"UserName": "rama",
2. Create a group and attach a managed policy.
As mentioned above, managing permissions at group level is the recommended way to assign policies to IAM Users, and we can do that with Ansible as well.
Task:
- name: create group + attach managed policy
  community.aws.iam_group:
    name: "{{ item.name }}"
    managed_policies: "{{ item.policy }}"
    state: present
  loop:
    - { name: "{{ group2 }}", policy: "arn:aws:iam::aws:policy/IAMReadOnlyAccess" }
  tags:
    - iam_group_new_policy
Run the playbook:
$ ansible-playbook -i host.yml iam.yml -t iam_group_new_policy
PLAY [iam] *************************************************************************
TASK [create group + attach managed policy] ****************************************
changed: [localhost] => (item={'name': 'programmer', 'policy': 'arn:aws:iam::aws:policy/IAMReadOnlyAccess'})
3. Create a group with existing users as members and attach a managed policy.
The first task creates a group and adds users; the second does something different, attaching a managed policy instead of adding users. So far the tasks have run separately, but what if we need both at once? We can do that too.
Task:
- name: create group with users as members + attach managed policy
  community.aws.iam_group:
    name: "{{ item.name }}"
    managed_policies: "{{ item.policy }}"
    users: "{{ item.members }}"
    state: present
  loop:
    - { name: "{{ group3 }}", policy: "arn:aws:iam::aws:policy/IAMReadOnlyAccess", members: ["{{ user1 }}", "{{ user2 }}"] }
  tags:
    - iam_group_new_policy_members
Run the playbook:
$ ansible-playbook -i host.yml iam.yml -t iam_group_new_policy_members
PLAY [iam] *************************************************************************
TASK [create group with users as members + attach managed policy] ******************
changed: [localhost] => (item={'name': 'engineer', 'policy': 'arn:aws:iam::aws:policy/IAMReadOnlyAccess', 'members': ['nurul', 'rama']})
$ aws iam get-group --group-name engineer | grep UserName
"UserName": "nurul",
"UserName": "rama",
Please note that the tasks above are not only for creating groups. The same tasks manage existing groups, because the module converges the group on the state you declare. For example, to add existing users to an existing group, reuse the first task and just change the values. Two caveats matter here: by default the module only adds what you list and leaves any other members and attached policies in place, so set purge_users: true and purge_policies: true when the playbook should be the single source of truth for the group; and state: absent removes the group.
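Because iam_group leaves members and policies it was not told about in place unless you purge them, a grep over aws iam get-group (as in the checks above) only confirms that the expected users are present, not that nothing else is. The script below is an added example written for this post, not code from the article or from the community.aws collection: it compares a group's live state, as returned by `aws iam get-group` and `aws iam list-attached-group-policies`, against the desired state of the task 3 loop item and reports drift in both directions. The two JSON documents embedded in it are constructed samples (account ID, user IDs and the extra "legacy-admin" user and AdministratorAccess policy are invented to show what drift looks like); when run with two file paths it reads real CLI output from those files instead.

```python
"""Compare an IAM group's live membership and attached managed policies
against the desired state declared in the playbook's loop item.

Added example for this post; not part of the original article or of the
community.aws collection. Input shapes follow the JSON returned by
`aws iam get-group` and `aws iam list-attached-group-policies`.
"""
import json
import sys

# Desired state, mirroring the task 3 loop item (group3 = "engineer").
# "policies" is the list that managed_policies would receive.
DESIRED = {
    "name": "engineer",
    "members": ["nurul", "rama"],
    "policies": ["arn:aws:iam::aws:policy/IAMReadOnlyAccess"],
}

# Constructed sample of `aws iam get-group --group-name engineer`.
# "rama" is missing and "legacy-admin" was added out of band.
SAMPLE_GET_GROUP = json.loads("""
{
  "Group": {"Path": "/", "GroupName": "engineer", "GroupId": "AGPAEXAMPLEID",
            "Arn": "arn:aws:iam::123456789012:group/engineer"},
  "Users": [
    {"UserName": "nurul", "Path": "/", "UserId": "AIDAEXAMPLE1",
     "Arn": "arn:aws:iam::123456789012:user/nurul"},
    {"UserName": "legacy-admin", "Path": "/", "UserId": "AIDAEXAMPLE2",
     "Arn": "arn:aws:iam::123456789012:user/legacy-admin"}
  ]
}
""")

# Constructed sample of `aws iam list-attached-group-policies --group-name engineer`.
# AdministratorAccess is attached even though the playbook never declared it.
SAMPLE_ATTACHED = json.loads("""
{
  "AttachedPolicies": [
    {"PolicyName": "IAMReadOnlyAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/IAMReadOnlyAccess"},
    {"PolicyName": "AdministratorAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}
  ]
}
""")


def group_drift(desired, get_group, attached):
    """Return the difference between desired and live state.

    Keys: missing_users, extra_users, missing_policies, extra_policies.
    Empty lists everywhere mean the group matches the playbook.
    """
    live_name = get_group.get("Group", {}).get("GroupName")
    if live_name != desired["name"]:
        raise ValueError(f"expected group {desired['name']!r}, got {live_name!r}")
    live_users = {u["UserName"] for u in get_group.get("Users", [])}
    live_policies = {p["PolicyArn"] for p in attached.get("AttachedPolicies", [])}
    want_users = set(desired.get("members", []))
    want_policies = set(desired.get("policies", []))
    return {
        "missing_users": sorted(want_users - live_users),
        "extra_users": sorted(live_users - want_users),
        "missing_policies": sorted(want_policies - live_policies),
        "extra_policies": sorted(live_policies - want_policies),
    }


def is_clean(drift):
    """True when no list in the drift report has entries."""
    return not any(drift.values())


def main(argv):
    # Usage: python3 check_iam_group.py group.json attached.json
    # With no arguments the constructed samples above are used.
    if len(argv) == 3:
        with open(argv[1]) as f:
            get_group = json.load(f)
        with open(argv[2]) as f:
            attached = json.load(f)
    else:
        get_group, attached = SAMPLE_GET_GROUP, SAMPLE_ATTACHED
    drift = group_drift(DESIRED, get_group, attached)
    print(json.dumps(drift, indent=2))
    return 0 if is_clean(drift) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The non-zero exit status makes it usable as a post-playbook gate in CI. Both CLI calls paginate (IsTruncated/Marker) for large groups, so capture the complete result, for example with `--no-paginate` removed and the CLI's default pagination, before feeding the files in; inline policies attached with `put-group-policy` are not covered by list-attached-group-policies and would need `list-group-policies` as a separate check.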
That's it for Part 3. In Part 4 we will continue with IAM Roles.
Reference:
https://docs.ansible.com/ansible/latest/collections/community/aws/iam_group_module.html