aws
  • flat-insurance-25294, 01/03/2020, 10:47 AM
    Can you later add new policies to said group without rewriting the old ones?
  • orange-australia-91292, 01/03/2020, 11:26 AM
    without answering any of your questions, if you’re going to deal with a lot of policies be mindful of IAM limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html). Some of them are very low. Like, “Managed policies attached to an IAM group: 10”.
  • flat-insurance-25294, 01/03/2020, 11:30 AM
    Managed policies are the policies that AWS creates, right? What about custom policies?
  • flat-insurance-25294, 01/03/2020, 11:33 AM
    Are managed policies different from non-managed? I can’t find any info on non-managed policies.
  • flat-insurance-25294, 01/03/2020, 11:40 AM
    Would have been nice to be able to export entire AWS resources in export to use StackReference and get an entire object in a different stack. Like ACM or ECR.
  • orange-australia-91292, 01/03/2020, 11:49 AM
    there are two types of policies, managed and inline
  • orange-australia-91292, 01/03/2020, 11:50 AM
    managed are the ones you find in the AWS console under “Policies”. it doesn’t matter who manages the policy, you or AWS. that’s managed
  • orange-australia-91292, 01/03/2020, 11:50 AM
    inline are policies that you attach directly to the user
  • orange-australia-91292, 01/03/2020, 11:52 AM
    inline policies are the “old” type of policy and kind of hidden. there’s a button that you need to click in the UI to get to them. but they can be quite useful due to those limits.
  • orange-australia-91292, 01/03/2020, 11:53 AM
    if you check the limits, it says 10 managed per wtv, but inline is limited to the total number of characters instead of the number of policies
  • orange-australia-91292, 01/03/2020, 11:54 AM
    also, managed policies per role/user can be increased if you ask. per group can’t
  • flat-insurance-25294, 01/03/2020, 11:54 AM
    So I suppose inlined policies on groups are basically unlimited (well, limited by characters)
  • orange-australia-91292, 01/03/2020, 11:54 AM
    check the last two entries on that page
  • orange-australia-91292, 01/03/2020, 11:55 AM
    I’m not sure if it counts spaces or not
  • flat-insurance-25294, 01/03/2020, 11:55 AM
    Will have to figure this out later. At this stage, it essentially means max 10 clusters. That’s alright for now.
  • flat-insurance-25294, 01/03/2020, 11:55 AM
    Because a Policy can contain multiple statements, right? 1 policy doesn’t mean 1 AWS resource. 1 policy could mean a collection of ACLs on a collection of resources?
  • flat-insurance-25294, 01/03/2020, 11:55 AM
    1 policy could be Read S3, Write EKS, Read RDS, etc.
  • orange-australia-91292, 01/03/2020, 11:56 AM
    yeap
  • flat-insurance-25294, 01/03/2020, 11:56 AM
    Fair enough, that should be sufficient for now.
  • flat-insurance-25294, 01/03/2020, 11:56 AM
    Thanks a bunch for clearing that up
  • orange-australia-91292, 01/03/2020, 11:56 AM
    for managed, you get a limit of 10, but each one can have > 6k characters. that’s a lot. but you have to be mindful of how you combine these things
  • orange-australia-91292, 01/03/2020, 11:57 AM
    if you hit these limits at a later stage in development, it can be annoying. speaking from experience
  • orange-australia-91292, 01/03/2020, 11:57 AM
    glad to help
  • flat-insurance-25294, 01/03/2020, 11:58 AM
    We want to spin up resources per branch. So a new pull request would spin up RDS, VPC, EKS, S3, Cloudfront. Create a policy and add them to a group. A developer in said group could then use their rights to check the RDS or create a kubeconfig for the EKS cluster, etc. Will also be creating “users” which are basically our Applications. For creating signed cookies on Cloudfront or uploading files to S3.
  • flat-insurance-25294, 01/03/2020, 11:58 AM
    I don’t want to use InstanceRoles or Roles for those things, rather work with access_keys and etc.
  • flat-insurance-25294, 01/03/2020, 11:59 AM
    Want to make it as easy as possible for developers to spin up a dev environment. Using a few shared resources (like Route53 and ACM) but mostly isolated.
  • white-translator-96007, 01/03/2020, 11:59 AM
    it is not recommended to use access keys for that kind of purpose
  • white-translator-96007, 01/03/2020, 12:00 PM
    if you are accessing from inside AWS
  • flat-insurance-25294, 01/03/2020, 12:01 PM
    What is recommended then?
  • orange-australia-91292, 01/03/2020, 12:01 PM
    roles are preferred. also, a user can be part of max. 10 groups