AWS fundamentals: What is IAM?
In this blog post series we'll take a closer look at Amazon Web Services (AWS) and its Serverless-related services in detail.
Today we look at IAM (Identity and Access Management). What is it? How does it work? And how does the Serverless framework use it?
This chapter is a free sample taken from our “Learn Serverless” book.
What is IAM?
The first thing we'll look at is IAM. IAM stands for "Identity and Access Management" and is the service you use to control who, and what, can access your AWS services and resources.
IAM offers several building blocks for controlling that access:
Users
Create an IAM user for each person who needs access to your AWS account, instead of sharing your own (or the account's root) login credentials.
Groups
Groups make it easy to manage access for multiple users. You could e.g. create a "servers" group with permissions to spin up EC2 instances and add several users to it. Every user in the group can then create EC2 instances, and a change to the group's permissions affects all users who belong to it.
Policies
Policies define permissions for users, groups and roles. They are the building blocks that state which actions may be performed on which resources.
Let’s take a look at a simple policy:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}
Policies are written in JSON. Version is the version of the policy language (2012-10-17 is the current one and is what you should always use). Statement holds one statement, as here, or a list of them.
Action says which API actions the statement covers (here s3:ListBucket, listing the objects in a bucket). Resource says which resource the action applies to (here the S3 bucket named example_bucket). Effect is either "Allow" or "Deny".
You can read the policy above as: "Allow listing the contents of the S3 bucket named example_bucket". If you attach this policy to a user, that user may perform this action; if you attach it to a group, every user in that group may. Anything a policy does not explicitly allow is denied by default, and an explicit "Deny" always wins over an "Allow", which is how you carve exceptions out of a broad grant.
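To make the Allow/Deny semantics concrete, here is an added example (not code from the book or from AWS) that evaluates requests against a small policy the way IAM does at its core: default deny, any matching explicit Deny wins, otherwise Allow if some statement allows. The policy, bucket name and requests are constructed for the example; conditions, NotAction and principals are left out.

```python
import fnmatch

# Constructed sample policy for this example: a broad Allow on one bucket plus
# an explicit Deny that carves the "secret/" prefix back out.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": [
                "arn:aws:s3:::example_bucket",
                "arn:aws:s3:::example_bucket/*",
            ],
        },
        {
            "Effect": "Deny",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example_bucket/secret/*",
        },
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names are matched case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # ARNs are matched case-sensitively; '*' spans '/' as well.
    return fnmatch.fnmatchcase(resource, pattern)


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one (action, resource) request.

    Simplified IAM evaluation: start from deny, return Deny as soon as an
    explicit Deny statement matches, otherwise Allow only if some Allow
    statement matched.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            hit_action = any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
            hit_resource = any(_resource_matches(p, resource) for p in _as_list(stmt["Resource"]))
            if not (hit_action and hit_resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny always wins
            if stmt["Effect"] == "Allow":
                allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    requests = [
        ("s3:ListBucket", "arn:aws:s3:::example_bucket"),
        ("s3:GetObject", "arn:aws:s3:::example_bucket/public/readme.txt"),
        ("s3:GetObject", "arn:aws:s3:::example_bucket/secret/key.pem"),
        ("s3:PutObject", "arn:aws:s3:::example_bucket/public/readme.txt"),
        ("s3:ListBucket", "arn:aws:s3:::other_bucket"),
    ]
    for action, resource in requests:
        print(f"{action:16} {resource:50} -> {evaluate([SAMPLE_POLICY], action, resource)}")
```

Run it and you see the three cases the text describes: the plain Allow, the default Deny for an action (s3:PutObject) or bucket the policy never mentions, and the explicit Deny overriding the Allow for the secret/ prefix.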
Roles
Roles are similar to users in that they are AWS identities with permissions attached, but a role has no long-term credentials of its own: it is assumed, and whoever assumes it receives temporary credentials for as long as the session lasts. Roles are often used to grant a user access to resources they normally don't have, for a limited time.
Another scenario is granting an application (a Lambda function or an EC2 instance, say) access to your AWS resources without embedding AWS access keys in the application.
Identity providers
Identity providers let users gain access to your AWS resources by signing in through an external identity provider (IdP). You have probably used an external identity provider before if you have signed in to a website with your GitHub or Facebook account.
How Serverless uses IAM
The Serverless Framework needs a user with admin access to create, on your behalf, the resources your Serverless application uses. Bear in mind that those are the credentials of the machine you deploy from, so keep them out of source control and consider scoping them down once you know which services your deployments actually touch.
Furthermore, roles and policies are used to e.g. run your Lambda functions with the correct permissions: each function executes under a role, and the policy attached to that role decides what the function may do.
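The two documents behind a Lambda execution role, as an added example (not the Serverless Framework's own code, nor from the book): the trust policy that says who may assume the role (here the Lambda service), a scoped permissions policy that says what the function may then do, and a small check that flags the wildcard statements an "admin" policy contains. The bucket name and log group ARN are made up for the example.

```python
import json


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def lambda_trust_policy():
    """Trust policy: which principal may call sts:AssumeRole on this role.

    For a Lambda execution role that principal is the Lambda service itself;
    no user or application ever holds this role's credentials directly.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "lambda.amazonaws.com"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def execution_policy(bucket, log_group_arn):
    """Permissions policy for the role: only what the function needs.

    `bucket` and `log_group_arn` are example parameters; a real deployment
    would substitute the function's own bucket and CloudWatch log group.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                "Resource": f"{log_group_arn}:*",
            },
            {
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }


def overly_broad_statements(policy):
    """Return (statement index, reason) for every Allow statement that grants
    all actions of a service ("*" or "s3:*") or applies to every resource.

    This is the shape of the "just give it admin" policy the deploy user has,
    and the shape you do not want on a function's execution role.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((i, "wildcard action"))
        if "*" in resources:
            findings.append((i, "wildcard resource"))
    return findings


# Constructed for the example: what an unscoped admin policy looks like.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


if __name__ == "__main__":
    scoped = execution_policy(
        "example_bucket",
        "arn:aws:logs:eu-central-1:123456789012:log-group:/aws/lambda/hello",
    )
    print(json.dumps(lambda_trust_policy(), indent=2))
    print(json.dumps(scoped, indent=2))
    print("scoped policy findings:", overly_broad_statements(scoped))
    print("admin policy findings:", overly_broad_statements(ADMIN_POLICY))
```

The check is deliberately simple (it does not look at Condition blocks or NotAction), but it catches the two mistakes that most often turn a function's role into an account-wide foothold: a service-wide action wildcard and a resource of "*".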