undefined | Better HN

zbruhnke6y ago· 2 in thread

Not OP but pretty sure they just mean this

`aws s3api create-bucket --bucket somecoolname --region us-west-2 --grant-write iamuser`

aeternum6y ago

And now a single user has access, such scalability!

zbruhnke6y ago

Well technically this could also be a group.

I don’t know why all the hate for IAM permissions here.

They are complicated but also extremely powerful if setup correctly.

We manage all of our IAM policies and groups with terraform and it’s incredibly easy to understand imho

1 more reply

013a6y ago· 1 in thread

Well, you'll have a two-hundred line IAM policy and a half-dozen API calls encoded into a script, but once you have that script its just one step! All you do is run the script!

giancarlostoro6y ago

And if something in the script goes wrong midway through, you've automated a big mess! I love it!

Really should, I've always thought AWS was just a bunch of hacked together services and it kinda shows. This is why you don't let the engineers talk to the customers... er design for the customers.

kmcquade6y ago

With this.

https://github.com/salesforce/policy_sentry

(Disclaimer: I am the author)

Not one step exactly, but it is by far the easiest way to write least privilege IAM policies. Otherwise, it becomes impossible to ensure IAM policies are written securely and at scale. This way, all custom IAM policies are written with the exact same methodology.

0 comments

0 comments