1. Granting IAM role permissions to AWS services

    TypeScript

    Granting IAM role permissions to AWS services involves a few steps with Pulumi. Below, we'll write a Pulumi program in TypeScript to demonstrate how to create an IAM role and attach a managed policy to it. This will allow you to grant specific permissions to AWS services.

    To create an IAM role and attach policies, we typically use the following resources:

    • aws.iam.Role: Defines the IAM role which AWS entities can assume.
    • aws.iam.RolePolicyAttachment: Attaches a managed policy to an IAM role to define permissions.

    Here's a detailed breakdown of the following Pulumi program:

    1. Import AWS package: We start by importing the necessary Pulumi AWS package, which contains the classes and functions for interacting with AWS resources.
    2. Create IAM Role: We define an IAM role using new aws.iam.Role. This role will have a trust relationship policy that allows AWS services to assume this role. The trust policy is specified in the assumeRolePolicy argument.
    3. Attach IAM Policy to Role: We use new aws.iam.RolePolicyAttachment to attach an existing AWS managed policy to the role. In this example, we'll attach the Amazon EC2 ReadOnlyAccess policy, which grants read-only access to EC2 resources.

    Let's go through the process with a Pulumi program:

    ```typescript
    import * as aws from "@pulumi/aws";

    // Create an IAM role for an AWS service, for example, EC2 instances.
    const role = new aws.iam.Role("myRole", {
        // The trust relationship policy document that grants an entity permission to assume the role.
        assumeRolePolicy: JSON.stringify({
            Version: "2012-10-17",
            Statement: [{
                Action: "sts:AssumeRole",
                Effect: "Allow",
                Principal: {
                    Service: "ec2.amazonaws.com", // This allows EC2 instances to assume this role
                },
            }],
        }),
    });

    // Attach a managed policy to the role.
    // 'AmazonEC2ReadOnlyAccess' provides read-only access to EC2 resources, which is a common use case.
    const rolePolicyAttachment = new aws.iam.RolePolicyAttachment("myRolePolicyAttachment", {
        role: role.name, // reference to the created role
        policyArn: "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess", // the ARN of the policy to attach
    });

    // Export the role name and ARN
    export const roleName = role.name;
    export const roleArn = role.arn;
    ```

    In this program, you define an IAM role with a trust policy that allows EC2 instances to assume it ("Service": "ec2.amazonaws.com"). Then, you attach a read-only policy to the role, which is suitable for tasks that require read access to EC2 resources.

    To run this Pulumi code, save it in a TypeScript file (e.g., index.ts) within a Pulumi project, and run pulumi up in the terminal while in the project's directory. This will prompt Pulumi to create the specified resources within your configured AWS account.

    This is a basic example that creates one role and attaches a single policy to it. In a real-world scenario, you might want to attach multiple policies or define inline policies for finer-grained permissions. You can also customize the trust policy to grant permission to different AWS services or accounts to assume the role.
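    The following is an added example, not part of the original program above: it shows the two customizations just mentioned, an inline least-privilege policy instead of the broad managed policy, and a trust policy that pins the assuming service to one account, plus a small check that flags wildcard grants before they reach Pulumi. It is plain TypeScript with no @pulumi/aws import so it runs offline; the JSON strings it produces are what you would pass to aws.iam.Role's assumeRolePolicy and to an aws.iam.RolePolicy's policy argument. The account ID, statement IDs and function names are constructed for illustration, and whether a given service populates aws:SourceAccount on sts:AssumeRole is an assumption to confirm against that service's documentation.

    ```typescript
    // Added example: build scoped IAM policy documents and lint them for wildcards.
    // Not code from the original page; helper names and sample values are constructed.

    type Statement = {
      Sid?: string;
      Effect: "Allow" | "Deny";
      Action: string | string[];
      Resource?: string | string[];
      Principal?: { Service?: string | string[]; AWS?: string | string[] };
      Condition?: Record<string, Record<string, string | string[]>>;
    };

    type PolicyDocument = { Version: "2012-10-17"; Statement: Statement[] };

    // Trust policy for one AWS service principal. When sourceAccount is given, the
    // statement also requires aws:SourceAccount to match, so a service acting on
    // behalf of another account cannot assume the role (confused-deputy mitigation).
    // Assumption: the service sets this key; support is per service, check its docs.
    function buildTrustPolicy(service: string, sourceAccount?: string): PolicyDocument {
      const statement: Statement = {
        Effect: "Allow",
        Action: "sts:AssumeRole",
        Principal: { Service: service },
      };
      if (sourceAccount) {
        statement.Condition = { StringEquals: { "aws:SourceAccount": sourceAccount } };
      }
      return { Version: "2012-10-17", Statement: [statement] };
    }

    // Inline permissions policy naming only the EC2 describe calls a workload needs,
    // in place of the much wider AmazonEC2ReadOnlyAccess managed policy.
    function buildScopedEc2ReadPolicy(): PolicyDocument {
      return {
        Version: "2012-10-17",
        Statement: [{
          Sid: "DescribeInstances",
          Effect: "Allow",
          Action: ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeTags"],
          // Most ec2:Describe* actions do not support resource-level permissions, so "*" is required here.
          Resource: "*",
        }],
      };
    }

    // Serialize a document to the JSON string the Pulumi resources expect.
    function toPolicyJson(doc: PolicyDocument): string {
      return JSON.stringify(doc);
    }

    // Return the Sid (or positional label) of every Allow statement whose Action list
    // contains a full wildcard ("*") or a service-wide wildcard such as "ec2:*".
    function findBroadStatements(doc: PolicyDocument): string[] {
      const flagged: string[] = [];
      doc.Statement.forEach((s, i) => {
        if (s.Effect !== "Allow") return;
        const actions = Array.isArray(s.Action) ? s.Action : [s.Action];
        if (actions.some(a => a === "*" || a.endsWith(":*"))) {
          flagged.push(s.Sid || `statement[${i}]`);
        }
      });
      return flagged;
    }

    // Constructed "bad" policy used to show what the check catches.
    const broadPolicyExample: PolicyDocument = {
      Version: "2012-10-17",
      Statement: [{ Sid: "AllEc2", Effect: "Allow", Action: "ec2:*", Resource: "*" }],
    };

    // Sample usage with a constructed account ID.
    const trust = buildTrustPolicy("ec2.amazonaws.com", "111122223333");
    const perms = buildScopedEc2ReadPolicy();
    console.log(toPolicyJson(trust));
    console.log("scoped policy flagged statements:", findBroadStatements(perms));   // []
    console.log("broad policy flagged statements:", findBroadStatements(broadPolicyExample)); // ["AllEc2"]
    ```

    In a Pulumi program the two strings would be wired in as new aws.iam.Role("myRole", { assumeRolePolicy: toPolicyJson(trust) }) and new aws.iam.RolePolicy("myRolePolicy", { role: role.id, policy: toPolicyJson(perms) }); running findBroadStatements over every document before creating the resources gives an early, deterministic signal that a grant is wider than intended.
    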

    Remember to ensure that your AWS credentials are configured for Pulumi using environment variables or the AWS configuration file, and that you have the necessary permissions to create and manage IAM roles and policies.