AWS Roles

IAM roles are identities whose permissions are defined by policies. Assuming a role returns temporary credentials that give a user time-limited access to AWS services and actions which that user is not otherwise permitted to use. These users may belong to different projects or even to different accounts. A role can also be embedded in an instance (via an instance profile), allowing the instance itself to perform the necessary actions.

Important

The AWS IAM roles are independent of the three Zadara Cloud Services roles (Admin, Tenant Admin and Member), which together with Zadara Cloud Services policies grant access to Zadara Cloud Services' own services and actions.

The AWS IAM role consists of the following:

  1. A permissions policy document which grants access to certain Zadara Cloud Services-supported AWS services or actions.

  2. A trust policy document that defines which users, identified per project, may assume this role.

    1. Each entry is either an ‘allow’, which permits the specified users to assume the role, or a ‘deny’, which prevents them from assuming it.

    2. Permission may be granted to multiple users of the same project, to users of different projects within the same account, or even to users of different accounts.

  3. The maximum session duration that can be requested when assuming this role.

For information about working with AWS IAM roles, see the following:

Creating an AWS IAM Role

  1. In the Identity & Access > AWS Roles view, click on Create. The Create Role > Details step window is displayed.

    1. Name - Enter the name of the role.

    2. Description - Enter its description (Optional).

    3. Project - Select the project which owns the role.

    4. Max. Session Duration - Enter the maximum amount of time (in seconds) that a user can assume this role. Default: 3600 seconds (1 hour). Maximum: 12 hours (43,200 seconds).

    5. Policies - Select one or more managed policies which define the permissions of this role.

    6. Click Next.

  2. This displays the Allow Assuming step, the part of the Trust Policy in which the user(s) who can assume this role are defined.

    1. User/Any - Determine whether you want to select a specific User of a specific project or Any user of a specific project.

    2. Project - Select the project by which to identify the user(s).

    3. Name - If you selected User above, select the specific user assigned to the Project. (If you selected Any above, this field will not appear.)

    4. Add button (above the users) - Click Add to define additional users.

    5. Click Next.

  3. This displays the Deny Assuming step, the part of the Trust Policy in which the user(s) who are prevented from assuming this role are defined. These users are defined in the same way as in the previous step. Note: If the same user in the context of the same project is both allowed to assume a role and denied the right to assume it, whether within the same role or across different roles, then the ‘Deny’ prevails.

  4. Click Finish. The new role will appear in the Identity & Access > AWS Roles view, with its Max. Session Duration displayed in the corresponding column. Click on the name of the newly created role. This will display the following three tabs:

    1. Events

    2. Attached Policies - which lists all of the AWS API policies attached to this role.

    3. Trust Policy - which lists all of the entities allowed to assume this role, or denied permission to assume this role.
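The following is an added example, not Zadara's code, that models the trust-policy evaluation described in the Allow Assuming and Deny Assuming steps above. Each role's Trust Policy is represented as "allow" and "deny" entries, each naming a project and either one user of that project or Any user of it; evaluation follows the documented order, so a matching Deny wins over any matching Allow. It models evaluation within a single role only, and the role, user and project names are made up.

```python
"""Model of the trust-policy evaluation described above.

Added example, not Zadara's code. It represents each role's Trust Policy as
"allow" and "deny" entries, each naming a project and either one user of that
project or Any user of it, and evaluates them in the documented order: a
matching Deny wins over any matching Allow. It models evaluation within a
single role only; role, user and project names are made up.
"""
from dataclasses import dataclass, field
from typing import List

ANY = "Any"  # the "Any user of a specific project" choice in the GUI


@dataclass(frozen=True)
class TrustEntry:
    project: str
    user: str = ANY  # a specific user name, or ANY for every user of the project

    def matches(self, user: str, project: str) -> bool:
        return self.project == project and self.user in (ANY, user)


@dataclass
class Role:
    name: str
    allow: List[TrustEntry] = field(default_factory=list)  # "Allow Assuming" step
    deny: List[TrustEntry] = field(default_factory=list)   # "Deny Assuming" step


def can_assume(role: Role, user: str, project: str) -> bool:
    """Deny is checked first, so an explicit Deny (named or Any) always prevails."""
    if any(e.matches(user, project) for e in role.deny):
        return False
    return any(e.matches(user, project) for e in role.allow)


def assumable_roles(roles: List[Role], user: str, project: str) -> List[str]:
    """Names of the roles this user, logged in to this project, may assume."""
    return sorted(r.name for r in roles if can_assume(r, user, project))


# Constructed sample: two roles with overlapping Allow/Deny entries.
ROLES = [
    Role("Role-1",
         allow=[TrustEntry("Project-1"),               # Any user of Project-1
                TrustEntry("Project-2", "bob")],       # one user of Project-2
         deny=[TrustEntry("Project-1", "mallory")]),   # ... except mallory
    Role("Role-2",
         allow=[TrustEntry("Project-1", "alice")],     # alice is allowed, but
         deny=[TrustEntry("Project-1")]),              # Any user of Project-1 is denied
]

if __name__ == "__main__":
    for user, project in [("alice", "Project-1"), ("mallory", "Project-1"),
                          ("bob", "Project-2"), ("bob", "Project-1")]:
        print(f"{user}@{project}: {assumable_roles(ROLES, user, project)}")
```

The Role-2 case is the one worth noticing: naming alice in the Allow step does not override a project-wide Any in the Deny step, so when you want to exclude only some users of a project, the Allow should be the Any entry and the Deny the named users (Role-1), not the other way round.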

Assuming an AWS IAM Role via the CLI

When an AWS IAM role has been created and a policy has been attached to it, the role can be assumed via the Zadara Cloud Services CLI. This generates the credentials you need to access the AWS services and actions defined in the role. In order to assume a role you must know its ID.

  1. Find the AWS IAM roles that you can assume

    1. Run role iam-list:

      Zadara Cloud Services @ cloud_admin/default > role iam-list

      If you are a Member or Tenant Admin user, it returns a list of any roles created in the currently logged-in project, together with the IDs of all users who can assume these role(s).

    2. To check whether any of the listed entity_ids is yours, run the following command:

      Zadara Cloud Services @ cloud_admin/default > user get-my-details

      This will display your user_id along with your user_name.

    3. Roles created in projects other than the one you are logged in to are not visible to you, so the list above may be incomplete. To verify that you have the complete list of roles available to you, it is recommended that an Admin user do the following:

      • List all of the AWS IAM Roles

        Zadara Cloud Services  @ cloud_admin/default > role iam-list
        

        All AWS IAM roles in the account will be displayed with the IDs of all users to which these roles are available.

      • List all of the users

        Zadara Cloud Services  @ cloud_admin/default > user list
        

        This will display all of the users in the account with their names and IDs. It will now be possible to discover which roles are available for which users.

  2. Once you have the role ID, you can assume the AWS IAM role via the ‘role assume-role role_id session_name’ command, where role_id is taken from the output above and session_name is chosen by the user.

    Zadara Cloud Services @ cloud_admin/default > role assume-role 565197da-2f13-48dc-b232-bdffc756b7f9 Session-1
    

    This returns the following information:

    ===================== ====================================
    **access_key_id**     23515d96a5da4408821783e0b9aa6ff1
    **created_at**        2019-03-10T20:55:42Z
    **duration_seconds**  3600
    **expires_at**        2019-03-10T21:55:42Z
    **external_id**       none
    **policy_id**         none
    **project_id**        fc268815422e471da6756c7918b03d01
    **role_assumer**      5120ef807769455b822095497b55ffac
    **role_id**           565197da-2f13-48dc-b232-bdffc756b7f9
    **role_name**         Role-2
    **secret_access_key** 94d8a61f419b4edbb638abc399e7a420
    **session_name**      Session-1
    **token**             cd9b0253e0034cdd976c21c317c
    ===================== ====================================
    
  3. Use the access_key_id, secret_access_key and token to access the AWS services and actions. They are valid only until expires_at; treat the secret_access_key and token as secrets.
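The following is an added example, not part of the Zadara CLI, showing how a script would consume the ‘role assume-role’ output above. It parses the key/value table the command prints (SAMPLE_OUTPUT is the page's own sample, whose values are dummies), checks that created_at plus duration_seconds matches expires_at, maps access_key_id, secret_access_key and token onto the standard AWS SDK variable names (an assumption about how the credentials are consumed), and refuses to emit a session that has less than a safety margin of lifetime left.

```python
"""Convert `role assume-role` output into AWS SDK credentials, checking expiry.

Added example; not part of the Zadara CLI. It parses the key/value table the
command prints (SAMPLE_OUTPUT is the page's own sample, whose values are
dummies), checks that created_at + duration_seconds matches expires_at, maps
access_key_id / secret_access_key / token onto the standard AWS SDK variable
names (an assumption about how the credentials are consumed), and refuses to
emit a session with less than a safety margin of lifetime left.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

SAMPLE_OUTPUT = """
===================== ====================================
**access_key_id**     23515d96a5da4408821783e0b9aa6ff1
**created_at**        2019-03-10T20:55:42Z
**duration_seconds**  3600
**expires_at**        2019-03-10T21:55:42Z
**external_id**       none
**policy_id**         none
**project_id**        fc268815422e471da6756c7918b03d01
**role_assumer**      5120ef807769455b822095497b55ffac
**role_id**           565197da-2f13-48dc-b232-bdffc756b7f9
**role_name**         Role-2
**secret_access_key** 94d8a61f419b4edbb638abc399e7a420
**session_name**      Session-1
**token**             cd9b0253e0034cdd976c21c317c
===================== ====================================
"""

# One table row: optional ** markers around the key, whitespace, then the value.
ROW = re.compile(r"^\*{0,2}(\w+)\*{0,2}\s+(\S.*?)\s*$")


def parse_assume_role_output(text: str) -> Dict[str, str]:
    """Return the table as a dict; ruler lines (=====) and blanks are skipped."""
    creds: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("="):
            continue
        m = ROW.match(line)
        if m:
            creds[m.group(1)] = m.group(2)
    return creds


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def duration_is_consistent(creds: Dict[str, str]) -> bool:
    """created_at + duration_seconds should equal expires_at."""
    expected = parse_ts(creds["created_at"]) + timedelta(seconds=int(creds["duration_seconds"]))
    return expected == parse_ts(creds["expires_at"])


def seconds_remaining(creds: Dict[str, str], now: Optional[datetime] = None) -> int:
    now = now or datetime.now(timezone.utc)
    return int((parse_ts(creds["expires_at"]) - now).total_seconds())


def to_aws_env(creds: Dict[str, str], now: Optional[datetime] = None,
               min_remaining: int = 60) -> Dict[str, str]:
    """Map the three credential fields onto AWS SDK variables, or refuse if nearly expired."""
    remaining = seconds_remaining(creds, now)
    if remaining < min_remaining:
        raise ValueError(f"session {creds['session_name']} for {creds['role_name']} "
                         f"expires in {remaining}s; run role assume-role again")
    return {
        "AWS_ACCESS_KEY_ID": creds["access_key_id"],
        "AWS_SECRET_ACCESS_KEY": creds["secret_access_key"],
        "AWS_SESSION_TOKEN": creds["token"],
    }


def export_lines(env: Dict[str, str]) -> List[str]:
    """Shell `export` lines for the mapping, e.g. to eval in the calling shell."""
    return [f"export {k}={v}" for k, v in sorted(env.items())]


if __name__ == "__main__":
    creds = parse_assume_role_output(SAMPLE_OUTPUT)
    try:
        print("\n".join(export_lines(to_aws_env(creds))))
    except ValueError as exc:  # the 2019 sample session is long expired
        print(f"# {exc}")
```

Running the script against the page's sample prints the refusal message rather than credentials, because that session expired in 2019; against fresh output it prints three export lines. Keeping the expiry check in the same step that emits the credentials avoids the usual failure mode of exporting a session that dies a few minutes into a long job.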

Modifying an AWS IAM Role

When modifying an AWS IAM Role, you may change:

  1. The maximum time a role can be assumed

  2. The policies which define which permissions are granted or denied.

  3. The description of the role

You cannot change:

  1. The project for which this role is defined

  2. The users who may assume this role

  3. The users who are prevented from assuming this role

To modify an AWS IAM role:

  1. On the Identity & Access > AWS Roles view, highlight a specific role, and click Modify. This pops-up the Modify Role dialog box.

    1. Max. Session Duration - Modify the maximum amount of time (in seconds) that a user can assume this role. Default: 3600 seconds (1 hour). Maximum: 12 hours (43,200 seconds).

    2. Policies - Add or remove one or more managed policies which define the permissions of this role.

    3. Description - Modify the role’s description.

  2. Click OK to save the changes. The changes in the role will be displayed as follows:

    1. Max. Session Duration - The role’s Max. Session Duration is displayed in the corresponding column in the Identity & Access > AWS Roles view

    2. Policies - The role’s policies are displayed in the Attached Policies tab of the role, found in the Identity & Access > AWS Roles view.

Deleting an AWS IAM Role

Important

A Role cannot be deleted if policies are attached to it.

  1. In the Identity & Access > AWS Roles view, highlight a specific role, and click Delete. This pops-up the Delete Role alert.

  2. Click OK to confirm. The role will be removed from the Identity & Access > AWS Roles view.

Instance Profiles

An instance profile is a container for an AWS IAM role. It is used to pass the role to an EC2 instance when the instance starts. Once a role embedded in an instance profile is attached to an instance, the instance is continuously supplied with credentials for that role for as long as the profile remains attached.
The following actions can be performed with Instance profiles:

Adding an AWS IAM Role into an Instance

Via instance profiles it is possible to grant an instance permission to access specific Zadara Cloud Services-supported AWS services. Although, in the context of a user, role credentials are temporary, in the context of an instance the application is guaranteed to have credentials as long as the instance profile is attached to the instance and that instance profile has a role embedded in it.

  1. From the Zadara Cloud Services GUI, create an AWS IAM role together with its AWS IAM policy document and trust policies.

    Note

    This must be performed by an Admin user or a Tenant Admin user.

  2. Using the Zadara Cloud Services CLI command, ‘instance-profile create name’, create an instance profile.

    Note

    This command may be performed by any user.

    Zadara Cloud Services @ cloud_admin/default > instance-profile create instance-profile-1
    

    This command returns basic details about the newly created instance profile, instance-profile-1.

    ============== ====================================
    **id**         dd56d017-0167-42b7-a130-8706d746493e
    **name**       instance-profile-1
    **created_at** 2019-03-11T02:58:30Z
    **path**       /
    **project_id** 4331358dff9b4c29aa53c982e92801f6
    **roles**      []
    ============== ====================================
    
  3. Find the AWS IAM roles that you can embed in the Instance profile

    1. Run role iam-list:

      Zadara Cloud Services @ cloud_admin/default > role iam-list
      

      If you are a Member or Tenant Admin user, it returns a list of any roles created in the currently logged-in project, together with the IDs of all users who can assume these role(s).

      Note

      If you are assigned to more than one project, you must login to each project and run ‘role iam-list’ to get the complete list of roles available to you.

    2. To check whether any of the listed entity_ids is yours, run the following command:

      Zadara Cloud Services @ cloud_admin/default > user get-my-details
      

      This will display your user_id along with your user_name.

  4. Embed the role in the instance profile with the Zadara Cloud Services CLI command ‘instance-profile add-role instance_profile_id role_id’, as follows: (Take the instance_profile_id from step 2 and the role_id from step 3.) Note: This command can be performed by a Member or Tenant Admin if the project of the role is the same as the logged-in project.

    Zadara Cloud Services @ cloud_admin/default > instance-profile add-role dd56d017-0167-42b7-a130-8706d746493e 565197da-2f13-48dc-b232-bdffc756b7f9
    
  5. From the Zadara Cloud Services GUI, create an instance.

    Note

    If you create this instance from the CLI, you can add the instance-profile on creation. This will remove the need for steps 6 and 8.

  6. From the Zadara Cloud Services CLI using the CLI command “vm list” locate the ID of the instance that you just created.

  7. Since the instance profile operation is very sensitive to network latency and cluster load, the metadata service may time out before finishing the operation. It is therefore recommended to increase the timeout on the metadata service connection and/or allow retries. These are configured inside the VM that is connected to the instance profile by setting the following environment variables, which the AWS SDKs and CLI read (both default to 1):

    AWS_METADATA_SERVICE_TIMEOUT        set to a value greater than 1 (seconds)
    AWS_METADATA_SERVICE_NUM_ATTEMPTS   set to a value greater than 1
    
  8. Using the Zadara Cloud Services CLI command ‘vm update --instance-profile instance_profile_id vm_id’, attach the instance profile to the instance you just created, as follows: (Take the instance_profile_id from step 2 and the vm_id from step 6.) Note: The role and VM must be defined for the same project. A Member user or Tenant Admin user can perform this command if they are logged in to the same project as that of the role and VM.

    Zadara Cloud Services @ cloud_admin/default > vm update --instance-profile dd56d017-0167-42b7-a130-8706d746493e d6ca69e7-1533-4740-9881-395d442719f5
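The following is an added example, not Zadara's code, for the application side of the procedure above. Step 7 says the metadata service may time out under load and recommends raising AWS_METADATA_SERVICE_TIMEOUT and AWS_METADATA_SERVICE_NUM_ATTEMPTS; this shows the equivalent timeout-and-retry logic for an application inside the VM that reads the instance-profile credentials from the metadata service directly. It assumes the service follows the EC2 layout (169.254.169.254, .../iam/security-credentials/<role-name>, a JSON body with AccessKeyId, SecretAccessKey, Token and Expiration), which is the layout the variables above configure in the AWS SDKs. The fetcher is injectable, and FlakyFetcher is a constructed offline stand-in whose role name and credential values are made up.

```python
"""Read instance-profile credentials from the metadata service with retries.

Added example, not Zadara's code. Step 7 above says the metadata service may
time out under load and recommends raising AWS_METADATA_SERVICE_TIMEOUT and
AWS_METADATA_SERVICE_NUM_ATTEMPTS; this shows the equivalent logic for an
application that talks to the metadata service directly. It assumes the
service follows the EC2 layout (169.254.169.254, .../iam/security-credentials/
<role-name>, JSON body with AccessKeyId / SecretAccessKey / Token /
Expiration). The fetcher is injectable, and FlakyFetcher is a constructed
offline stand-in whose role name and credential values are made up.
"""
import json
import os
import time
import urllib.request
from typing import Callable, Dict, Mapping, Optional, Tuple

IMDS_CREDS = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

Fetch = Callable[[str, float], str]


def imds_settings(env: Mapping[str, str] = os.environ) -> Tuple[float, int]:
    """Timeout (s) and attempt count, using the AWS SDK variable names; defaults 1 and 1."""
    return (float(env.get("AWS_METADATA_SERVICE_TIMEOUT", "1")),
            int(env.get("AWS_METADATA_SERVICE_NUM_ATTEMPTS", "1")))


def http_get(url: str, timeout: float) -> str:
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode()


def fetch_with_retries(url: str, timeout: float, attempts: int,
                       fetch: Fetch = http_get,
                       sleep: Callable[[float], None] = time.sleep) -> str:
    """Retry on connection errors/timeouts with capped exponential backoff."""
    last_error: Optional[Exception] = None
    for i in range(attempts):
        try:
            return fetch(url, timeout)
        except OSError as exc:  # URLError and socket timeouts are OSErrors
            last_error = exc
            if i + 1 < attempts:
                sleep(min(0.2 * 2 ** i, 2.0))
    raise RuntimeError(f"metadata service unreachable after {attempts} attempt(s): {last_error}")


def instance_role_credentials(timeout: float, attempts: int,
                              fetch: Fetch = http_get,
                              sleep: Callable[[float], None] = time.sleep) -> Dict[str, str]:
    """Discover the attached role name, then fetch its credentials."""
    listing = fetch_with_retries(IMDS_CREDS, timeout, attempts, fetch, sleep)
    role = listing.strip().splitlines()[0]
    body = json.loads(fetch_with_retries(IMDS_CREDS + role, timeout, attempts, fetch, sleep))
    return {
        "AWS_ACCESS_KEY_ID": body["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": body["SecretAccessKey"],
        "AWS_SESSION_TOKEN": body["Token"],
        "expires_at": body.get("Expiration", ""),
    }


class FlakyFetcher:
    """Constructed stand-in: raises a timeout for the first `failures` calls, then answers."""

    def __init__(self, failures: int, role: str = "instance-role"):
        self.failures, self.calls, self.role = failures, 0, role
        self.body = json.dumps({"AccessKeyId": "EXAMPLEKEYID",          # made-up values
                                "SecretAccessKey": "EXAMPLESECRET",
                                "Token": "EXAMPLETOKEN",
                                "Expiration": "2019-03-11T09:00:00Z"})

    def __call__(self, url: str, timeout: float) -> str:
        self.calls += 1
        if self.calls <= self.failures:
            raise TimeoutError("simulated metadata service timeout")
        return self.role + "\n" if url == IMDS_CREDS else self.body


if __name__ == "__main__":
    timeout, attempts = imds_settings()
    print(instance_role_credentials(timeout, attempts))
```

With the defaults of one second and one attempt, a single slow response from the metadata service surfaces as a hard failure in the application; with the variables raised as step 7 recommends, the same code rides out the transient timeouts. Whatever consumes these credentials should also watch the Expiration field and re-read the metadata service before it passes, rather than caching the values for the life of the process.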
    

Working with Instance Profiles via the CLI

  1. To look up an instance profile by its name, enter the following command:

    Zadara Cloud Services @ Account-1/Project-1 > instance-profile get <name of instance-profile>
    

    A variety of details about this instance profile will be displayed, including its ID.

  2. To add an AWS IAM role to an instance profile:

    1. Procure the role-id via the following command

      Zadara Cloud Services @ Account-1/Project-1 > role iam-list
      

      The list of all IAM roles will be displayed, together with their IDs.

    2. Using the ID of the desired instance profile, returned from the first command above, enter the following command:

      Zadara Cloud Services @ Account-1/Project-1 > instance-profile add-role <instance_profile_id> <role_id>
      

      Only one role can be added to an instance profile.

  3. To remove an AWS IAM role from an instance profile, enter the following command:

    Zadara Cloud Services @ Account-1/Project-1 > instance-profile remove-role <instance_profile_id> <role_id>
    
  4. To retrieve the entire list of Instance profiles in the cluster enter the following command:

    Zadara Cloud Services @ Account-1/Project-1 > instance-profile list
    

    The list of all instance profiles will be displayed, together with their IDs.

  5. To remove an Instance profile:

    Using the ID of the desired instance profile, retrieved in the fourth command above, enter the following command:

    Zadara Cloud Services @ Account-1/Project-1 > instance-profile remove <instance_profile_id>
    
  6. To retrieve information about a specific instance profile: Using the ID of the desired instance profile, retrieved in the fourth command above, enter the following command:

    Zadara Cloud Services @ Account-1/Project-1 > instance-profile get <instance_profile_id>
    

  A variety of details about this instance profile including its ID, will be displayed.