7

Can AWS IAM be used to control access for custom applications? I heavily rely on IAM for controlling access to AWS resources. I have a custom Python app that I would like to extend to work with IAM, but I can't find any references to this being done by anyone.

Shankar S
Ethan
  • Were you able to find a solution for this? – Nitin Goyal Sep 18 '20 at 06:37
  • Did you find a solution? Here's an idea: create an S3 bucket and objects for each custom action, e.g. /todo/read, /todo/write, and then use s3:GetObject to allow/deny access to those objects. – tripod Feb 10 '22 at 14:23
  • This is a very old question, but any news on this? Has this ever been tried by someone? – Stefan Haberl Feb 22 '22 at 09:09
  • I also need the same thing, { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "myResource:MyAction", "MyResource:MyAction2" ], "Resource": "*" } ] } – Shankar S Mar 28 '23 at 15:51

4 Answers

2

I've considered the same thing, and I think it's theoretically possible. The main issue is that there's no call available in IAM that determines if a particular call is allowed (SimulateCustomPolicy may work, but that doesn't seem to be its purpose so I'm not sure it would have the throughput to handle high volumes).

As a result, you'd have to write your own IAM policy evaluator for those custom calls. I don't think that's inherently a bad thing, since it's also something you'd have to build for any other policy-based system. And the IAM policy format seems reasonable enough to be used.

I guess the short answer is, yes, it's possible, with some work. And if you do it, please open source the code so the rest of us can use it.

Jon Nichols
  • Did someone try creating custom actions and a policy evaluator? I am looking for exactly that: I need to create a Role with a custom policy with custom actions, myservice:myAction. – Shankar S Mar 28 '23 at 15:49
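The answer above says that custom actions need their own IAM-style policy evaluator. The block below is an added example, not code from the question, any answer, or AWS: a minimal Python evaluator that applies IAM's documented decision order (an explicit Deny wins, otherwise an applicable Allow grants, otherwise access is implicitly denied) with IAM's `*` and `?` wildcards to a custom action namespace like the `myResource:MyAction` policy quoted in the question comments. The sample policy, action names and `arn:myapp:...` resource ARNs are constructed for the demonstration; `Condition` elements are deliberately unsupported and make the evaluator fail closed rather than ignore them.

```python
"""Minimal IAM-style policy evaluator for application-defined actions.

Added example (not from the original question or answers, and not an AWS
library). Decision logic mirrors IAM's documented order:
  1. an explicit Deny in any applicable statement wins,
  2. otherwise an applicable Allow grants access,
  3. otherwise access is implicitly denied.
Supported elements: Effect, Action/NotAction, Resource/NotResource with the
"*" and "?" wildcards. Condition blocks are not supported and fail closed.
All policy contents and ARNs below are constructed sample data.
"""
import re
from typing import Iterable, List, Union

StrOrList = Union[str, List[str]]


def _as_list(value: StrOrList) -> List[str]:
    """IAM allows a single string where a list of strings is expected."""
    return [value] if isinstance(value, str) else list(value)


def _wildcard_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _element_matches(stmt: dict, positive: str, negative: str,
                     value: str, ignore_case: bool) -> bool:
    """Handle an Action/NotAction or Resource/NotResource pair of a statement."""
    if positive in stmt:
        return any(_wildcard_match(p, value, ignore_case) for p in _as_list(stmt[positive]))
    if negative in stmt:
        return not any(_wildcard_match(p, value, ignore_case) for p in _as_list(stmt[negative]))
    return False  # a statement naming neither element applies to nothing


def _statement_applies(stmt: dict, action: str, resource: str) -> bool:
    if "Condition" in stmt:
        # Conditions (source IP, MFA, tags, ...) are out of scope here; refusing
        # to evaluate them is safer than silently treating them as satisfied.
        raise NotImplementedError("Condition elements are not supported")
    # Action names are case-insensitive in IAM; resource ARNs are compared as-is.
    return (_element_matches(stmt, "Action", "NotAction", action, True)
            and _element_matches(stmt, "Resource", "NotResource", resource, False))


def evaluate(policies: Iterable[dict], action: str, resource: str) -> str:
    """Return "Allow" or "Deny" for one (action, resource) pair across all policies."""
    allowed = False
    for policy in policies:
        statements = policy.get("Statement", [])
        if isinstance(statements, dict):  # a single statement may be a bare object
            statements = [statements]
        for stmt in statements:
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"  # explicit deny short-circuits everything else
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "Allow" if allowed else "Deny"  # no matching Allow -> implicit deny


def is_authorized(policies: Iterable[dict], action: str, resource: str) -> bool:
    return evaluate(policies, action, resource) == "Allow"


# Constructed sample: the custom-namespace policy quoted in the question's
# comments, plus a scoped Allow and an explicit Deny to show precedence.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["myResource:MyAction", "MyResource:MyAction2"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "todo:*",
         "Resource": "arn:myapp:todo:::list/*"},
        {"Effect": "Deny",
         "Action": "todo:Delete",
         "Resource": "arn:myapp:todo:::list/archived/*"},
    ],
}

if __name__ == "__main__":
    checks = [
        ("myResource:MyAction", "arn:myapp:anything"),
        ("myresource:myaction2", "arn:myapp:anything"),
        ("myResource:MyAction3", "arn:myapp:anything"),
        ("todo:Read", "arn:myapp:todo:::list/123"),
        ("todo:Delete", "arn:myapp:todo:::list/123"),
        ("todo:Delete", "arn:myapp:todo:::list/archived/7"),
        ("todo:Read", "arn:myapp:todo:::board/1"),
    ]
    for act, res in checks:
        print(f"{act:22} {res:36} -> {evaluate([SAMPLE_POLICY], act, res)}")
```

In an application you would call `is_authorized` with the policies attached to the caller's role and the action and resource names your own code defines, and reject the request before any handler runs. The evaluator deliberately raises on `Condition` so that an unsupported element cannot widen access by being skipped.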
0

The only way you can manage users, create roles and groups is if you have admin access. Power users can do everything but that.

You can create a group with all the privileges you want to grant and create a user with policies attached from the group created. Create a user strictly with only programmatic access, so the app can connect with an access key ID and secret key from the AWS CLI.

vredrav
0

Normally, IAM can be used to create and manage AWS users and groups, and permissions to allow and deny their access to AWS resources. If your Python app is somehow consuming or interfacing with any AWS resource such as S3, then you might want to look into this.

connect-on-premise-python-application-with-aws

The Python application can be uploaded to an S3 bucket. The application is running on a server inside the on-premise data center of a company. The focus of this tutorial is on the connection made to AWS.

TheAshwaniK
0

Consider placing API Gateway in front of your Python app's routes.

Then you could control access using IAM.

jarmod