List all grantable roles in my GCP environment - bash

I'm a newbie and was looking for some help.
How do I list all grantable roles within my GCP environment at the organization level?
I am using...
gcloud iam list-grantable-roles
but everywhere I read it says I must specify the resource I want to check. I want it to check all resources.
Thank you for the help!

Roles can be used in two ways: applied to identities and applied to resources. When applied to resources (your example), you must specify the resource, because resources only support a subset of all possible roles. For example, it makes no sense to apply a Compute Engine role to a Cloud Storage object.
To list all possible roles for an organization:
gcloud iam roles list --organization ORG_ID
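The practical sticking point in the question is the form of the resource argument: `gcloud iam list-grantable-roles` wants a full resource name (`//service.googleapis.com/...`), not a bare ID, and there is no single call that covers every resource at once. The script below is an added example (not part of the answer above) that builds those names, queries the grantable roles per resource, and walks every project the caller can see. Two caveats it encodes: `gcloud iam roles list` with no scope flag returns the predefined roles, while `--organization` returns only the custom roles defined in that organization, so both calls are needed for "all roles"; and the organization ID, project IDs and instance names are placeholders supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer. Assumes an installed, authenticated
# gcloud; ORG_ID and the resource IDs are placeholders passed in by the caller.
set -eu

# list-grantable-roles needs a *full resource name*. This helper builds the common
# forms so the service prefix does not have to be remembered each time.
grantable_resource_name() {
  local kind=$1
  shift
  case "$kind" in
    organization) echo "//cloudresourcemanager.googleapis.com/organizations/$1" ;;
    folder)       echo "//cloudresourcemanager.googleapis.com/folders/$1" ;;
    project)      echo "//cloudresourcemanager.googleapis.com/projects/$1" ;;
    instance)     echo "//compute.googleapis.com/projects/$1/zones/$2/instances/$3" ;;
    *) echo "unknown resource kind: $kind" >&2; return 1 ;;
  esac
}

# Roles that can be granted on one resource (what the asker's command needs).
# Usage: grantable_roles_on organization 123456789012
#        grantable_roles_on instance my-proj us-central1-f vm-1
grantable_roles_on() {
  gcloud iam list-grantable-roles "$(grantable_resource_name "$@")" --format='value(name)'
}

# Closest thing to "check all resources": iterate over every project the caller can
# list and print the grantable roles for each one.
grantable_roles_all_projects() {
  gcloud projects list --format='value(projectId)' | while read -r project; do
    echo "== $project"
    grantable_roles_on project "$project"
  done
}

# Every role that exists for the org: the predefined roles (no scope flag) plus the
# custom roles defined at the organization level (--organization).
all_roles_for_org() {
  local org=$1
  gcloud iam roles list --format='value(name)'
  gcloud iam roles list --organization "$org" --format='value(name)'
}

# Only talks to GCP when invoked as: ORG_ID=123456789012 ./script.sh --run
if [ "${1:-}" = "--run" ] && command -v gcloud >/dev/null 2>&1; then
  all_roles_for_org "${ORG_ID:?set ORG_ID}"
  grantable_roles_on organization "$ORG_ID"
  grantable_roles_all_projects
fi
```

The per-project loop is deliberately limited to project-level resource names; roles grantable on a child resource (a VM, a bucket) are a further subset and need their own `grantable_roles_on` call with that resource's full name, as the answer explains.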

Related

Assign specific roles based on AD groups using AZ cli

I'm trying to assign roles in Azure based on existing AD groups. I need to use a bash script for this task. For a given AD group, I have a pre-defined set of roles. I am looking for an efficient and simple way of doing this.
Any help or pointers would be greatly appreciated.
Thank you,
Ram

AWS Federated User Mapping

I am trying to identify which active directory users are able to federate to AWS IAM roles. Where is the mapping from Windows Active Directory to IAM Roles stored? Is this stored within IAM or a file outside of AWS?
I have identified the AWS roles which are federated to but can't identify which active directory users are able to log in using those roles.
There is no way to get this information from AWS. This mapping is done in your SAML solution. It is common to map an AWS role to an AD group; if you know the group, you can see who is a member, and those members are the ones with access to this role.

Provision AWS Account Programmatically?

I am trying to see if anyone knows if it is possible to provision an AWS account straight from code? I have looked at the SDK and API reference but I am not seeing anything. It would be something similar to the way http://qwiklab.com/ provisions a new account for a user for training purposes.
Creating a new AWS account requires voice verification. AWS actually calls you to confirm. What you can do is create AWS IAM users and allocate very specific permissions within your Amazon VPC for these users. For example, you can say that users in group "A" can only launch AMIs tagged as "development", and only in a specific subnet. You can be somewhat granular in the permissions you allocate to IAM users/groups. Here is a list of actions you can specify for EC2 resources:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html
Here is some general guidance on setting up control within your VPC:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html
The examples there can potentially serve as a good starting point for what you are trying to accomplish.
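The "group A may only launch development-tagged AMIs into one subnet" rule from the answer is worth seeing as a concrete policy, because `ec2:RunInstances` is authorized against every resource the launch touches (AMI, subnet, the new instance, its volumes, network interface, security group, key pair), and forgetting one of them produces a confusing access-denied. The script below is an added example, not the answer's own code and not taken from the linked documentation: it generates the policy document, then creates and attaches it to a group with the AWS CLI. The region, account ID, subnet ID, tag key `Environment` and policy/group names are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer. Region, account ID, subnet ID and the
# Environment tag key/value are placeholders; assumes the AWS CLI is installed and the
# caller's credentials may manage IAM.
set -eu

# Emit the policy. The AMI is allowed only when it carries Environment=<tag_value>
# (AMI tags are per-account, so the AMI must be tagged in this account); the subnet
# statement names exactly one subnet ARN; the third statement covers the other
# resource types RunInstances must be allowed on, without which the launch fails.
# Describe* has no resource-level permissions, so it is granted on "*" for lookups.
dev_launch_policy() {
  local region=$1 account=$2 subnet=$3 tag_value=${4:-development}
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OnlyTaggedAmis",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:${region}::image/ami-*",
      "Condition": { "StringEquals": { "ec2:ResourceTag/Environment": "${tag_value}" } }
    },
    {
      "Sid": "OnlyThisSubnet",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:${region}:${account}:subnet/${subnet}"
    },
    {
      "Sid": "OtherRunInstancesResources",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:${region}:${account}:instance/*",
        "arn:aws:ec2:${region}:${account}:volume/*",
        "arn:aws:ec2:${region}:${account}:network-interface/*",
        "arn:aws:ec2:${region}:${account}:security-group/*",
        "arn:aws:ec2:${region}:${account}:key-pair/*"
      ]
    },
    {
      "Sid": "ReadOnlyToPickResources",
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    }
  ]
}
EOF
}

# Create the managed policy and attach it to an IAM group.
apply_dev_launch_policy() {
  local group=$1 region=$2 account=$3 subnet=$4 arn
  arn=$(aws iam create-policy --policy-name DevLaunchOnly \
          --policy-document "$(dev_launch_policy "$region" "$account" "$subnet")" \
          --query Policy.Arn --output text)
  aws iam attach-group-policy --group-name "$group" --policy-arn "$arn"
  echo "attached $arn to group $group"
}

# Only talks to AWS when invoked as:
#   ACCOUNT_ID=123456789012 SUBNET_ID=subnet-0123456789abcdef0 ./script.sh --apply GroupA
if [ "${1:-}" = "--apply" ] && command -v aws >/dev/null 2>&1; then
  apply_dev_launch_policy "${2:?group name}" "${AWS_REGION:-us-east-1}" \
    "${ACCOUNT_ID:?set ACCOUNT_ID}" "${SUBNET_ID:?set SUBNET_ID}"
fi
```

Note what this policy does not do: it says nothing about stopping or terminating instances, so members of the group can launch but not manage; add separate statements (for example `ec2:TerminateInstances` conditioned on `ec2:ResourceTag/...`) if that is wanted, and keep the tag key from being editable by the same group or the restriction can be bypassed by retagging.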

What are the possible capabilities of IAM in AWS?

One of my clients wants to understand the IAM features before migrating a business application to the Amazon cloud.
I have worked out two use cases that we can recommend to our client; these are:
Resource-Level Permissions for EC2
• Allow users to act on a limited set of resources within a larger, multi-user EC2 environment.
• Control which users can terminate which instances.
• Restricting a user's access to a single EC2 instance (currently not supported by Amazon's APIs)
IAM Roles for Amazon EC2 resources
Command Line Usage
• Unix/Linux/Windows - Use the AWS Command Line Interface, which is a unified tool to manage the AWS services. We can access the Command Line Interface from an EC2 instance launched with IAM role support without specifying the credentials explicitly.
Programmatic Usage
• Use the appropriate AWS SDK for your language of choice. Configure it without specifying the credentials.
I would like to know other capabilities of IAM that we can recommend to our client, and other use cases that you can recommend to us. Please let us know if any further explanation is required.
Any prompt response will be highly appreciated.
Thanks in advance
This is a very useful feature of AWS!
User Management - If you are a large team, you will have to give different users (developers, testers, deployment) different types of permissions, with access levels like S3 read-only, DynamoDB full access, etc.
Manage Users : http://aws.amazon.com/iam/details/manage-users/
Not keeping credentials in code. If you use IAM roles, you can specify that, say, an EC2 instance should run under this role. This will help you achieve things like "a cluster with access only to S3, not the DB".
IAM Roles for Amazon EC2 - Amazon Elastic Compute Cloud : http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
Handle release staging. This is a benefit of the role. You move apps from dev, QA, staging and prod. I usually keep different accounts for this. In this case, if you configure the EC2 instances to run on roles, then the stage difference can be handled without code changes. Just move the build from one account to another, and it works with no risk!
Lots of other benefits:
Product Details : http://aws.amazon.com/iam/details/
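The "no credentials in code" and "cluster with access only to S3" points above come down to three IAM objects: a role whose trust policy lets only the EC2 service assume it, a permissions policy scoped to one bucket, and an instance profile that binds the role to the instance at launch. The script below is an added example (not the answer's code and not from the linked guide) that creates those objects with the AWS CLI and launches an instance under them; the role name, bucket, AMI, subnet and instance type are placeholders. The trailing comment shows how software on the instance obtains the short-lived credentials from the instance metadata service, which is what lets the SDK and CLI run "without specifying the credentials".

```shell
#!/usr/bin/env bash
# Added example, not from the original answer. Role/profile name, bucket, AMI ID and
# subnet are placeholders; assumes the AWS CLI with credentials able to manage IAM/EC2.
set -eu

# Trust policy: only the EC2 service may assume the role, so its credentials only
# ever exist on instances launched with the matching instance profile.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Permissions policy: list and read one bucket, nothing else (no DynamoDB, no write).
bucket_readonly_policy() {
  local bucket=$1
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::${bucket}" },
    { "Effect": "Allow", "Action": "s3:GetObject",  "Resource": "arn:aws:s3:::${bucket}/*" }
  ]
}
EOF
}

# Role -> inline policy -> instance profile -> launch with the profile. Nothing in the
# instance's user data or application code carries an access key.
create_s3_reader_instance() {
  local role=$1 bucket=$2 ami=$3 subnet=$4
  aws iam create-role --role-name "$role" \
      --assume-role-policy-document "$(ec2_trust_policy)" >/dev/null
  aws iam put-role-policy --role-name "$role" --policy-name "${role}-s3-ro" \
      --policy-document "$(bucket_readonly_policy "$bucket")"
  aws iam create-instance-profile --instance-profile-name "$role" >/dev/null
  aws iam add-role-to-instance-profile --instance-profile-name "$role" --role-name "$role"
  # A freshly created profile can take a few seconds to become visible to EC2;
  # retry the launch if it reports an invalid instance profile.
  aws ec2 run-instances --image-id "$ami" --subnet-id "$subnet" \
      --instance-type t3.micro --iam-instance-profile "Name=$role" \
      --query 'Instances[0].InstanceId' --output text
}

# On the instance, the SDK/CLI fetch rotating credentials from IMDS (IMDSv2 shown).
# Run these two lines on the box to see them; no static key is configured anywhere:
#   TOKEN=$(curl -sX PUT http://169.254.169.254/latest/api/token \
#             -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
#   curl -s -H "X-aws-ec2-metadata-token: $TOKEN" \
#        http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME

# Only talks to AWS when invoked as: ./script.sh --create s3-reader my-bucket ami-xxxx subnet-xxxx
if [ "${1:-}" = "--create" ] && command -v aws >/dev/null 2>&1; then
  create_s3_reader_instance "${2:?role name}" "${3:?bucket}" "${4:?ami id}" "${5:?subnet id}"
fi
```

The "move the build between accounts" point in the answer works because the role name, not an account-specific key, is what the application depends on: create the same role and profile in each account and the same binary runs unchanged.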

Allow access to Amazon AWS console using IAM

Is it possible to set up separate accounts using Amazon's IAM service that would allow two different users to access the Amazon web dashboard/console? I'd like a separate account that can access these pages, but I'd prefer not to have to give away the keys to the kingdom to do so.
If so, can IAM policies be specified to restrict what the user can do with the console?
I've written a short howto on adding an ec2 user, it is similar for most policies.
URL:
http://www.corbettbaker.com/blog-posts/creating-aws-user-ec2-only-permissions
Basically, replace ec2user with whatever you want the user name to be.
-CB
