I'm trying to assign roles in Azure based on existing AD groups. Need to use bash script for this task. For a given AD group, I've pre-defined set of roles. Looking for an efficient and simple way of doing this.
Any help or pointers would be greatly appreciated.
Thank you,
Ram
Related
Can aws cli be used to grant a quicksight group (such as viewer or owner) to a quicksight folder? I can't seem to find the specific cli command.
Thanks
Yes you can do this using the update-folder-permissions api call https://docs.aws.amazon.com/cli/latest/reference/quicksight/update-folder-permissions.html
It might help to first use the list-folder-permissions on existing folders to determine the correct structure for the --grant-permissions list
I'm a newbie and was looking for some help.
How do I list all grantable roles within my GCP environment at the organization level?
I am using...
gcloud iam list-grantable-roles
but everywhere I read it says I must specify the resource I want to check. I want it to check all resources.
Thank you for help!
Roles can be used in two ways. Applied to identities and applied to resources. When applied to resources (your example) you must specify the resource because resources only support a subset of all possible roles. For example, it makes no sense to apply a Compute Engine role to a Cloud Storage object.
To list all possible roles for an organization:
gcloud iam roles list --organization ORG_ID
I need to remove a certain Amazon QuickSight user but before that I need to get a list of any resources they may own. Any suggestions on how that can be done?
Thank you!
I'm also looking for how to do this. I've found that you can use search_* functions in the boto3 library to find analyses and dashboards.
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/quicksight.html#QuickSight.Client.search_analyses
I am writing a serverless application which is connected to DynamoDB.
Currently I am reading the access key ID and security access key from a json file.
I am going to use Jenkins for CI and need a way to secure these keys.
What I am going to do is setting the keys as environmental variables and read them in the application. But the problem is I don't know how to set the environmental variables every time a lambda function is started.
I have read there's a way to configure this in serverless.yml file, but don't know how.
How to achieve this?
Don't use environment variables. Use the IAM role that is attached to your lambda function. AWS Lambda assumes the role on your behalf and sets the credentials as environment variables when your function runs. You don't even need to read these variables yourself. All of the AWS SDKs will read these environment variables automatically.
There's a good guide on serverless security, which among other topics, cover this one as well. It's similar to the OWASP top 10:
In general, the best practice would be to use the AWS Secrets Manager, together with SSM parameter store.
One of my clients wants to understand IAM feature before migrating business application to Amazon cloud.
I have figured out two use cases which we can recommend to our client, these are:
Resource-Level Permissions for EC2
• Allow users to act on a limited set of resources within a larger, multi-user EC2 environment.
• Control which users can terminate which instances.
• Restricting a user access to a single EC2 instance ( currently not supported by amazon API’s)
IAM Roles for Amazon ec2 resources
Command Line Usage
• Unix/Linux/Windows - Use the AWS Command Line Interface, which is a unified tool to manage the AWS services. We can access the Command Line Interface using the EC2 instance launched with IAM role support without specifying the credentials explicitly.
Programmatic Usage
• Use the appropriate AWS SDK for your language of choice. Configure it without specifying the credentials.
I would like to know other capabilities of IAM which we can recommend to our client and other use cases which you can recommend to us. Please let us know if any further explanation is required.
Any prompt response will be highly appreciated.
Thanks in advance
This is a very useful feature of AWS !
User Management - If you are a large team, you will have to give different users (or developers/testing, deployment) different type of permissions. Access levels like (say S3 read-only, DynamoDB full-access etc).
Manage Users : http://aws.amazon.com/iam/details/manage-users/
Not to keep credentials in code. Is you use IAM roles, you can mention that say an EC2 should work on this role. This will help you achieve things like "cluster with only access to S3, not DB")
IAM Roles for Amazon EC2 - Amazon Elastic Compute Cloud : http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
Handle Release staging. This is a benefit from the ROLE. You move apps from dev, qa, staging and prod. I usually keep different accounts for this. In this case, if you configure the EC2 to run on roles, then the stage difference can be handled witout code change. Just move the build from one account to another, and it works with no risk!
Lot of other benefits;
Product Details : http://aws.amazon.com/iam/details/