Using Identity-Based Policies (IAM Policies) for Amazon Cloud Map
This topic provides examples of identity-based policies that demonstrate how an account administrator can attach permissions policies to IAM identities (users, groups, and roles) and thereby grant permissions to perform actions on Amazon Cloud Map resources.
We recommend that you first review the introductory topics that explain the basic concepts and options to manage access to your Amazon Cloud Map resources. For more information, see Overview of Managing Access Permissions to Your Amazon Cloud Map Resources.
The following example shows a permissions policy that grants a user permission to register, deregister, and discover service instances. The Sid, or statement ID, is optional:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowInstancePermissions",
            "Effect": "Allow",
            "Action": [
                "servicediscovery:RegisterInstance",
                "servicediscovery:DeregisterInstance",
                "servicediscovery:DiscoverInstances",
                "servicediscovery:Get*",
                "servicediscovery:List*",
                "route53:GetHostedZone",
                "route53:ListHostedZonesByName",
                "route53:ChangeResourceRecordSets",
                "route53:CreateHealthCheck",
                "route53:GetHealthCheck",
                "route53:DeleteHealthCheck",
                "route53:UpdateHealthCheck",
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        }
    ]
}
The policy grants permissions to the actions that are required to register and manage service instances. The Route 53 permissions are required if you're using public or private DNS namespaces, because Amazon Cloud Map creates, updates, and deletes Route 53 records and health checks when you register and deregister instances. The wildcard character (*) in Resource grants access to all Amazon Cloud Map instances, and to all Route 53 records and health checks, that the current Amazon account owns.
For a list of actions and the ARN that you specify to grant or deny permission to use each action, see Amazon Cloud Map API Permissions: Actions, Resources, and Conditions Reference.
Permissions Required to Use the Amazon Cloud Map Console
To grant full access to the Amazon Cloud Map console, you grant the permissions in the following permissions policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "servicediscovery:*",
                "route53:GetHostedZone",
                "route53:ListHostedZonesByName",
                "route53:CreateHostedZone",
                "route53:DeleteHostedZone",
                "route53:ChangeResourceRecordSets",
                "route53:CreateHealthCheck",
                "route53:GetHealthCheck",
                "route53:DeleteHealthCheck",
                "route53:UpdateHealthCheck",
                "ec2:DescribeInstances",
                "ec2:DescribeVpcs",
                "ec2:DescribeRegions"
            ],
            "Resource": "*"
        }
    ]
}
Here's why the permissions are required:
- servicediscovery:* – Lets you perform all Amazon Cloud Map actions.
- route53:CreateHostedZone, route53:GetHostedZone, route53:ListHostedZonesByName, route53:DeleteHostedZone – Let Amazon Cloud Map manage hosted zones when you create and delete public and private DNS namespaces.
- route53:CreateHealthCheck, route53:GetHealthCheck, route53:DeleteHealthCheck, route53:UpdateHealthCheck – Let Amazon Cloud Map manage health checks when you create a service that includes Amazon Route 53 health checks.
- ec2:DescribeVpcs and ec2:DescribeRegions – Let Amazon Cloud Map manage private hosted zones.
Amazon Managed (Predefined) Policies for Amazon Cloud Map
Amazon addresses many common use cases by providing standalone IAM policies that are created and administered by Amazon. These Amazon managed policies grant necessary permissions for common use cases so that you can avoid having to investigate what permissions are needed. For more information, see Amazon Managed Policies in the IAM User Guide. For Amazon Cloud Map, IAM provides the following managed policies:
- AWSCloudMapDiscoverInstanceAccess – Grants access to the Amazon Cloud Map DiscoverInstances API action
- AWSCloudMapReadOnlyAccess – Grants read-only access to all Amazon Cloud Map actions
- AWSCloudMapRegisterInstanceAccess – Grants read-only access to namespaces and services, and grants permission to register and deregister service instances
- AWSCloudMapFullAccess – Provides full access to all Amazon Cloud Map actions
Customer Managed Policy Examples
You can create your own custom IAM policies to allow permissions for Amazon Cloud Map actions. You can attach these custom policies to the IAM users or groups that require the specified permissions. These policies work when you are using the Amazon Cloud Map API, the Amazon SDKs, or the Amazon CLI. The following examples show permissions for several common use cases. For the policy that grants a user full access to Amazon Cloud Map, see Permissions Required to Use the Amazon Cloud Map Console.
Examples
Example 1: Allow Read Access to All Amazon Cloud Map Resources
The following permissions policy grants the user read-only access to all Amazon Cloud Map resources:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "servicediscovery:Get*",
                "servicediscovery:List*",
                "servicediscovery:DiscoverInstances"
            ],
            "Resource": "*"
        }
    ]
}
Example 2: Allow Creation of All Types of Namespaces
The following permissions policy allows users to create all types of namespaces:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "servicediscovery:CreateHttpNamespace",
                "servicediscovery:CreatePrivateDnsNamespace",
                "servicediscovery:CreatePublicDnsNamespace",
                "route53:CreateHostedZone",
                "route53:GetHostedZone",
                "route53:ListHostedZonesByName",
                "ec2:DescribeVpcs",
                "ec2:DescribeRegions"
            ],
            "Resource": "*"
        }
    ]
}
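Before attaching any of the policies on this page (the instance-registration policy, the console policy, and Examples 1 and 2), it helps to check offline which actions each one actually grants and where it relies on wildcards. The following is an added example, not Amazon's own code or any AWS SDK API: a small Python checker that applies the IAM matching rules for Allow and Deny statements (action names compare case-insensitively, * and ? are wildcards, and an explicit Deny overrides any Allow) and flags Allow statements whose Action or Resource is a bare wildcard. The policies are copied from this page; the service ARNs and the SCOPED_POLICY variant are constructed placeholders that show how restricting Resource changes the outcome compared with Resource "*". Condition keys, NotAction, NotResource and Principal are deliberately not modelled.

```python
# Added example (not Amazon's code or API): offline evaluation of the
# identity-based policies on this page. Models Allow/Deny on Action and
# Resource only; Condition, NotAction, NotResource and Principal are ignored.
import re

# Policies copied from this page, as Python dicts.
INSTANCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowInstancePermissions", "Effect": "Allow",
        "Action": [
            "servicediscovery:RegisterInstance", "servicediscovery:DeregisterInstance",
            "servicediscovery:DiscoverInstances", "servicediscovery:Get*",
            "servicediscovery:List*", "route53:GetHostedZone",
            "route53:ListHostedZonesByName", "route53:ChangeResourceRecordSets",
            "route53:CreateHealthCheck", "route53:GetHealthCheck",
            "route53:DeleteHealthCheck", "route53:UpdateHealthCheck",
            "ec2:DescribeInstances"],
        "Resource": "*"}]}
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["servicediscovery:Get*", "servicediscovery:List*",
                   "servicediscovery:DiscoverInstances"],
        "Resource": "*"}]}
CONSOLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["servicediscovery:*", "route53:GetHostedZone",
                   "route53:ListHostedZonesByName", "route53:CreateHostedZone",
                   "route53:DeleteHostedZone", "route53:ChangeResourceRecordSets",
                   "route53:CreateHealthCheck", "route53:GetHealthCheck",
                   "route53:DeleteHealthCheck", "route53:UpdateHealthCheck",
                   "ec2:DescribeInstances", "ec2:DescribeVpcs", "ec2:DescribeRegions"],
        "Resource": "*"}]}

# Constructed placeholder ARNs (not real resources) used to show Resource scoping.
SERVICE_A = "arn:aws:servicediscovery:us-east-1:111122223333:service/srv-exampleA"
SERVICE_B = "arn:aws:servicediscovery:us-east-1:111122223333:service/srv-exampleB"

# Constructed variant of the instance policy: same actions, but scoped to one
# service ARN, plus an explicit Deny on DeregisterInstance.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        dict(INSTANCE_POLICY["Statement"][0], Resource=SERVICE_A),
        {"Effect": "Deny", "Action": "servicediscovery:DeregisterInstance",
         "Resource": "*"}]}


def _as_list(value):
    """IAM lets Action and Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, ignore_case):
    """IAM pattern match: '*' is any run of characters, '?' is one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def is_allowed(policy, action, resource=SERVICE_A):
    """True when an Allow statement matches action and resource and no Deny does."""
    allowed = denied = False
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive; resource ARNs are compared as written.
        act_hit = any(_matches(p, action, True) for p in _as_list(stmt.get("Action", [])))
        res_hit = any(_matches(p, resource, False) for p in _as_list(stmt.get("Resource", [])))
        if act_hit and res_hit:
            if stmt["Effect"] == "Allow":
                allowed = True
            elif stmt["Effect"] == "Deny":
                denied = True  # an explicit Deny always wins
    return allowed and not denied


def lint_policy(policy):
    """Flag Allow statements that cover every action of a service or every resource."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "Statement[%d]" % i)
        for p in _as_list(stmt.get("Action", [])):
            if p == "*" or p.endswith(":*"):
                findings.append("%s: Action %r covers every action of the service" % (sid, p))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append("%s: Resource '*' covers every resource in the account" % sid)
    return findings


if __name__ == "__main__":
    checks = ["servicediscovery:DiscoverInstances", "servicediscovery:RegisterInstance",
              "servicediscovery:CreateService", "route53:CreateHostedZone"]
    for name, pol in [("instance", INSTANCE_POLICY), ("read-only", READ_ONLY_POLICY),
                      ("console", CONSOLE_POLICY), ("scoped", SCOPED_POLICY)]:
        print(name, {a: is_allowed(pol, a) for a in checks}, lint_policy(pol))
```

Running the script shows that the read-only policy grants Get*, List* and DiscoverInstances but nothing that mutates state, that the console policy's servicediscovery:* covers every current and future Cloud Map action, and that the scoped variant answers differently for the two service ARNs. For a real policy the authoritative check is the IAM policy simulator, since it also evaluates Condition keys and the other policy types that this checker leaves out.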
To provide access, add permissions to your users, groups, or roles:
- Users managed in IAM through an identity provider: Create a role for identity federation. Follow the instructions in Creating a role for a third-party identity provider (federation) in the IAM User Guide.
- IAM users:
  - Create a role that your user can assume. Follow the instructions in Creating a role for an IAM user in the IAM User Guide.
  - (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in Adding permissions to a user (console) in the IAM User Guide.