Using IAM Locally - Amazon Snowball Edge Developer Guide
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using IAM Locally

Amazon Identity and Access Management (IAM) helps you securely control access to Amazon resources that run on your Amazon Snowball Edge device. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

IAM is supported locally on your device. You can use the local IAM service to create new users and attach IAM policies to them. You can use these policies to allow the access necessary to perform assigned tasks. For example, you can give a user the ability to transfer data, but limit their ability to create new Amazon EC2-compatible instances.

Additionally, you can create local, session-based credentials using Amazon Security Token Service (Amazon STS) on your device. For information about the IAM service, see Getting started in the IAM User Guide.

Your device's root credentials can't be disabled, and you can't use policies within your account to explicitly deny access to the Amazon Web Services account root user. We recommend that you secure your root user access keys and create IAM user credentials for everyday interaction with your device.

Important

The documentation in this section applies to using IAM locally on an Amazon Snowball Edge device. For information about using IAM in the Amazon Web Services Cloud, see Identity and Access Management in Amazon Snowball.

For Amazon services to work properly on a Snowball Edge, you must allow the ports for the services. For details, see Ports Required to Use Amazon Services on an Amazon Snowball Edge Device.

Using the Amazon CLI and API Operations on Snowball Edge

When using the Amazon CLI or API operations to issue IAM, Amazon STS, Amazon S3, and Amazon EC2 commands on Snowball Edge, you must specify the region as "snow." You can do this using aws configure or within the command itself, as in the following examples.

$ aws configure --profile abc
Amazon Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
Amazon Secret Access Key [None]: 1234567
Default region name [None]: snow
Default output format [None]: json

Or

aws iam list-users --profile snowballEdge --endpoint http://192.0.2.0:6078 --region snow
Note

The access key ID and secret access key that are used locally on Amazon Snowball Edge can't be interchanged with the keys in the Amazon Web Services Cloud. Local keys work only against the device's endpoints, and cloud keys are not accepted by the device.
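The following Python script is added here as an example; it is not part of the Snowball Edge documentation or tooling. It strings the local IAM commands together the way a practitioner provisions a least-privilege transfer user: create the user, create a bucket-scoped managed policy (the read/write policy from Example 3 later on this page), attach it to the user, and issue an access key. It drives the AWS CLI through subprocess, so every call carries --region snow and the device endpoint. The endpoint address 192.0.2.0:6078, the profile name snowballEdge (holding the device's root keys), and the user and policy names are assumptions; the runner is injectable so the call sequence can be checked without a device.

```python
"""Provision a least-privilege local IAM user on a Snowball Edge via the AWS CLI.

Example code added for this page, not a script shipped with the device or the
CLI.  Assumes the profile `snowballEdge` holds the device root keys and that the
local IAM endpoint is http://192.0.2.0:6078 (both are assumptions).
"""
import json
import subprocess

ENDPOINT = "http://192.0.2.0:6078"   # local IAM endpoint, port 6078 (assumed address)
PROFILE = "snowballEdge"             # CLI profile holding the device root keys


def iam_argv(command, endpoint=ENDPOINT, profile=PROFILE, **params):
    """Build the argv for one local IAM call.

    Every local call must carry --region snow and the device endpoint.
    Keyword names map to CLI flags (user_name -> --user-name).
    """
    argv = ["aws", "iam", command, "--endpoint", endpoint,
            "--region", "snow", "--profile", profile]
    for name, value in params.items():
        argv += ["--" + name.replace("_", "-"), value]
    return argv


def run_cli(argv):
    """Run the CLI and parse its JSON output (json is the default output format)."""
    out = subprocess.run(argv, check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def provision_user(user_name, policy_name, policy_document, runner=run_cli):
    """Create the user and policy, attach the policy, and return the new key.

    `runner` executes one argv and returns the parsed JSON; it is injectable so
    the sequence can be exercised without a device.
    """
    runner(iam_argv("create-user", user_name=user_name))
    created = runner(iam_argv("create-policy", policy_name=policy_name,
                              policy_document=json.dumps(policy_document)))
    policy_arn = created["Policy"]["Arn"]          # create-policy returns {"Policy": {...}}
    runner(iam_argv("attach-user-policy", user_name=user_name, policy_arn=policy_arn))
    key = runner(iam_argv("create-access-key", user_name=user_name))["AccessKey"]
    return {"PolicyArn": policy_arn,
            "AccessKeyId": key["AccessKeyId"],
            "SecretAccessKey": key["SecretAccessKey"]}


# Bucket-scoped read/write policy, the same shape as Example 3 on this page.
# "bucket-name" is a placeholder.
TRANSFER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::bucket-name"},
        {"Effect": "Allow", "Action": "s3:*Object",
         "Resource": "arn:aws:s3:::bucket-name/*"},
    ],
}

if __name__ == "__main__":
    # Requires a reachable device; prints the new credentials once. Store them
    # securely: the secret access key cannot be retrieved again afterwards.
    print(json.dumps(provision_user("transfer-user", "TransferPolicy", TRANSFER_POLICY), indent=2))
```

Run it once per user with the device's root profile, then hand out only the returned user keys; the root keys stay on the operator's workstation.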

List of Supported IAM Amazon CLI Commands on a Snowball Edge

Following is a description of the subset of Amazon CLI commands and options for IAM that are supported on Snowball Edge devices. If a command or option isn't listed here, it isn't supported. Unsupported parameters for listed commands are noted in the description.

  • attach-role-policy – Attaches the specified managed policy to the specified IAM role.

  • attach-user-policy – Attaches the specified managed policy to the specified user.

  • create-access-key – Creates a new local IAM secret access key and corresponding Amazon access key ID for the specified user.

  • create-policy – Creates a new IAM managed policy for your device.

  • create-role – Creates a new local IAM role for your device. The following parameters are not supported:

    • Tags

    • PermissionsBoundary

  • create-user – Creates a new local IAM user for your device. The following parameters are not supported:

    • Tags

    • PermissionsBoundary

  • delete-access-key – Deletes the specified local IAM access key (the secret access key and its corresponding Amazon access key ID) for the specified user.

  • delete-policy – Deletes the specified managed policy.

  • delete-role – Deletes the specified role.

  • delete-user – Deletes the specified user.

  • detach-role-policy – Removes the specified managed policy from the specified role.

  • detach-user-policy – Removes the specified managed policy from the specified user.

  • get-policy – Retrieves information about the specified managed policy, including the policy's default version and the total number of local IAM users, groups, and roles to which the policy is attached.

  • get-policy-version – Retrieves information about the specified version of the specified managed policy, including the policy document.

  • get-role – Retrieves information about the specified role, including the role's path, GUID, ARN, and the role's trust policy that grants permission to assume the role.

  • get-user – Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN.

  • list-access-keys – Returns information about the access key IDs associated with the specified IAM user.

  • list-attached-role-policies – Lists all managed policies that are attached to the specified IAM role.

  • list-attached-user-policies – Lists all managed policies that are attached to the specified IAM user.

  • list-entities-for-policy – Lists all local IAM users, groups, and roles that the specified managed policy is attached to.

    • --entity-filter: Only the User and Role values are supported.

  • list-policies – Lists all the managed policies that are available in your local Amazon Web Services account. The following parameter is not supported:

    • --policy-usage-filter

  • list-roles – Lists the local IAM roles that have the specified path prefix.

  • list-users – Lists the IAM users that have the specified path prefix.

  • update-access-key – Changes the status of the specified access key from Active to Inactive, or vice versa.

  • update-assume-role-policy – Updates the policy that grants an IAM entity permission to assume a role.

  • update-role – Updates the description or maximum session duration setting of a role.

  • update-user – Updates the name and/or the path of the specified IAM user.

Supported IAM API Operations

Following are the IAM API operations that you can use with a Snowball Edge, with links to their descriptions in the IAM API Reference.

  • AttachRolePolicy – Attaches the specified managed policy to the specified IAM role.

  • AttachUserPolicy – Attaches the specified managed policy to the specified user.

  • CreateAccessKey – Creates a new local IAM secret access key and corresponding Amazon access key ID for the specified user.

  • CreatePolicy – Creates a new IAM managed policy for your device.

  • CreateRole – Creates a new local IAM role for your device.

    The following parameters are not supported:

    • Tags

    • PermissionsBoundary

  • CreateUser – Creates a new local IAM user for your device.

    The following parameters are not supported:

    • Tags

    • PermissionsBoundary

  • DeleteAccessKey – Deletes the specified access key.

  • DeletePolicy – Deletes the specified managed policy.

  • DeleteRole – Deletes the specified role.

  • DeleteUser – Deletes the specified user.

  • DetachRolePolicy – Removes the specified managed policy from the specified role.

  • DetachUserPolicy – Removes the specified managed policy from the specified user.

  • GetPolicy – Retrieves information about the specified managed policy, including the policy's default version and the total number of local IAM users, groups, and roles to which the policy is attached.

  • GetPolicyVersion – Retrieves information about the specified version of the specified managed policy, including the policy document.

  • GetRole – Retrieves information about the specified role, including the role's path, GUID, ARN, and the role's trust policy that grants permission to assume the role.

  • GetUser – Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN.

  • ListAccessKeys – Returns information about the access key IDs associated with the specified IAM user.

  • ListAttachedRolePolicies – Lists all managed policies that are attached to the specified IAM role.

  • ListAttachedUserPolicies – Lists all managed policies that are attached to the specified IAM user.

  • ListEntitiesForPolicy – Lists all local IAM users, groups, and roles that the specified managed policy is attached to.

    • EntityFilter: Only the User and Role values are supported.

  • ListPolicies – Lists all the managed policies that are available in your local Amazon Web Services account. The following parameter is not supported:

    • PolicyUsageFilter

  • ListRoles – Lists the local IAM roles that have the specified path prefix.

  • ListUsers – Lists the IAM users that have the specified path prefix.

  • UpdateAccessKey – Changes the status of the specified access key from Active to Inactive, or vice versa.

  • UpdateAssumeRolePolicy – Updates the policy that grants an IAM entity permission to assume a role.

  • UpdateRole – Updates the description or maximum session duration setting of a role.

  • UpdateUser – Updates the name and/or the path of the specified IAM user.

Supported IAM Policy Version and Grammar

Local IAM supports version 2012-10-17 of the IAM policy language and the following subset of its grammar.

Policy type                                   Supported grammar
Identity-based policies (user/role policy)    "Effect", "Action" and "Resource"
Resource-based policies (role trust policy)   "Effect", "Action" and "Principal"

Note

Local IAM doesn't support "Condition", "NotAction", "NotResource" and "Principal" in identity-based policies. Because "Condition" is unavailable, restrictions that the cloud service would express as conditions (for example, requiring TLS or a source address) must instead be enforced by scoping "Action" and "Resource" tightly.

In a role trust policy, only an Amazon Web Services account ID or a principal ID is allowed for Principal.
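As an added example, not code from the Snowball Edge documentation or the device, the following Python linter checks a policy document against the grammar subset described above before the document is handed to create-policy or update-assume-role-policy, so a rejected element is caught on the workstation rather than by the device. The accepted Principal forms (a 12-digit account ID, the account root ARN used in the trust policy example later on this page, or a 21-character IAM unique ID) are this example's assumption about what "account ID or principal ID" means in practice, and "Sid" is treated as an accepted label because the examples on this page use it. The linter also flags a mistake the grammar does not catch: s3:ListBucket granted only on an object ARN (bucket/*), which is evaluated against the bucket ARN (compare Example 3).

```python
"""Lint an IAM policy document against the grammar subset that local IAM on a
Snowball Edge accepts.

Example code added for this page; it is not part of the device or the AWS CLI.
Identity-based policies may use only Effect, Action and Resource (Condition,
NotAction, NotResource and Principal are rejected); trust policies may use only
Effect, Action and Principal.  The three accepted Principal forms below are an
assumption about how "account ID or principal ID" is interpreted.
"""
import fnmatch
import json
import re

SUPPORTED_VERSION = "2012-10-17"
IDENTITY_KEYS = {"Sid", "Effect", "Action", "Resource"}
TRUST_KEYS = {"Sid", "Effect", "Action", "Principal"}
UNSUPPORTED_KEYS = {"Condition", "NotAction", "NotResource", "NotPrincipal"}

ACCOUNT_ID = re.compile(r"^\d{12}$")                    # bare account ID
ROOT_ARN = re.compile(r"^arn:aws:iam::\d{12}:root$")     # account root ARN
PRINCIPAL_ID = re.compile(r"^A[A-Z0-9]{20}$")            # IAM unique ID (assumed form)


def _as_list(value):
    """IAM lets most elements be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_ok(principal):
    """Accept only {"AWS": ...} with every entry in one of the permitted forms."""
    if not isinstance(principal, dict) or set(principal) != {"AWS"}:
        return False
    return all(ACCOUNT_ID.match(p) or ROOT_ARN.match(p) or PRINCIPAL_ID.match(p)
               for p in _as_list(principal["AWS"]))


def lint_policy(document, trust_policy=False):
    """Return a list of problems; an empty list means the policy passes.

    `document` is a JSON string or an already-parsed dict.  Set
    trust_policy=True for a role trust policy (update-assume-role-policy).
    """
    doc = json.loads(document) if isinstance(document, str) else document
    problems = []
    if doc.get("Version") != SUPPORTED_VERSION:
        problems.append(f"Version must be {SUPPORTED_VERSION}")
    allowed = TRUST_KEYS if trust_policy else IDENTITY_KEYS
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        where = f"Statement[{i}]"
        for key in sorted(set(stmt) - allowed):
            tag = "unsupported on local IAM" if key in UNSUPPORTED_KEYS else "not allowed here"
            problems.append(f"{where}: '{key}' {tag}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be Allow or Deny")
        if "Action" not in stmt:
            problems.append(f"{where}: Action is required")
        if trust_policy:
            if not _principal_ok(stmt.get("Principal")):
                problems.append(f"{where}: Principal must be an account ID or principal ID")
            continue
        resources = _as_list(stmt.get("Resource", []))
        if not resources:
            problems.append(f"{where}: Resource is required")
        # s3:ListBucket is a bucket-level action: a Resource of only "bucket/*"
        # never matches it, so listing silently fails.  Wildcard actions such as
        # "s3:List*" or "s3:*" are expanded with fnmatch to catch that too.
        lists_bucket = any(fnmatch.fnmatchcase("s3:ListBucket", a)
                           for a in _as_list(stmt.get("Action", [])))
        has_bucket_arn = any(r == "*" or (r.startswith("arn:aws:s3:::") and "/" not in r)
                             for r in resources)
        if lists_bucket and not has_bucket_arn:
            problems.append(f"{where}: s3:ListBucket needs the bucket ARN (without /*) in Resource")
    return problems
```

Run lint_policy on the document before every create-policy call; for trust policies, pass trust_policy=True so Resource is rejected and Principal is required.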

IAM Policy Examples

Note

Amazon Identity and Access Management (IAM) users need "snowballdevice:*" permissions to use the Amazon OpsHub for Snow Family application to manage Snow Family devices.

The following are examples of policies that grant permissions to a Snowball Edge device.

Example 1: Allows the GetUser call for a sample user through the IAM API

Use the following policy to allow the GetUser call for a sample user through the IAM API.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "iam:GetUser",
      "Resource": "arn:aws:iam:::user/example-user"
    }
  ]
}

Example 2: Allows Full Access to the Amazon S3 API

Use the following policy to allow full access to the Amazon S3 API.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}

Example 3: Allows Read and Write Access to a Specific Amazon S3 Bucket

Use the following policy to allow read and write access to a specific bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListObjectsInBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucket-name"
    },
    {
      "Sid": "AllObjectActions",
      "Effect": "Allow",
      "Action": "s3:*Object",
      "Resource": "arn:aws:s3:::bucket-name/*"
    }
  ]
}

Example 4: Allows List, Get, and Put Access to a Specific Amazon S3 Bucket

Use the following policy to allow List, Get, and Put access to a specific S3 bucket. Because s3:ListBucket is evaluated against the bucket ARN rather than against object ARNs (compare Example 3), the bucket ARN is listed alongside the object ARN in Resource; with only the object ARN, listing the bucket would be denied.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::examplebucket",
        "arn:aws:s3:::examplebucket/*"
      ]
    }
  ]
}

Example 5: Allows Full Access to the Amazon EC2 API

Use the following policy to allow full access to Amazon EC2.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    }
  ]
}

Example 6: Allows Access to Start and Stop Amazon EC2-compatible Instances

Use the following policy to allow a user to start and stop Amazon EC2-compatible instances without granting the ability to launch new ones.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*"
    }
  ]
}

Example 7: Denies Calls to DescribeLaunchTemplates but Allows All Calls to DescribeImages

Use the following policy to deny calls to DescribeLaunchTemplates but allow calls to DescribeImages. As in the cloud service, an explicit Deny overrides any Allow for the same action, so the Deny statement holds even if another attached policy grants ec2:*.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ec2:DescribeLaunchTemplates"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeImages"
      ],
      "Resource": "*"
    }
  ]
}

Example 8: Policy for API Calls

The following call lists all the managed policies that are available on your Snow device, including your own customer-defined managed policies. For details, see list-policies. The Administrator policy shown in the output is the device's built-in root user admin policy; it is attached to the root user and should not be attached to the everyday users you create.

aws iam list-policies --endpoint http://ip-address:6078 --profile snowballEdge --region snow

{
    "Policies": [
        {
            "PolicyName": "Administrator",
            "Description": "Root user admin policy for Account 123456789012",
            "CreateDate": "2020-03-04T17:44:59.412Z",
            "AttachmentCount": 1,
            "IsAttachable": true,
            "PolicyId": "policy-id",
            "DefaultVersionId": "v1",
            "Path": "/",
            "Arn": "arn:aws:iam::123456789012:policy/Administrator",
            "UpdateDate": "2020-03-04T19:10:45.620Z"
        }
    ]
}

TrustPolicy Example

A role's trust policy specifies which principals are allowed to assume the role. Calling AssumeRole on a role that trusts you returns a set of temporary security credentials that you can use to access Amazon resources that you might normally not have access to. These temporary credentials consist of an access key ID, a secret access key, and a security token. In the Amazon Web Services Cloud, AssumeRole is typically used for cross-account access; on the device, the local Amazon STS issues these credentials for local roles.

The following is an example of a trust policy. In the Principal element, you can use the principal ID instead of the account ID. For more information about trust policies, see AssumeRole in the Amazon Security Token Service API Reference.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::AccountId:root"
        ]
      },
      "Action": [
        "sts:AssumeRole"
      ]
    }
  ]
}