Tags: amazon-web-services, amazon-iam, cicd

Limit AWS IAM role to modify only specific IAM permissions of other roles?


We have a CI/CD-runner with a certain set of IAM permissions. We would like to allow that runner to modify specific permissions of a particular IAM role, respectively modify a particular policy within certain borders. It should only be permitted to, e.g., add or remove resources to/from a set of "athena:..." actions or modify the permissions in the "athena:..." action space. It must not be allowed to add or modify, say, "iam:..." permissions for that particular role.

Is it possible to limit a role in such a way that only specific modifications to another role's policy are allowed?


Solution

  • I'll try to restate in order to check if I understood correctly.

    You have a CICD agent (let's call it CICDUser) that can assume a role with some policies and a Runner (let's call it RunnerUser) which performs actions on the AWS platform.

    You want to allow CICDUser to modify RunnerUser's IAM permissions within predefined boundaries (in terms of actions and resources).

    To do that, I suggest the following approach:

    Step 1 - Create Runner's policy boundaries (let's call it RunnerBoundaries) and attach it to the RunnerUser. For example:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "athena:*",
                "Resource": [
                    "arn:aws:athena:eu-central-1:012345678910:datacatalog/catalog-name-1",
                    "arn:aws:athena:eu-central-1:012345678910:datacatalog/catalog-name-2"
                ]
            }
        ]
    }
    

    In this example, you are allowing RunnerUser to have maximum privileges only on catalog-name-1 and catalog-name-2 actions (but the actual allowed actions will be set by the following policy).

    Step 2 - Create Runner's policy (let's call it RunnerPolicy) for actual permissions and attach it to RunnerUser. Even if you give Administrator access to the RunnerUser here, everything will be bounded by the RunnerBoundaries.

    Step 3 - Allow the CICDUser to update (only) RunnerPolicy document. Every update will be bounded to the RunnerBoundaries document in terms of actions and resources like in point 2. You can give CICDUser this permission with a CICDPolicy like this:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "iam:CreatePolicyVersion"
                ],
                "Resource": "arn:aws:iam::012345678910:policy/RunnerPolicy"
            }
        ]
    }
    

    In this way, CICDUser will be able to modify only the RunnerPolicy.

    You can do a lot of things in many different ways using the combination of Policies + Boundaries + Roles. Follow this documentation for more details.

    Disclaimer: I'm working at AWS, but this is not to be considered an official AWS answer, it's just my point of view. I didn't test these examples fully and everything I've reported must be validated properly before using it.
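The three steps above, written out as an added example in boto3 terms (this is not code from the question or the answer). The account id, region, role and policy names and the Athena catalog names are placeholders taken from or modelled on the answer's ARNs; the IAM calls (`create_policy`, `create_role` with `PermissionsBoundary`, `attach_role_policy`, `list_policy_versions`, `delete_policy_version`, `create_policy_version`) are real boto3 client methods. Two practical details the answer's policy leaves out are handled: `iam:CreatePolicyVersion` has to be called with `SetAsDefault=True` or the role keeps running on the old version, and IAM stores at most five versions per managed policy, so the CI/CD principal also needs `iam:ListPolicyVersions` and `iam:DeletePolicyVersion` on that one policy ARN to prune before publishing. The boundary applies to a role exactly as it does to a user, so the question's "particular IAM role" is created here with `PermissionsBoundary` pinned to RunnerBoundaries. A small in-memory `FakeIam` stand-in is included so the version-pruning logic runs offline.

```python
"""Added example (not from the question or the answer): the three steps above
in boto3 terms. Account id, region, role/policy names and catalog names are
placeholders; the IAM API calls are real boto3 client methods."""
import json

ACCOUNT = "012345678910"        # placeholder from the answer's ARNs
REGION = "eu-central-1"
RUNNER_ROLE = "RunnerRole"      # assumed name for the role being edited
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/RunnerBoundaries"
RUNNER_POLICY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/RunnerPolicy"
MAX_POLICY_VERSIONS = 5         # IAM keeps at most five versions per managed policy


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _catalog_arns(catalogs):
    return [f"arn:aws:athena:{REGION}:{ACCOUNT}:datacatalog/{c}" for c in catalogs]


def boundary_document(catalogs):
    """Step 1: RunnerBoundaries, the ceiling the runner can never exceed."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "athena:*", "Resource": _catalog_arns(catalogs)}]}


def runner_policy_document(actions, catalogs):
    """Step 2: RunnerPolicy, the only document CI/CD is allowed to rewrite."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": list(actions), "Resource": _catalog_arns(catalogs)}]}


def cicd_policy_document():
    """Step 3: CICDPolicy. Versions of RunnerPolicy only; deliberately no
    AttachRolePolicy, PutRolePolicy or *RolePermissionsBoundary, which would
    let CI/CD widen the role or strip the boundary."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicyVersion", "iam:ListPolicyVersions"],
        "Resource": RUNNER_POLICY_ARN}]}


def actions_outside_boundary(policy_doc, boundary_doc):
    """Pre-flight check for the CI job: Allow actions whose service prefix the
    boundary does not cover (e.g. "iam:PassRole", or a bare "*"). A namespace
    check for early feedback, not IAM's evaluator; the boundary is the control."""
    services = set()
    for st in boundary_doc["Statement"]:
        if st["Effect"] == "Allow":
            services.update(a.split(":")[0] for a in _as_list(st["Action"]))
    return [a for st in policy_doc["Statement"] if st["Effect"] == "Allow"
            for a in _as_list(st["Action"])
            if a == "*" or a.split(":")[0] not in services]


def publish_policy_version(iam, policy_arn, document):
    """What the CI/CD principal does per change: publish a new default version,
    first pruning the oldest non-default one if the five-version limit is hit.
    `iam` is a boto3 IAM client, or anything with the same three methods."""
    versions = iam.list_policy_versions(PolicyArn=policy_arn)["Versions"]
    if len(versions) >= MAX_POLICY_VERSIONS:
        oldest = min((v for v in versions if not v["IsDefaultVersion"]),
                     key=lambda v: v["CreateDate"])
        iam.delete_policy_version(PolicyArn=policy_arn, VersionId=oldest["VersionId"])
    resp = iam.create_policy_version(PolicyArn=policy_arn,
                                     PolicyDocument=json.dumps(document), SetAsDefault=True)
    return resp["PolicyVersion"]["VersionId"]


def bootstrap(iam, trust_policy, catalogs):
    """One-time setup by an administrator, not by CI/CD: boundary, RunnerPolicy,
    then the role created with the boundary already pinned to it."""
    iam.create_policy(PolicyName="RunnerBoundaries", PolicyDocument=json.dumps(boundary_document(catalogs)))
    iam.create_policy(PolicyName="RunnerPolicy", PolicyDocument=json.dumps(
        runner_policy_document(["athena:StartQueryExecution"], catalogs)))
    iam.create_role(RoleName=RUNNER_ROLE, AssumeRolePolicyDocument=json.dumps(trust_policy),
                    PermissionsBoundary=BOUNDARY_ARN)
    iam.attach_role_policy(RoleName=RUNNER_ROLE, PolicyArn=RUNNER_POLICY_ARN)


class FakeIam:
    """In-memory stand-in for the three version calls so the example runs offline."""
    def __init__(self, existing):
        self.versions = [{"VersionId": f"v{i}", "IsDefaultVersion": i == existing,
                          "CreateDate": i} for i in range(1, existing + 1)]
        self.deleted = []

    def list_policy_versions(self, PolicyArn):
        return {"Versions": list(self.versions)}

    def delete_policy_version(self, PolicyArn, VersionId):
        self.deleted.append(VersionId)
        self.versions = [v for v in self.versions if v["VersionId"] != VersionId]

    def create_policy_version(self, PolicyArn, PolicyDocument, SetAsDefault):
        vid = f"v{len(self.versions) + len(self.deleted) + 1}"
        for v in self.versions:
            v["IsDefaultVersion"] = False
        self.versions.append({"VersionId": vid, "IsDefaultVersion": SetAsDefault, "CreateDate": 10**9})
        return {"PolicyVersion": {"VersionId": vid}}


if __name__ == "__main__":
    fake = FakeIam(existing=5)   # policy already at the five-version limit
    wanted = runner_policy_document(["athena:StartQueryExecution", "athena:GetQueryResults"], ["catalog-name-1"])
    assert not actions_outside_boundary(wanted, boundary_document(["catalog-name-1", "catalog-name-2"]))
    print("published", publish_policy_version(fake, RUNNER_POLICY_ARN, wanted), "pruned", fake.deleted)
```

Even if a CI job pushes a RunnerPolicy version containing `iam:*`, the role's effective permissions stay at the intersection of that policy and RunnerBoundaries, so nothing outside `athena:*` on the two catalogs is ever granted; `actions_outside_boundary` only fails the pipeline early instead of letting a useless version be published.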