I'm trying to configure an S3 bucket, that's generated by serverless, to restrict put
access by IP.
Looking at this documentation for AWS, I assume what I want is PolicyDocument,
but I also see AssumeRolePolicyDocument. And sometimes they appear to be used in conjunction.
What are the differences between these two properties?
A policy document is nothing but a set of permissions to allow/deny access to AWS resources. This policy can be attached to users/roles/groups. If this policy is attached to roles/groups, the users to which the roles are attached, or the list of the users in the group, will have the permissions defined in the policy (for example, having EC2 or VPC access, etc.).
An AssumeRolePolicy is provided in a role to help enable a trust relationship for other AWS services/AWS accounts to consume this role and gain permissions.
For example, Lambda will need an IAM role to be attached to define all the permissions it requires for its execution.
A normal IAM role cannot be attached to Lambda since no trust relationship is defined, i.e., the role does not allow it to be consumed by Lambda. Once a trust relationship is added for Lambda, the role can be attached to Lambda, thereby gaining the permissions defined.
The same will also apply for cross-account access if an account ID is used as the principal instead of the Lambda service, where, using a role in account A, one can gain access to the permissions defined in role B (meaning you can access account B with access from account A if trust is established).
In a trust relationship, the assume role uses the Security Token Service (STS), where temporary credentials are provided for accessing the AWS resources.
Hope this helps!
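To make the distinction concrete, and to show how it connects to the original goal of restricting PutObject by IP, here is an added example that is not part of the question or the answer above. It builds the two documents side by side as CloudFormation-shaped dicts: an AssumeRolePolicyDocument (the trust policy, which only says who may call sts:AssumeRole) and a PolicyDocument (the permissions the role holds once assumed). The IP restriction itself does not belong in either of them; it goes in the bucket's resource policy, modelled here as an explicit Deny of s3:PutObject with a NotIpAddress condition on aws:SourceIp. A small evaluator then simulates how that condition behaves for a few constructed request contexts. The bucket name, the 203.0.113.0/24 range (a documentation net) and the account ID are placeholders, and the evaluator is a deliberately minimal model of IAM's IpAddress/NotIpAddress operators, not the real policy engine.

```python
import ipaddress

# Hypothetical placeholders; not values from the original page.
BUCKET = "my-upload-bucket"
ALLOWED_CIDRS = ["203.0.113.0/24"]      # e.g. an office egress range
PEER_ACCOUNT = "111122223333"           # hypothetical account for cross-account trust


def assume_role_policy(trusted_principal):
    """AssumeRolePolicyDocument (trust policy): who may call sts:AssumeRole.

    trusted_principal is a service, e.g. {"Service": "lambda.amazonaws.com"},
    or an account, e.g. {"AWS": "arn:aws:iam::111122223333:root"}.
    It grants no permissions on any resource by itself.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": trusted_principal,
            "Action": "sts:AssumeRole",
        }],
    }


def permission_policy(bucket):
    """PolicyDocument: what the role may do once assumed (least privilege)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def lambda_role_resource(bucket):
    """CloudFormation AWS::IAM::Role: both documents are used in conjunction."""
    return {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "AssumeRolePolicyDocument": assume_role_policy({"Service": "lambda.amazonaws.com"}),
            "Policies": [{"PolicyName": "upload-only",
                          "PolicyDocument": permission_policy(bucket)}],
        },
    }


def cross_account_trust(account_id):
    """Trust policy variant that lets principals in another account assume the role."""
    return assume_role_policy({"AWS": f"arn:aws:iam::{account_id}:root"})


def bucket_policy(bucket, cidrs):
    """Resource-based S3 bucket policy: deny PutObject unless the caller's
    public source IP is inside one of `cidrs`. An explicit Deny wins over
    any Allow in the role's PolicyDocument."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyPutFromOutsideAllowedCidrs",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": cidrs}},
        }],
    }


def _ip_in(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def condition_matches(condition, context):
    """Minimal model of the IpAddress / NotIpAddress operators.

    A missing context key makes IpAddress fail and NotIpAddress succeed
    (negated operators match when the key is absent). aws:SourceIp is
    absent for requests arriving through a VPC endpoint, so this Deny
    also blocks those unless the policy makes a separate exception.
    """
    for operator, pairs in condition.items():
        for key, values in pairs.items():
            values = [values] if isinstance(values, str) else values
            present = key in context
            if operator == "IpAddress":
                if not (present and _ip_in(context[key], values)):
                    return False
            elif operator == "NotIpAddress":
                if present and _ip_in(context[key], values):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def put_allowed(policy, context, action="s3:PutObject"):
    """True unless a Deny statement for `action` has its condition satisfied.
    Assumes the caller already holds an Allow for the action (e.g. from the
    role's PolicyDocument above)."""
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] == "Deny" and action in actions \
                and condition_matches(st.get("Condition", {}), context):
            return False
    return True


if __name__ == "__main__":
    pol = bucket_policy(BUCKET, ALLOWED_CIDRS)
    # Constructed request contexts: inside the range, outside it, and a
    # VPC-endpoint request that carries no aws:SourceIp at all.
    for ctx in ({"aws:SourceIp": "203.0.113.10"},
                {"aws:SourceIp": "198.51.100.7"},
                {}):
        print(ctx, "->", "allowed" if put_allowed(pol, ctx) else "denied")
```

The practical consequences worth checking before deploying something like this: the trust policy alone never grants S3 access, and the bucket policy's Deny applies to every principal (including the account's own users) whose request does not carry an aws:SourceIp inside the range, so a Lambda running inside a VPC and reaching S3 through a gateway endpoint will be denied by this statement and needs its own exception (for example on aws:SourceVpce) rather than a wider IP range.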