Using IAM locally on a Snowball Edge - AWS Snowball Edge Developer Guide

Using IAM locally on a Snowball Edge

AWS Identity and Access Management (IAM) helps you securely control access to AWS resources that run on your AWS Snowball Edge device. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

IAM is supported locally on your device. You can use the local IAM service to create new users and attach IAM policies to them. You can use these policies to allow the access necessary to perform assigned tasks. For example, you can give a user the ability to transfer data, but limit their ability to create new Amazon EC2-compatible instances.

Additionally, you can create local, session-based credentials using AWS Security Token Service (AWS STS) on your device. For information about the IAM service, see Getting started in the IAM User Guide.

Your device's root credentials can't be disabled, and you can't use policies within your account to explicitly deny access to the AWS account root user. We recommend that you secure your root user access keys and create IAM user credentials for everyday interaction with your device.

Important

The documentation in this section applies to using IAM locally on an AWS Snowball Edge device. For information about using IAM in the AWS Cloud, see Identity and Access Management in AWS Snowball.

For AWS services to work properly on a Snowball Edge, you must allow the ports for the services. For details, see Port requirements for AWS services on a Snowball Edge.

Using the AWS CLI and API Operations on a Snowball Edge

When using the AWS CLI or API operations to issue IAM, AWS STS, Amazon S3, and Amazon EC2 commands on Snowball Edge, you must specify the region as "snow." You can do this using aws configure or within the command itself, as in the following examples.

aws configure --profile abc
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: 1234567
Default region name [None]: snow
Default output format [None]: json

Or

aws iam list-users --profile snowballEdge --endpoint http://192.0.2.0:6078 --region snow

Note

The access key ID and access secret key that are used locally on AWS Snowball Edge can't be interchanged with the keys in the AWS Cloud.

List of Supported IAM AWS CLI Commands on a Snowball Edge

Following is a description of the subset of AWS CLI commands and options for IAM that are supported on Snowball Edge devices. If a command or option isn't listed here, it's not supported. Unsupported parameters are noted in each command's description.

  • attach-role-policy – Attaches the specified managed policy to the specified IAM role.

  • attach-user-policy – Attaches the specified managed policy to the specified user.

  • create-access-key – Creates a new local IAM secret access key and corresponding AWS access key ID for the specified user.

  • create-policy – Creates a new IAM managed policy for your device.

  • create-role – Creates a new local IAM role for your device. The following parameters are not supported:

    • Tags

    • PermissionsBoundary

  • create-user – Creates a new local IAM user for your device. The following parameters are not supported:

    • Tags

    • PermissionsBoundary

  • delete-access-key – Deletes the specified local IAM secret access key and corresponding AWS access key ID for the specified user.

  • delete-policy – Deletes the specified managed policy.

  • delete-role – Deletes the specified role.

  • delete-user – Deletes the specified user.

  • detach-role-policy – Removes the specified managed policy from the specified role.

  • detach-user-policy – Removes the specified managed policy from the specified user.

  • get-policy – Retrieves information about the specified managed policy, including the policy's default version and the total number of local IAM users, groups, and roles to which the policy is attached.

  • get-policy-version – Retrieves information about the specified version of the specified managed policy, including the policy document.

  • get-role – Retrieves information about the specified role, including the role's path, GUID, ARN, and the role's trust policy that grants permission to assume the role.

  • get-user – Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN.

  • list-access-keys – Returns information about the access key IDs associated with the specified IAM user.

  • list-attached-role-policies – Lists all managed policies that are attached to the specified IAM role.

  • list-attached-user-policies – Lists all managed policies that are attached to the specified IAM user.

  • list-entities-for-policy – Lists all local IAM users, groups, and roles that the specified managed policy is attached to.

    • --EntityFilter: Only the user and role values are supported.

  • list-policies – Lists all the managed policies that are available in your local AWS account. The following parameter is not supported:

    • --PolicyUsageFilter

  • list-roles – Lists the local IAM roles that have the specified path prefix.

  • list-users – Lists the IAM users that have the specified path prefix.

  • update-access-key – Changes the status of the specified access key from Active to Inactive, or vice versa.

  • update-assume-role-policy – Updates the policy that grants an IAM entity permission to assume a role.

  • update-role – Updates the description or maximum session duration setting of a role.

  • update-user – Updates the name and/or the path of the specified IAM user.

Supported IAM API operations on Snowball Edge

Following are the IAM API operations that you can use with a Snowball Edge, with links to their descriptions in the IAM API Reference.

  • AttachRolePolicy – Attaches the specified managed policy to the specified IAM role.

  • AttachUserPolicy – Attaches the specified managed policy to the specified user.

  • CreateAccessKey – Creates a new local IAM secret access key and corresponding AWS access key ID for the specified user.

  • CreatePolicy – Creates a new IAM managed policy for your device.

  • CreateRole – Creates a new local IAM role for your device.

  • CreateUser – Creates a new local IAM user for your device.

    The following parameters are not supported:

    • Tags

    • PermissionsBoundary

  • DeleteAccessKey – Deletes the specified access key.

  • DeletePolicy – Deletes the specified managed policy.

  • DeleteRole – Deletes the specified role.

  • DeleteUser – Deletes the specified user.

  • DetachRolePolicy – Removes the specified managed policy from the specified role.

  • DetachUserPolicy – Removes the specified managed policy from the specified user.

  • GetPolicy – Retrieves information about the specified managed policy, including the policy's default version and the total number of local IAM users, groups, and roles to which the policy is attached.

  • GetPolicyVersion – Retrieves information about the specified version of the specified managed policy, including the policy document.

  • GetRole – Retrieves information about the specified role, including the role's path, GUID, ARN, and the role's trust policy that grants permission to assume the role.

  • GetUser – Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN.

  • ListAccessKeys – Returns information about the access key IDs associated with the specified IAM user.

  • ListAttachedRolePolicies – Lists all managed policies that are attached to the specified IAM role.

  • ListAttachedUserPolicies – Lists all managed policies that are attached to the specified IAM user.

  • ListEntitiesForPolicy – Lists all local IAM users, groups, and roles that the specified managed policy is attached to.

    • --EntityFilter: Only the user and role values are supported.

  • ListPolicies – Lists all the managed policies that are available in your local AWS account. The following parameter is not supported:

    • --PolicyUsageFilter

  • ListRoles – Lists the local IAM roles that have the specified path prefix.

  • ListUsers – Lists the IAM users that have the specified path prefix.

  • UpdateAccessKey – Changes the status of the specified access key from Active to Inactive, or vice versa.

  • UpdateAssumeRolePolicy – Updates the policy that grants an IAM entity permission to assume a role.

  • UpdateRole – Updates the description or maximum session duration setting of a role.

  • UpdateUser – Updates the name and/or the path of the specified IAM user.

Supported IAM policy version and grammar on Snowball Edge

Local IAM supports version 2012-10-17 of the IAM policy language and the following subset of the policy grammar.

Policy type                                   Supported grammar
Identity-based policies (user/role policy)    "Effect", "Action" and "Resource"
Resource-based policies (role trust policy)   "Effect", "Action" and "Principal"

Note

Local IAM doesn't support "Condition", "NotAction", "NotResource" and "Principal" in identity-based policies.

For Principal in a role trust policy, only an AWS account ID or principal ID is allowed.
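Because the local service accepts only this subset, a policy written for the AWS Cloud (for example one that relies on a Condition block) will not express the intended restriction on the device. The following pre-flight checker is an added example, not AWS code; it encodes the rules from the table above and can be run over a policy document before you pass it to create-policy or create-role. The accepted shapes for "account ID" (12 digits or an account-root ARN) and "principal ID" (an IAM unique ID beginning with "A"), and the wording of the messages, are this example's own assumptions.

```python
"""Pre-flight check of a policy document against the grammar subset the
local IAM service on a Snowball Edge accepts (added example, not AWS code).
Rules encoded: Version 2012-10-17; identity-based policies use only
Effect, Action and Resource (Sid is tolerated as a label); trust policies
use only Effect, Action and Principal, and Principal must be an AWS
account ID or a principal ID. The ID patterns and messages are assumed."""
import json
import re

SUPPORTED_VERSION = "2012-10-17"
IDENTITY_KEYS = {"Sid", "Effect", "Action", "Resource"}
TRUST_KEYS = {"Sid", "Effect", "Action", "Principal"}

# Assumed shapes: 12-digit account ID, account-root ARN, or IAM unique ID.
_ACCOUNT_ID = re.compile(r"^\d{12}$")
_ROOT_ARN = re.compile(r"^arn:aws:iam::\d{12}:root$")
_PRINCIPAL_ID = re.compile(r"^A[A-Z0-9]{16,}$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _check_principal(principal, where):
    """Trust policies: Principal must name an account ID or principal ID."""
    if not isinstance(principal, dict) or "AWS" not in principal:
        return [f'{where}: Principal must be {{"AWS": <account or principal ID>}}']
    problems = []
    for p in _as_list(principal["AWS"]):
        if not (_ACCOUNT_ID.match(p) or _ROOT_ARN.match(p) or _PRINCIPAL_ID.match(p)):
            problems.append(f"{where}: Principal {p!r} is not an account ID or principal ID")
    return problems


def validate_policy(document, kind="identity"):
    """Return the list of grammar problems found (empty means the document
    fits the local subset). `document` is a JSON string or a parsed dict;
    `kind` is "identity" for a user/role policy or "trust" for a role
    trust policy."""
    if kind not in ("identity", "trust"):
        raise ValueError("kind must be 'identity' or 'trust'")
    policy = json.loads(document) if isinstance(document, str) else document
    problems = []
    if policy.get("Version") != SUPPORTED_VERSION:
        problems.append(f"Version must be {SUPPORTED_VERSION!r}")
    allowed = IDENTITY_KEYS if kind == "identity" else TRUST_KEYS
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        where = f"Statement[{i}]"
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be Allow or Deny")
        # Condition, NotAction, NotResource and (for identity policies)
        # Principal all land here: they are outside the allowed element set.
        for key in sorted(set(stmt) - allowed):
            problems.append(f"{where}: element {key!r} is not supported in {kind} policies")
        if "Action" not in stmt:
            problems.append(f"{where}: Action is required")
        if kind == "identity" and "Resource" not in stmt:
            problems.append(f"{where}: Resource is required")
        if kind == "trust":
            problems.extend(_check_principal(stmt.get("Principal"), where))
    return problems


# Constructed sample documents. GETUSER_POLICY is the identity policy from
# this guide; the others are constructed to exercise the checks.
GETUSER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                   "Action": "iam:GetUser",
                   "Resource": "arn:aws:iam:::user/example-user"}],
}
CONDITION_POLICY = {  # valid in the Cloud, rejected locally
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::bucket-name/*",
                   "Condition": {"Bool": {"aws:SecureTransport": "true"}}}],
}
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": ["arn:aws:iam::123456789012:root"]},
                   "Action": ["sts:AssumeRole"]}],
}
SERVICE_TRUST_POLICY = {  # service principals are not an account/principal ID
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    for name, doc, kind in [("GetUser", GETUSER_POLICY, "identity"),
                            ("Condition", CONDITION_POLICY, "identity"),
                            ("Trust", TRUST_POLICY, "trust"),
                            ("ServiceTrust", SERVICE_TRUST_POLICY, "trust")]:
        print(name, validate_policy(doc, kind) or "OK")
```

A clean result only means the document uses the supported elements; it says nothing about whether the actions and resources named are the ones you intend, which the policy examples below illustrate.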

IAM policy examples on Snowball Edge

Note

AWS Identity and Access Management (IAM) users need "snowballdevice:*" permissions to use the AWS OpsHub for Snow Family application to manage Snowball Edge.

The following are examples of policies that grant permissions to a Snowball Edge device.

Allowing the GetUser call for a sample user on a Snowball Edge through the IAM API

Use the following policy to allow the GetUser call for a sample user through the IAM API.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "iam:GetUser",
            "Resource": "arn:aws:iam:::user/example-user"
        }
    ]
}

Allowing full access to the Amazon S3 API on a Snowball Edge

Use the following policy to allow full access to the Amazon S3 API.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

Allowing read and write access to an Amazon S3 bucket on a Snowball Edge

Use the following policy to allow read and write access to a specific bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListObjectsInBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::bucket-name"
        },
        {
            "Sid": "AllObjectActions",
            "Effect": "Allow",
            "Action": "s3:*Object",
            "Resource": "arn:aws:s3:::bucket-name/*"
        }
    ]
}

Allowing list, get, and put access to an Amazon S3 bucket on a Snowball Edge

Use the following policy to allow list, get, and put access to a specific S3 bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:List*"
            ],
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"
        }
    ]
}

Allowing full access to the Amazon EC2 API on a Snowball Edge

Use the following policy to allow full access to Amazon EC2.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*"
        }
    ]
}

Allowing access to start and stop Amazon EC2-compatible instances on a Snowball Edge

Use the following policy to allow access to start and stop Amazon EC2 instances.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "*"
        }
    ]
}

Denying calls to DescribeLaunchTemplates but allowing all calls to DescribeImages on a Snowball Edge

Use the following policy to deny calls to DescribeLaunchTemplates but allow all calls to DescribeImages.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "ec2:DescribeLaunchTemplates"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeImages"
            ],
            "Resource": "*"
        }
    ]
}
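The examples above combine Allow and Deny statements and wildcard patterns such as "s3:*Object", so it helps to see exactly which requests each one admits before attaching it to a user. The evaluator below is an added example, not AWS code; it assumes the local service applies the standard IAM decision order (an explicit Deny in any matching statement wins, otherwise a matching Allow grants the request, otherwise the request is implicitly denied) and IAM's "*" and "?" wildcard matching, and it replays the bucket policy and the two EC2 policies from this section against sample requests.

```python
"""Offline evaluator for the identity-based policy subset the local IAM
service accepts: Effect, Action and Resource, no Condition (added example,
not AWS code). Assumed decision order: explicit Deny wins, then Allow,
then implicit deny. Action names match case-insensitively, resources
case-sensitively; both support IAM's "*" and "?" wildcards."""
import fnmatch
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, ignore_case):
    # fnmatch would treat "[...]" as a character class, which IAM patterns
    # do not have, so escape any literal "[" first.
    pattern = pattern.replace("[", "[[]")
    if ignore_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policies, action, resource):
    """Return "Deny", "Allow" or "ImplicitDeny" for `action` on `resource`
    given the policy documents (JSON strings or parsed dicts) attached to
    the caller."""
    decision = "ImplicitDeny"
    for doc in policies:
        policy = json.loads(doc) if isinstance(doc, str) else doc
        for stmt in _as_list(policy["Statement"]):
            action_hit = any(_matches(p, action, True) for p in _as_list(stmt["Action"]))
            resource_hit = any(_matches(p, resource, False) for p in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny overrides every Allow
            decision = "Allow"
    return decision


# The three policies below are the ones shown in this section of the guide.
BUCKET_RW = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListObjectsInBucket", "Effect": "Allow",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucket-name"},
        {"Sid": "AllObjectActions", "Effect": "Allow",
         "Action": "s3:*Object", "Resource": "arn:aws:s3:::bucket-name/*"},
    ],
}
FULL_EC2 = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}
DENY_TEMPLATES_ALLOW_IMAGES = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": ["ec2:DescribeLaunchTemplates"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:DescribeImages"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    # Constructed sample requests: (policies, action, resource).
    for policies, action, resource in [
        ([BUCKET_RW], "s3:GetObject", "arn:aws:s3:::bucket-name/report.csv"),
        ([BUCKET_RW], "s3:DeleteBucket", "arn:aws:s3:::bucket-name"),
        ([BUCKET_RW], "s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"),
        ([DENY_TEMPLATES_ALLOW_IMAGES], "ec2:DescribeImages", "*"),
        ([FULL_EC2, DENY_TEMPLATES_ALLOW_IMAGES], "ec2:DescribeLaunchTemplates", "*"),
    ]:
        print(f"{action:30} {resource:45} -> {evaluate(policies, action, resource)}")
```

Note in particular that "s3:*Object" admits every object-level action (get, put, delete) but nothing at the bucket level, and that attaching the Deny policy next to the full EC2 policy still blocks DescribeLaunchTemplates whatever the attachment order.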

Policy for API calls on a Snowball Edge

The following command lists all the managed policies that are available on your Snow device, including your own customer-defined managed policies. For more details, see list-policies.

aws iam list-policies --endpoint http://ip-address:6078 --profile snowballEdge --region snow

{
    "Policies": [
        {
            "PolicyName": "Administrator",
            "Description": "Root user admin policy for Account 123456789012",
            "CreateDate": "2020-03-04T17:44:59.412Z",
            "AttachmentCount": 1,
            "IsAttachable": true,
            "PolicyId": "policy-id",
            "DefaultVersionId": "v1",
            "Path": "/",
            "Arn": "arn:aws:iam::123456789012:policy/Administrator",
            "UpdateDate": "2020-03-04T19:10:45.620Z"
        }
    ]
}

TrustPolicy example on a Snowball Edge

Calling AssumeRole returns a set of temporary security credentials that you can use to access AWS resources that you might normally not have access to; the role's trust policy controls who is allowed to assume the role. These temporary credentials consist of an access key ID, a secret access key, and a security token. Typically, you use AssumeRole in your account for cross-account access.

The following is an example of a trust policy. You can use the principal ID instead of the account ID. For more information about trust policies, see AssumeRole in the AWS Security Token Service API Reference.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::AccountId:root"
                ]
            },
            "Action": [
                "sts:AssumeRole"
            ]
        }
    ]
}