resource-iam-restriction-policy
Important
You will need StackGen Admin or DevOps access to run this command.
Supported Clouds:
AWS and GCP.
The stackgen upload resource-iam-restriction-policy command allows you to upload policies that limit the IAM permissions that users can select for resources in their topologies.
Usage
stackgen upload resource-iam-restriction-policy [flags]
Flags
Flag | Description |
---|---|
-p, --iam-restriction-policy-file-path string | Path to resource IAM restriction policy file. (default "/home/user") |
-h, --help | Help for resource-iam-restriction-policy. |
Examples
Upload IAM restriction policy from a local file
stackgen upload resource-iam-restriction-policy -p /path/to/resource_restriction_policy.json
This command will:
- Read the IAM restriction policy from the specified file,
- Upload the policy to the StackGen platform,
- Enforce these restrictions when IAM permissions are associated with resources.
File Format
The IAM restriction policy file should be in JSON format and define the allowed IAM roles for specific resource types. Here's an example:
[
{
"name": "resource_iam_restriction_policy",
"description": "Resource IAM Restriction Policy",
"resourceSpecificAllowedRoles": {
"aws_s3": {
"allowedRoles": [
"Custom1",
"Writer"
],
"defaultRole": "Custom1"
}
}
}
]
Each policy object in the array must include:
- name: A unique identifier for the policy.
- description: A brief explanation of the policy's purpose.
- resourceSpecificAllowedRoles: A map of resource types to their allowed IAM roles. For each resource type, specify:
  - allowedRoles: An array of role names that can be associated with this resource.
  - defaultRole: The role that will be selected by default for this resource type.
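The following is an added example, not StackGen's own code: a small validator for a policy file in the format above, plus a check that mirrors the enforcement step (is a given role allowed for a resource type?). The rule that defaultRole must be one of allowedRoles, and the treatment of resource types no policy mentions as unrestricted, are assumptions of this example rather than documented StackGen behaviour.

```python
import json

# Constructed sample mirroring the page's example; not a real StackGen policy file.
SAMPLE_POLICY = """[
  {"name": "resource_iam_restriction_policy",
   "description": "Resource IAM Restriction Policy",
   "resourceSpecificAllowedRoles": {
     "aws_s3": {"allowedRoles": ["Custom1", "Writer"], "defaultRole": "Custom1"}}}
]"""
SAMPLE_POLICIES = json.loads(SAMPLE_POLICY)
REQUIRED_KEYS = ("name", "description", "resourceSpecificAllowedRoles")


def validate_policy_file(text: str) -> list[str]:
    """Return the problems found in a policy document; an empty list means valid.
    Checks the structure the docs describe plus one consistency rule that is an
    assumption of this example: defaultRole must appear in allowedRoles, or the
    role pre-selected for the resource would itself be disallowed."""
    try:
        policies = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if not isinstance(policies, list):
        return ["top level must be an array of policy objects"]
    problems, seen = [], set()
    for i, pol in enumerate(policies):
        if not isinstance(pol, dict):
            problems.append(f"policy[{i}] is not an object")
            continue
        problems += [f"policy[{i}] missing '{k}'" for k in REQUIRED_KEYS if k not in pol]
        if pol.get("name") in seen:
            problems.append(f"policy[{i}] duplicate name '{pol.get('name')}'")
        seen.add(pol.get("name"))
        for rtype, spec in (pol.get("resourceSpecificAllowedRoles") or {}).items():
            roles = spec.get("allowedRoles") if isinstance(spec, dict) else None
            if not isinstance(roles, list) or not roles:
                problems.append(f"{rtype}: allowedRoles must be a non-empty array")
            elif spec.get("defaultRole") not in roles:
                problems.append(f"{rtype}: defaultRole is not in allowedRoles")
    return problems


def is_role_allowed(policies: list, resource_type: str, role: str) -> bool:
    """Mirror the enforcement step: once a policy covers a resource type, only
    its allowedRoles may be attached. Treating uncovered resource types as
    unrestricted is an assumption of this example, not documented behaviour."""
    specs = [p["resourceSpecificAllowedRoles"].get(resource_type) for p in policies]
    return not any(specs) or any(role in s["allowedRoles"] for s in specs if s)
```

Run validate_policy_file on a file before uploading it with the CLI; an empty list means the structure matches the format described here.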
What Will Change Between AWS and GCP?
Element | AWS Example | GCP Example |
---|---|---|
resourceSpecificAllowedRoles key | aws_s3 | gcp_storage_bucket |
Role names in allowedRoles | AWS-specific roles like Writer, Custom1 | GCP-specific roles like roles/storage.admin, roles/viewer |
Note
- IAM restriction policies help enforce security best practices by limiting what roles users can assign.
- These policies are evaluated whenever IAM roles are attached to resources.
- Policies can be applied at the organization or team level.