AD Gateway IAM Role Information
Click AD Gateway AWS IAM Role / Policy Requirements
The following information is related to the AD Gateway IAM Roles and Policies
used for CLICK to connect to an AD Connector for reading a list of Users and
Groups (read only) using lambda.
We start with
arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
Example:
arn:aws:iam::012345678901:role/ClickADConnector-IamRoleLambdaExecution-xxxxxxxxxxxxxxx
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ssm:GetParametersByPath"
],
"Resource": [
"arn:aws:ssm:us-east-1:736931573815:parameter/click/*"
],
"Effect": "Allow"
}
]
}
The
ssm:GetParametersByPath
permission is granted specifically on resources starting with theSSMPrefix
value specified as a CloudFormation parameter (i.e. CLICK can only read what is prescribed for it to read)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface"
],
"Resource": "*"
}
]
}
AWS Cross Account Role
This is the Cross account role for connectivity to the customer's AWS Account
programmatically.
The far-side role allows CLICK to manage workspaces, list encryption keys, and
invoke the AD Gateway Lambda Function.
Example arn:
arn:aws:iam::012345678901:role/ClickADConnector-CrossAccountRole-xxxxxxxxxxxxx
The role will have the following permission policies associated with it.
{
"Version": "2012-10-17",
"Statement": {
"Action": [
"kms:ListAliases",
"kms:ListKeys",
"kms:GetKeyPolicy",
"kms:ListGrants"
],
"Resource": "*",
"Effect": "Allow"
}
}
{
"Version": "2012-10-17",
"Statement": {
"Action": [
"lambda:InvokeFunction",
"lambda:InvokeAsync"
],
"Resource": "arn:aws:lambda:us-east-1:736931573815:function:ClickADConnector-AdConnectorLambdaFunction-1OXB14HW4CYI8",
"Effect": "Allow"
}
}
The role will also have the following trust policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::CLICK_ACCOUNT:role/ad-connector-trust-role-SOME_ID"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
}
}
}
]
}
Updated about 5 years ago