AD Gateway IAM Role Information
Click AD Gateway AWS IAM Role / Policy Requirements
The following information describes the AD Gateway IAM roles and policies that CLICK
uses to connect to an AD Connector through a Lambda function and read the list of
Users and Groups (read only).
We start with the AWS managed policy
arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
Example role ARN:
arn:aws:iam::012345678901:role/ClickADConnector-IamRoleLambdaExecution-xxxxxxxxxxxxxxx
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ssm:GetParametersByPath"
            ],
            "Resource": [
                "arn:aws:ssm:us-east-1:736931573815:parameter/click/*"
            ],
            "Effect": "Allow"
        }
    ]
}
The ssm:GetParametersByPath permission is granted specifically on resources starting with the SSMPrefix value specified as a CloudFormation parameter (i.e. CLICK can only read what is prescribed for it to read).
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "ec2:CreateNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": "*"
        }
    ]
}
AWS Cross Account Role
This is the cross-account role that CLICK assumes for programmatic connectivity to
the customer's AWS account.
The far-side role allows CLICK to manage workspaces, list encryption keys, and
invoke the AD Gateway Lambda function.
Example ARN:
arn:aws:iam::012345678901:role/ClickADConnector-CrossAccountRole-xxxxxxxxxxxxx
The role will have the following permission policies associated with it.
{
    "Version": "2012-10-17",
    "Statement": {
        "Action": [
            "kms:ListAliases",
            "kms:ListKeys",
            "kms:GetKeyPolicy",
            "kms:ListGrants"
        ],
        "Resource": "*",
        "Effect": "Allow"
    }
}
{
    "Version": "2012-10-17",
    "Statement": {
        "Action": [
            "lambda:InvokeFunction",
            "lambda:InvokeAsync"
        ],
        "Resource": "arn:aws:lambda:us-east-1:736931573815:function:ClickADConnector-AdConnectorLambdaFunction-1OXB14HW4CYI8",
        "Effect": "Allow"
    }
}
The role will also have the following trust policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::CLICK_ACCOUNT:role/ad-connector-trust-role-SOME_ID"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
        }
      }
    }
  ]
}
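As an added example (not part of this page or of CLICK's own tooling), a small Python check a customer can run offline against the policy documents above: it confirms that ssm:GetParametersByPath is confined to the SSMPrefix path, and lists which AWS principals the cross-account trust policy lets assume the role. The embedded policies are constructed copies of the page's examples, and EXPECTED_PREFIX_ARN is an assumption derived from them.

```python
# Added example: offline checks on constructed copies of this page's example policies.
SSM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:GetParametersByPath"],
        "Resource": ["arn:aws:ssm:us-east-1:736931573815:parameter/click/*"],
    }],
}
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::CLICK_ACCOUNT:role/ad-connector-trust-role-SOME_ID"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {}},
    }],
}
# Assumed expected scope, built from the page's example region, account and SSMPrefix.
EXPECTED_PREFIX_ARN = "arn:aws:ssm:us-east-1:736931573815:parameter/click/"


def _as_list(value):
    # IAM accepts a lone string/object or a list for Statement, Action, Resource, Principal.
    return value if isinstance(value, list) else [value]


def unscoped_ssm_grants(policy, prefix_arn):
    """(action, resource) pairs allowing ssm:GetParametersByPath outside prefix_arn ("*" included)."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() not in ("ssm:getparametersbypath", "ssm:*", "*"):
                continue
            for resource in _as_list(stmt.get("Resource", [])):
                if not resource.startswith(prefix_arn):
                    findings.append((action, resource))
    return findings


def assume_role_principals(trust_policy):
    """Set of AWS principals the trust policy lets call sts:AssumeRole."""
    principals = set()
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        # Principal is either the literal "*" (anyone) or a map with an "AWS" key.
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        principals.update(_as_list(aws))
    return principals
```

A non-empty result from unscoped_ssm_grants, or any principal other than the expected CLICK trust role, means the deployed policy is broader than what this page prescribes.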
