Types of IAM Policies

Impossible Cloud supports IAM policies that allow its users to have granular control over the use, access and administration of their cloud storage. Currently the Impossible Cloud Console can manage the following types of policies:

  • Managed Policies

  • Inline Policies

An inline policy is attached directly to a specific IAM user. If that user is deleted, the inline policy is deleted too; it cannot be reused.

A managed policy exists as its own separate item in IAM. If the group or user it’s linked to is deleted, the policy still exists and can be attached to another IAM user.

1. Managed Policies

Managed Policies are a reusable set of permissions that you can attach to multiple users or groups to control what actions they can perform. Impossible Cloud lets you create and manage your own custom policies. Customer managed policies offer greater flexibility, as you can define specific permissions based on your requirements. You can also reuse these policies across multiple users or groups within your ICSC environment.

You can either save the policy in a .json file and attach it via the CLI, or paste it into the ICSC console under “Policies”. A Managed Policy can look like this:

File example: my-impossible-cloud-policy.json

{
  "Statement": [
    {
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-impossible-cloud-bucket",
        "arn:aws:s3:::my-impossible-cloud-bucket/*"
      ],
      "Sid": "AllowCommonS3Actions"
    }
  ],
  "Version": "2012-10-17"
}

This policy lets the assigned user(s) list the bucket "my-impossible-cloud-bucket" and upload objects to it. Because it does not grant s3:GetObject or s3:DeleteObject, they cannot download or delete any objects within it.

Remember to configure your profile:

aws configure --profile your-profile-name

To attach that Managed Policy to an IAM User using CLI, you can write:

aws iam create-policy \
  --policy-name MyICPolicy \
  --policy-document file://my-impossible-cloud-policy.json \
  --endpoint-url https://iam.impossibleapi.net \
  --profile your-profile-name

aws iam attach-user-policy \
  --user-name "[email protected]" \
  --policy-arn arn:aws:iam::123456789012:policy/MyICPolicy \
  --endpoint-url https://iam.impossibleapi.net/ \
  --profile your-profile-name

2. Inline Policies

Inline policies are directly embedded into a single IAM user or group. This type of policy has the following properties:

  • Directly Attached: When you create an inline policy, it becomes part of that specific user or group.

  • Unique to the Identity: It cannot be attached to any other user or group.

  • No Versioning: Unlike managed policies, inline policies do not have versioning, meaning you can't easily roll back to a previous version of the policy.

  • Lifecycle: If you delete the IAM identity, the inline policy is also automatically deleted.

Note: While inline policies provide granular control, they are not reusable across different users or groups like the Managed Policies.

You can assign inline policies via CLI like this:

aws iam put-user-policy \
  --user-name "[email protected]" \
  --policy-name CustomInlinePolicy \
  --policy-document file://my-impossible-cloud-policy.json \
  --endpoint-url https://iam.impossibleapi.net/ \
  --profile your-profile-name

Alternatively, this can be done in the UI under User > Select User > Inline Policies.
