
AWS IAM User and Policy Management: Terraform Configuration


This Terraform configuration creates an IAM user and attaches both a custom policy (for S3 access) and an AWS-managed policy (AmazonEC2FullAccess). It also generates AWS access keys for the user.

Terraform IAM Management

Terraform Configuration Files

Project Folder & Terraform Provider

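# Create Terraform project folder
TF_PROJECT_NAME=aws-iam-user-permissions
# Quote the expansion so a name containing spaces or glob characters is still one path;
# `cd` only runs when `mkdir` succeeded, so an already-existing folder is not silently reused.
mkdir "$TF_PROJECT_NAME" && cd "$TF_PROJECT_NAME"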

  • terraform.tf
# Terraform Provider
# Pins the AWS provider to the 5.x series: "~> 5.0" permits 5.x minor/patch
# releases but not 6.0, so `terraform init` cannot pull in a breaking major version.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# Provider AWS Region
# No region or credentials are configured here, so the provider resolves them
# from the AWS CLI/SDK environment (e.g. AWS_REGION / AWS_PROFILE, shared config files).
# NOTE(review): an explicit region makes plan/apply reproducible across machines.
provider "aws" {
}

Variables

  • variables.tf
# IAM User
# Name of the IAM user created in iam.tf; the verification command below
# (`aws iam list-attached-user-policies --user-name ...`) must use the same value.
variable "iam_user_name" {
  description = "IAM user"
  type        = string
  default     = "example-user"
}

# IAM Custom Policy
# Name of the customer-managed policy that grants the scoped S3 permissions.
variable "iam_custom_policy_name" {
  description = "IAM policy"
  type        = string
  default     = "example-policy"
}

IAM User & Policy

  • iam.tf
# Create IAM user
# An IAM user is a long-lived identity; the access key created further down gives it
# static credentials. For workloads running inside AWS, an IAM role with temporary
# credentials avoids managing and rotating such keys.
resource "aws_iam_user" "iam_user" {
  name = var.iam_user_name
}

# Create custom IAM policy
# Two statements scoped to a single bucket: listing applies to the bucket ARN itself,
# object read/write/delete applies to the objects under it (bucket ARN + "/*").
# The bucket name is hard-coded; NOTE(review): move it to a variable if this
# configuration is reused for other buckets.
resource "aws_iam_policy" "iam_policy" {
  name        = var.iam_custom_policy_name
  description = "Custom IAM policy"
  policy      = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # s3:ListBucket is a bucket-level action, so the resource is the bucket ARN
        Effect   = "Allow"
        Action   = ["s3:ListBucket"]
        Resource = "arn:aws:s3:::jkw-example-bucket"
      },
      {
        # Object-level actions need the object ARN pattern, not the bucket ARN
        Effect   = "Allow"
        Action   = [
          "s3:GetObject",
          "s3:PutObject",
          "s3:DeleteObject"
        ]
        Resource = "arn:aws:s3:::jkw-example-bucket/*"
      },
    ]
  })
}


# Attach custom policy to the IAM user
# Referencing the policy's ARN attribute makes Terraform create the policy before
# the attachment, so no explicit depends_on is needed.
resource "aws_iam_user_policy_attachment" "attach_custom_policy" {
  user       = aws_iam_user.iam_user.name
  policy_arn = aws_iam_policy.iam_policy.arn
}

# Attach managed policy to the IAM user: "AmazonEC2FullAccess"
# AmazonEC2FullAccess is a broad AWS-managed policy (all EC2 actions plus related
# services). Combined with the long-lived access key below, a leaked key grants
# wide EC2 control; once the required actions are known, prefer a scoped custom
# policy like the S3 one above (least privilege).
resource "aws_iam_user_policy_attachment" "attach_ec2_full_access" {
  user       = aws_iam_user.iam_user.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
}


# Create IAM access key for the user
# The secret access key is written to the Terraform state file in plaintext, so the
# state must be treated as a secret (encrypted remote backend, restricted access).
# The resource's `pgp_key` argument can be used so only an encrypted secret is stored
# in state. Plan to rotate or disable the key; `sensitive = true` on the outputs only
# masks CLI display and does not protect the state.
resource "aws_iam_access_key" "access_key" {
  user = aws_iam_user.iam_user.name
}

Outputs

  • outputs.tf
# Output Access Key
# `sensitive = true` redacts the value in plan/apply output; it is still stored in
# state and can be read with `terraform output -raw access_key_id`.
output "access_key_id" {
  value     = aws_iam_access_key.access_key.id
  sensitive = true
}

# Output Secret Access Key
# Redacted in CLI output only; the secret remains in the state file and is
# retrievable by anyone who can read the state or run `terraform output -raw`.
output "secret_access_key" {
  value     = aws_iam_access_key.access_key.secret
  sensitive = true
}



Apply Configuration

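# Initialize the Terraform project
terraform init

# Validates the syntax and structure of Terraform configuration files
terraform validate

# Dry run / preview changes before applying them. Saving the plan guarantees that
# exactly the reviewed changes are applied, rather than a fresh plan computed at apply time.
terraform plan -out=tfplan
# Create Terraform stack from the saved plan (a saved plan is applied without an interactive prompt)
terraform apply tfplan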

# Shell output:
Apply complete! Resources: 5 added, 0 changed, 0 destroyed.

Outputs:

access_key_id = <sensitive>
secret_access_key = <sensitive>

Output Access Keys

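# Output the access keys for the IAM user
# `terraform output -raw` prints the plain value without a trailing newline; quoting the
# expansion avoids the word-splitting that an unquoted `echo $(...)` would apply.
# This reveals the secret on the terminal (and in any session recording), so run it
# only where the output is not logged.
printf '%s\n' "$(terraform output -raw access_key_id)"
printf '%s\n' "$(terraform output -raw secret_access_key)"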

# Shell output:
AKIARCHUALIN6BDD6LRX
bRFQNSpuILRvxpId4ajvlUzX53aVlmSADbStMit3



Verify IAM user

# List policies that are attached to the IAM user
# --user-name must match var.iam_user_name (default "example-user"); expect both the
# custom policy and AmazonEC2FullAccess in the AttachedPolicies list.
aws iam list-attached-user-policies --user-name example-user

# Shell output:
{
    "AttachedPolicies": [
        {
            "PolicyName": "example-policy",
            "PolicyArn": "arn:aws:iam::012345678912:policy/example-policy"
        },
        {
            "PolicyName": "AmazonEC2FullAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
        }
    ]
}