
This post covers what IAM Roles for Spotinst Functions are, examines some features and considerations, and walks through an example of setting up a role that lets a function access an S3 bucket.

An AWS IAM Policy is a set of rules that, under the right conditions, define what actions a user can take on specified AWS resources.

When a Function is executed, it often needs to securely access and perform actions against resources and services in your AWS account. In order to allow that, the function code needs to be associated with an IAM role that has the appropriate permissions.

  • For example, to retrieve and process documents from your S3 bucket, the function needs readObject permissions for your S3 bucket. In order to do so, we can attach a policy with relevant permissions to a Spotinst Role, and allow the function to access the S3 bucket on our behalf.

Let’s start by creating an IAM role that allows full access to S3.
There are two options for creating a Spotinst Function associated with an IAM role:

  • UI (Console)
  • API

Console

Go to the Function Environment and click on Create Function.

In the Create Function screen, select the AWS IAM Role you want the function to be associated with.

If associating a new IAM role, click on Create New Role and add the parameters below:

AWS account: 922761411349

External Id: spotinst:aws:extid:7m3vpb1w1c000000

The account number is Spotinst’s AWS account, and by entering it here you are giving us permission to access and modify S3 buckets and their contents on your behalf. The External ID is an additional lock. It must match the External ID set on the role you create in the following steps in order for the roles to be linked correctly, so make a note of it.

Login to your AWS Console and navigate to the IAM management console. Under Roles, select “Create role”.

You should be in the Create Role workflow. For type of trusted entity, select “Another AWS account.”

Enter the above-noted AWS account Id and External Id. You can leave MFA unchecked and move on to permissions.

Search for s3 and select AmazonS3FullAccess, then continue to the review step.

After creating the role, note down the Role ARN.

Go back to the Spotinst console, enter the Role ARN and validate the role.

As soon as the role is validated, click on Create Function and your Spotinst Function has the permission to access and modify S3 objects on your behalf.

API

First, log in to your AWS account and navigate to the IAM management console. Under Roles, select “Create role”.

You should be in the create role workflow. For type of trusted entity, select “Another AWS account.”

There are two required fields you need to fill out on this page: Account ID and External ID.

For account number, enter: 922761411349

For External ID, enter: spotinst-function-s3-access

The account number is Spotinst’s AWS account, and by entering it here you are giving us permission to access and modify S3 buckets and their contents on your behalf. The External ID is an additional lock. It must match the External ID set on the role you create in the following steps in order for the roles to be linked correctly, so make a note of it.

You can leave MFA unchecked and move on to permissions.

Search for s3 and select AmazonS3FullAccess, then continue to the review step.

Enter a role name and description and hit create.

After creating the role, you’ll be back at the master list of roles in AWS. Navigate to your newly created role, select it, and copy the Role ARN. You’ll need it for the next step. Also note that you can see the External ID on this page, under the “trust relationships” tab.
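The trust relationship the console generates for “Another AWS account” plus an External ID is a short JSON document, and it is worth checking it before the Role ARN is registered: the `sts:ExternalId` condition is the “additional lock” described above, and the last bullet of this post requires it to match the External ID used in the API call exactly. The example below is added here and is not Spotinst’s code; `buildTrustPolicy` and `checkTrustPolicy` are hypothetical helper names.

```javascript
// Added example (not from the Spotinst post or API). Builds the trust policy
// that the console's "Another AWS account" + External ID flow produces, and
// checks an existing trust policy before its Role ARN is linked to Spotinst.
const SPOTINST_ACCOUNT_ID = "922761411349"; // Spotinst's AWS account, from the post

function buildTrustPolicy(trustedAccountId, externalId) {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { AWS: `arn:aws:iam::${trustedAccountId}:root` },
      Action: "sts:AssumeRole",
      // The lock: AssumeRole only succeeds when the caller presents this External ID.
      Condition: { StringEquals: { "sts:ExternalId": externalId } }
    }]
  };
}

// Returns a list of problems; an empty list means the role is safe to link.
function checkTrustPolicy(policy, expectedExternalId) {
  const problems = [];
  let found = false;
  for (const st of policy.Statement || []) {
    const actions = [].concat(st.Action || []);
    if (st.Effect !== "Allow" || !actions.includes("sts:AssumeRole")) continue;
    found = true;
    // Only Spotinst's account may assume the role; "*" or other accounts are flagged.
    const principals = [].concat((st.Principal && st.Principal.AWS) || []);
    const spotinstOnly = principals.length > 0 && principals.every(p =>
      p === `arn:aws:iam::${SPOTINST_ACCOUNT_ID}:root` || p === SPOTINST_ACCOUNT_ID);
    if (!spotinstOnly) {
      problems.push("principal is not the Spotinst account: " + JSON.stringify(principals));
    }
    const cond = st.Condition && st.Condition.StringEquals &&
      st.Condition.StringEquals["sts:ExternalId"];
    if (cond === undefined) {
      problems.push("no sts:ExternalId condition: the additional lock is missing");
    } else if (cond !== expectedExternalId) {
      problems.push(`External ID mismatch: role has "${cond}", API call uses "${expectedExternalId}"`);
    }
  }
  if (!found) problems.push("no Allow sts:AssumeRole statement");
  return problems;
}

module.exports = { SPOTINST_ACCOUNT_ID, buildTrustPolicy, checkTrustPolicy };
```

Paste the document from the role’s “trust relationships” tab into `checkTrustPolicy` with the External ID you intend to send to the Spotinst API; any returned problem means the link will fail or the lock is weaker than intended.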

That’s all the work you need to do in the AWS Console. For the next steps, use the Spotinst API to create your Role ID. You can do so using cURL or by writing a script; below is an example of such a script.

We put the following script in a file to make the API call that generates the Spotinst Role ID:

const rp = require('request-promise');

// Placeholders in angle brackets must be replaced with your own values:
// your Spotinst account ID, your Spotinst API token, and your AWS account ID.
let options = {
  uri    : "https://api.spotinst.io/functions/iam/role/aws/",
  method : "POST",
  qs     : { accountId: "<SPOTINST_ACCOUNT_ID>" },
  headers: {
    "Content-Type" : "application/json",
    "Authorization": "Bearer <SPOTINST_API_TOKEN>"
  },
  body   : {
    "role": {
      "description": "s3 full access",
      "provider": "aws",
      "credentials": {
        // Role ARN copied from the AWS console; the account number here is yours, not Spotinst's.
        "roleArn": "arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/demo-s3-full-access",
        // Must exactly match the External ID set on the role's trust relationship.
        "externalId": "spotinst-function-s3-access"
      }
    }
  },
  json   : true
};

rp(options).then((res) => {
  console.log(res);
  // The newly created Spotinst Role ID is returned in response.items.
  console.log(res.response.items);
}).catch((err) => {
  console.log(err);
});

Make the request from the command line. A successful request will look something like:

And that’s it! With that, you gave Spotinst Functions permission to access and modify S3 objects on your behalf. You can use this same example to add any and as many permissions as you’d like to an IAM role, and then link it to a Spotinst Account.

Serverless Framework

It is also possible to create, manage and deploy Spotinst Functions using the Serverless Framework. To learn how to configure an IAM role for functions, click here.

Some things to keep in mind when using IAM roles with Spotinst Functions:

  • You can only attach one IAM role per function.
  • You can only attach an IAM role to a function when you create the function.
  • You cannot update the IAM role at a later time.
  • You cannot have a different IAM role for different function versions.
  • Multiple functions can have the same IAM role.
  • Spotinst’s account number is 922761411349.
  • The External ID is created by you. The External ID used when creating the Spotinst Role ID must exactly match the External ID you specified when creating the IAM Role.