services.x-iam

x-iam:
  Policies: []
  PermissionsBoundary: str
  ManagedPolicyArns: []

This section is the entrypoint for extending the IAM definition of the IAM roles that ECS ComposeX creates for the services.

PermissionsBoundary

This key names an IAM policy (by name or ARN) that is attached to the IAM roles as their IAM Permissions Boundary.

Tip

If you specify only the name, e.g. containers, it resolves to arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/containers

PermissionsBoundary example
services:
  serviceA:
    image: nginx
    x-iam:
      PermissionsBoundary: containers
  serviceB:
    image: redis
    x-iam:
      PermissionsBoundary: arn:aws:iam::aws:policy/PowerUserAccess

Note

You can either provide a full policy ARN, or just the name of your policy. The validation regexp is:

r"((^([a-zA-Z0-9-_.\/]+)$)|(^(arn:aws:iam::(aws|[0-9]{12}):policy\/)[a-zA-Z0-9-_.\/]+$))"

Policies

Allows you to define additional inline IAM policies. Follows the same pattern as CFN IAM Policies.

x-iam:
  Policies:
    - PolicyName: somenewpolicy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - ec2:Describe*
            Resource:
              - "*"
            Sid: "AllowDescribeAll"

Tip

This is equivalent to x-aws-role if you used the ECS Plugin.

ManagedPolicyArns

Allows you to add additional managed policies. You can specify the full ARN or just a string for the name / path of the policy. It is validated and resolved with the same regexp as PermissionsBoundary.

Tip

If you used the ECS Plugin from Docker before, this is equivalent to x-aws-policies.

Hint

You can also use the Docker ECS-Plugin x-aws-iam extension fields with ECS ComposeX.

ManagedPolicies example
services:
  serviceA:
    x-iam:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/Administrator # AWS Managed Policy
        - developer                             # User Managed Policy
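An added example (not ECS ComposeX's own code) of the resolution described in the PermissionsBoundary, Policies and ManagedPolicyArns sections: it validates each policy reference against the regexp quoted above, resolves a bare name into the arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/ form, checks the required keys and enums of the JSON schema below, and assembles the role's three IAM properties. The function names and the Fn::Sub wrapping are assumptions about how the resolution is rendered into CloudFormation; the sample x-iam block is constructed from the examples on this page.

```python
import re

# The validation regexp quoted on this page for PermissionsBoundary / ManagedPolicyArns.
POLICY_REF_RE = re.compile(r"((^([a-zA-Z0-9-_.\/]+)$)|(^(arn:aws:iam::(aws|[0-9]{12}):policy\/)[a-zA-Z0-9-_.\/]+$))")
ALLOWED_VERSIONS = ("2012-10-17", "2008-10-17")  # PolicyDocument.Version enum from the schema
ALLOWED_EFFECTS = ("Allow", "Deny")              # Statement.Effect enum from the schema

def resolve_policy_ref(value):
    """Full ARN passes through; a bare name becomes a Fn::Sub (assumed rendering) resolved at deploy time."""
    if not isinstance(value, str) or not POLICY_REF_RE.fullmatch(value):
        raise ValueError(f"invalid policy reference: {value!r}")
    if value.startswith("arn:"):
        return value
    return {"Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/" + value}

def check_policy_def(policy):
    """Enforce the PolicyDef schema: required keys plus the Version and Effect enums."""
    for key in ("PolicyName", "PolicyDocument"):
        if key not in policy:
            raise ValueError(f"policy is missing {key}")
    doc = policy["PolicyDocument"]
    if doc.get("Version") not in ALLOWED_VERSIONS:
        raise ValueError(f"unsupported Version: {doc.get('Version')!r}")
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") not in ALLOWED_EFFECTS:
            raise ValueError(f"statement {stmt.get('Sid')!r} has an invalid Effect")

def build_role_iam_properties(x_iam):
    """Translate a service's x-iam block into the IAM::Role properties it feeds (hypothetical helper)."""
    props = {}
    if x_iam.get("PermissionsBoundary"):
        props["PermissionsBoundary"] = resolve_policy_ref(x_iam["PermissionsBoundary"])
    if x_iam.get("ManagedPolicyArns"):
        props["ManagedPolicyArns"] = [resolve_policy_ref(p) for p in x_iam["ManagedPolicyArns"]]
    if x_iam.get("Policies"):
        for policy in x_iam["Policies"]:
            check_policy_def(policy)
        props["Policies"] = x_iam["Policies"]
    return props

# Constructed sample x-iam block, combining the examples from this page.
SAMPLE_X_IAM = {
    "PermissionsBoundary": "containers",
    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/PowerUserAccess", "developer"],
    "Policies": [{"PolicyName": "somenewpolicy", "PolicyDocument": {"Version": "2012-10-17",
        "Statement": [{"Sid": "AllowDescribeAll", "Effect": "Allow",
                       "Action": ["ec2:Describe*"], "Resource": ["*"]}]}}],
}
```

As written, the quoted regexp accepts only the aws partition in a full ARN, so an arn:aws-cn: or arn:aws-us-gov: policy can only be passed by name and resolved through ${AWS::Partition}. The schema below also names the statement key Conditions while the IAM element is Condition; because Statement allows additional properties, a Condition key passes validation unchecked.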

JSON Schema

Model

services.x-iam specification (services.x-iam.spec.json): the services.x-iam specification for ComposeX

type: object
additionalProperties: False

properties

  • PermissionsBoundary: type string
  • Policies: type array; items: #/definitions/PolicyDef
  • ManagedPolicyArns: type array; items: type string

definitions

  • PolicyDef: type object
    properties
      • PolicyName: type string
      • PolicyDocument: type object
        properties
          • Statement: type array; items: #/definitions/Statement
          • Version: type string; enum: 2012-10-17, 2008-10-17
            (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_version.html)
  • Statement: type object; additionalProperties: True
    properties
      • Sid: type string
      • Action: type array / string
      • Principal: type object / string
      • Effect: type string; enum: Allow, Deny
        (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_effect.html)
      • Resource: type array / string
      • Conditions: type string / object

Definition

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "$id": "services.x-iam.spec.json",
  "type": "object",
  "title": "services.x-iam specification",
  "description": "The services.x-iam specification for ComposeX",
  "additionalProperties": false,
  "properties": {
    "PermissionsBoundary": {
      "type": "string"
    },
    "Policies": {
      "type": "array",
      "items": {
        "$ref": "#/definitions/PolicyDef"
      }
    },
    "ManagedPolicyArns": {
      "type": "array",
      "items": {
        "type": "string"
      }
    }
  },
  "definitions": {
    "PolicyDef": {
      "type": "object",
      "required": [
        "PolicyDocument",
        "PolicyName"
      ],
      "properties": {
        "PolicyName": {
          "type": "string"
        },
        "PolicyDocument": {
          "type": "object",
          "required": [
            "Statement",
            "Version"
          ],
          "properties": {
            "Statement": {
              "type": "array",
              "items": {
                "$ref": "#/definitions/Statement"
              }
            },
            "Version": {
              "type": "string",
              "enum": ["2012-10-17", "2008-10-17"],
              "description": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_version.html"
            }
          }
        }
      }
    },
    "Statement": {
      "type": "object",
      "additionalProperties": true,
      "properties": {
        "Sid": {
          "type": "string"
        },
        "Action": {
          "type": [
            "array",
            "string"
          ]
        },
        "Principal": {
          "type": ["object", "string"]
        },
        "Effect": {
          "type": "string",
          "description": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_effect.html",
          "enum": ["Allow", "Deny"]
        },
        "Resource": {
          "type": [
            "array",
            "string"
          ]
        },
        "Conditions": {
          "type": [
            "string",
            "object"
          ]
        }
      }
    }
  }
}