services.x-iam ¶

          x-iam:
  Policies: []
  PermissionsBoundary: str
  ManagedPolicyArns: []

         

This section is the entrypoint to further extension of IAM definition for the IAM roles created throughout.

PermissionsBoundary ¶

This key represents an IAM policy (name or ARN) that needs to be added to the IAM roles in order to represent the IAM Permissions Boundary.

Tip

if you specify ony the name, ie. containers , this will resolve into arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/containers

PermissionsBoundary example ¶

            services:
  serviceA:
    image: nginx
    x-iam:
      PermissionsBoundary: containers
  serviceB:
    image: redis
    x-iam:
      PermissionsBoundary: arn:aws:iam::aws:policy/PowerUserAccess

           

Note

You can either provide a full policy arn, or just the name of your policy. The validation regexp is:

            r"((^([a-zA-Z0-9-_.\/]+)$)|(^(arn:aws:iam::(aws|[0-9]{12}):policy\/)[a-zA-Z0-9-_.\/]+$))"

           

Policies ¶

Allows you to define additional IAM policies. Follows the same pattern as CFN IAM Policies

           x-iam:
  Policies:
      - PolicyName: somenewpolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - ec2:Describe*
              Resource:
                - "*"
              Sid: "AllowDescribeAll"

          

Tip

This is equivalent to x-aws-role if you used the ECS Plugin.

ManagedPolicyArns ¶

Allows you to add additional managed policies. You can specify the full ARN or just a string for the name / path of the policy. If will resolve into the same regexp as for PermissionsBoundary

Tip

If you used the ECS Plugin from docker before, this is equivalent to x-aws-policies

Hint

You can also use the Docker ECS-Plugin x-aws-iam extension fields with ECS ComposeX

ManagedPolicies example ¶

            services:
  serviceA:
    x-iam:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/Administrator # AWS Managed Policy
        - developer                             # User Managed Policy

           

JSON Schema ¶

Model ¶

services.x-iam specification ¶

services.x-iam.spec.json
The services.x-iam specification for ComposeX
type	object
properties
PermissionsBoundary	type	string
Policies	type	array
	items	#/definitions/PolicyDef
ManagedPolicyArns	type	array
	items	type	string
additionalProperties	False
definitions
PolicyDef	type	object
	properties
	PolicyName	type	string
	PolicyDocument	type	object
		properties
		Statement	type	array
			items	#/definitions/Statement
		Version	https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_version.html
			type	string
			enum	2012-10-17, 2008-10-17
Statement	type	object
	properties
	Sid	type	string
	Action	type	array / string
	Principal	type	object / string
	Effect	https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_effect.html
		type	string
		enum	Allow, Deny
	Resource	type	array / string
	Conditions	type	string / object
	additionalProperties	True

Definition ¶

            {
  "$schema": "http://json-schema.org/draft-07/schema#",
  "$id": "services.x-iam.spec.json",
  "type": "object",
  "title": "services.x-iam specification",
  "description": "The services.x-iam specification for ComposeX",
  "additionalProperties": false,
  "properties": {
    "PermissionsBoundary": {
      "type": "string"
    },
    "Policies": {
      "type": "array",
      "items": {
        "$ref": "#/definitions/PolicyDef"
      }
    },
    "ManagedPolicyArns": {
      "type": "array",
      "items": {
        "type": "string"
      }
    }
  },
  "definitions": {
    "PolicyDef": {
      "type": "object",
      "required": [
        "PolicyDocument",
        "PolicyName"
      ],
      "properties": {
        "PolicyName": {
          "type": "string"
        },
        "PolicyDocument": {
          "type": "object",
          "required": [
            "Statement",
            "Version"
          ],
          "properties": {
            "Statement": {
              "type": "array",
              "items": {
                "$ref": "#/definitions/Statement"
              }
            },
            "Version": {
              "type": "string",
              "enum": ["2012-10-17", "2008-10-17"],
              "description": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_version.html"
            }
          }
        }
      }
    },
    "Statement": {
      "type": "object",
      "additionalProperties": true,
      "properties": {
        "Sid": {
          "type": "string"
        },
        "Action": {
          "type": [
            "array",
            "string"
          ]
        },
        "Principal": {
          "type": ["object", "string"]
        },
        "Effect": {
          "type": "string",
          "description": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_effect.html",
          "enum": ["Allow", "Deny"]
        },
        "Resource": {
          "type": [
            "array",
            "string"
          ]
        },
        "Conditions": {
          "type": [
            "string",
            "object"
          ]
        }
      }
    }
  }
}

           