services.x-iam
x-iam:
  Policies: []
  PermissionsBoundary: str
  ManagedPolicyArns: []
This section is the entrypoint for extending the IAM definition of the IAM roles that ComposeX creates for your services.
PermissionsBoundary
This key names an IAM policy (by name or ARN) that is attached to the IAM roles as their IAM Permissions Boundary.
Tip
If you specify only the name, i.e. containers, it resolves into arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/containers
services:
  serviceA:
    image: nginx
    x-iam:
      PermissionsBoundary: containers
  serviceB:
    image: redis
    x-iam:
      PermissionsBoundary: arn:aws:iam::aws:policy/PowerUserAccess
Note
You can provide either a full policy ARN or just the name of your policy. The validation regexp is:
r"((^([a-zA-Z0-9-_.\/]+)$)|(^(arn:aws:iam::(aws|[0-9]{12}):policy\/)[a-zA-Z0-9-_.\/]+$))"
Policies
Allows you to define additional inline IAM policies. Each entry follows the same pattern as CloudFormation (CFN) IAM Policies: a PolicyName and a PolicyDocument.
x-iam:
  Policies:
    - PolicyName: somenewpolicy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - ec2:Describe*
            Resource:
              - "*"
            Sid: "AllowDescribeAll"
Tip
This is equivalent to x-aws-role if you used the Docker ECS Plugin.
ManagedPolicyArns
Allows you to attach additional managed policies to the roles. You can specify the full ARN or just the name (with optional path) of the policy; each entry is validated and resolved with the same regexp as PermissionsBoundary.
Tip
If you used the Docker ECS Plugin before, this is equivalent to x-aws-policies.
Hint
You can also use the Docker ECS Plugin x-aws-iam extension fields with ECS ComposeX.
services:
  serviceA:
    x-iam:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/Administrator # AWS Managed Policy
        - developer # User Managed Policy
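As an added example (not ComposeX's own code), the following Python applies the validation regexp from the Note above to both PermissionsBoundary and ManagedPolicyArns entries, resolves bare names the way the Tip describes, and reports services whose role would be created without a boundary. The sample services block and the "boundary required" rule are assumptions for the example, not something the page mandates.

```python
import re

# Validation pattern copied from the Note in the PermissionsBoundary section.
POLICY_REF_RE = re.compile(
    r"((^([a-zA-Z0-9-_.\/]+)$)|(^(arn:aws:iam::(aws|[0-9]{12}):policy\/)[a-zA-Z0-9-_.\/]+$))"
)
# Constructed sample services block, shaped like the YAML examples on this page.
SAMPLE_SERVICES = {
    "serviceA": {
        "image": "nginx",
        "x-iam": {
            "PermissionsBoundary": "containers",
            "ManagedPolicyArns": ["arn:aws:iam::aws:policy/Administrator", "developer"],
        },
    },
    # serviceB: no boundary, and a policy name with a space, which the regexp rejects.
    "serviceB": {"image": "redis", "x-iam": {"ManagedPolicyArns": ["arn:aws:iam::123456789012:policy/Bad Name"]}},
}

def resolve_policy_ref(ref):
    """Full ARN for a policy reference (bare name resolved as in the Tip above), or None if invalid."""
    if not POLICY_REF_RE.match(ref):
        return None
    if ref.startswith("arn:"):
        return ref
    return f"arn:${{AWS::Partition}}:iam::${{AWS::AccountId}}:policy/{ref}"

def audit_services(services):
    """Resolve each service's policy references and collect findings. Reporting a missing
    PermissionsBoundary is an assumed organisational rule; the page does not make the key mandatory."""
    report = {}
    for name, service in services.items():
        x_iam = service.get("x-iam", {})
        findings, managed = [], []
        boundary = x_iam.get("PermissionsBoundary")
        boundary_arn = resolve_policy_ref(boundary) if boundary else None
        if boundary is None:
            findings.append("no PermissionsBoundary: role has no permissions ceiling")
        elif boundary_arn is None:
            findings.append(f"invalid PermissionsBoundary reference {boundary!r}")
        for ref in x_iam.get("ManagedPolicyArns", []):
            arn = resolve_policy_ref(ref)
            if arn is None:
                findings.append(f"invalid ManagedPolicyArns entry {ref!r}")
            else:
                managed.append(arn)
        report[name] = {"boundary": boundary_arn, "managed": managed, "findings": findings}
    return report
```

Running audit_services(SAMPLE_SERVICES) resolves serviceA cleanly and returns two findings for serviceB: the missing boundary and the rejected policy reference.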
JSON Schema
Model
services.x-iam specification
services.x-iam.spec.json: The services.x-iam specification for ComposeX
type: object (additionalProperties: False)
properties:
  PermissionsBoundary: string
  Policies: array of #/definitions/PolicyDef
  ManagedPolicyArns: array of string
definitions:
  PolicyDef: object
    PolicyName: string
    PolicyDocument: object
      Statement: array of #/definitions/Statement
      Version: string, enum 2012-10-17, 2008-10-17 (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_version.html)
  Statement: object (additionalProperties: True)
    Sid: string
    Action: array / string
    Principal: object / string
    Effect: string, enum Allow, Deny (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_effect.html)
    Resource: array / string
    Conditions: string / object
Definition
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "$id": "services.x-iam.spec.json",
  "type": "object",
  "title": "services.x-iam specification",
  "description": "The services.x-iam specification for ComposeX",
  "additionalProperties": false,
  "properties": {
    "PermissionsBoundary": {
      "type": "string"
    },
    "Policies": {
      "type": "array",
      "items": {
        "$ref": "#/definitions/PolicyDef"
      }
    },
    "ManagedPolicyArns": {
      "type": "array",
      "items": {
        "type": "string"
      }
    }
  },
  "definitions": {
    "PolicyDef": {
      "type": "object",
      "required": [
        "PolicyDocument",
        "PolicyName"
      ],
      "properties": {
        "PolicyName": {
          "type": "string"
        },
        "PolicyDocument": {
          "type": "object",
          "required": [
            "Statement",
            "Version"
          ],
          "properties": {
            "Statement": {
              "type": "array",
              "items": {
                "$ref": "#/definitions/Statement"
              }
            },
            "Version": {
              "type": "string",
              "enum": ["2012-10-17", "2008-10-17"],
              "description": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_version.html"
            }
          }
        }
      }
    },
    "Statement": {
      "type": "object",
      "additionalProperties": true,
      "properties": {
        "Sid": {
          "type": "string"
        },
        "Action": {
          "type": [
            "array",
            "string"
          ]
        },
        "Principal": {
          "type": ["object", "string"]
        },
        "Effect": {
          "type": "string",
          "description": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_effect.html",
          "enum": ["Allow", "Deny"]
        },
        "Resource": {
          "type": [
            "array",
            "string"
          ]
        },
        "Conditions": {
          "type": [
            "string",
            "object"
          ]
        }
      }
    }
  }
}