Certified Security - Specialty


What is the best way to grant CLI access?

I have a scenario where I have an On Premise monitoring to which I'd like to add some monitoring of our AWS resources. It will use a combination of Python and the AWS CLI to do this monitoring.

What is not clear to me is what the best way is to grant this monitoring tool access. The options I’ve considered are:

  • An IAM user with no console access and an assigned policy

  • An IAM user with only stsAssumeRole and a role with the necessary policy assigned

Which is the better solution, or is there some other preferred alternative that I haven’t considered?

Gavin

1 Answer

The common way is a User service account with a least right Policy and a set of keys.

However I did find a lovely reference that allows you to use a Role to do this.

Here they are.

– https://www.google.com/search?q=aws+cli+role

Review these and see if you can make them work for you.

😉

Gavin Goldsmith

Thanks Rusty. The Service account is the easiest and approach. To use StsAssumeRole you have to have been authenticated already – made more complicated when you’re authenticating using SAML from AD 🙂

Gavin Goldsmith

I’ll post an update if I find a more elegant way than the service account
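The second option from the question, sketched as an added example that is not code from anyone in this thread: the IAM user's keys can do nothing except assume one role, and the monitoring permissions live on that role. The account ID, user name, role name and profile names are constructed placeholders, and `findings()` is a hypothetical lint helper, not an AWS API.

```python
import json

# Constructed placeholders (assumptions, not from the thread).
ROLE_ARN = "arn:aws:iam::111122223333:role/monitoring-readonly"
USER_ARN = "arn:aws:iam::111122223333:user/onprem-monitor"

def user_policy(role_arn):
    """Identity policy for the IAM user: its access keys can only assume one role."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}

def trust_policy(user_arn):
    """Trust policy on the role: only the monitoring user may assume it."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": user_arn},
         "Action": "sts:AssumeRole"}]}

def cli_config(role_arn, source_profile="onprem-monitor", profile="monitoring"):
    """~/.aws/config stanza; the AWS CLI and boto3 assume the role with the source profile's keys."""
    return (f"[profile {profile}]\n"
            f"role_arn = {role_arn}\n"
            f"source_profile = {source_profile}\n")

def as_list(value):
    return value if isinstance(value, list) else [value]

def findings(policy, allowed_roles):
    """Hypothetical lint: list every Allow that goes beyond sts:AssumeRole on allowed_roles."""
    problems = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            problems.append(f"statement {i}: NotAction/NotResource widens the grant")
            continue
        for action in as_list(stmt.get("Action", [])):
            if action.lower() != "sts:assumerole":  # IAM action names are case-insensitive
                problems.append(f"statement {i}: extra action {action}")
        for resource in as_list(stmt.get("Resource", [])):
            if resource not in allowed_roles:
                problems.append(f"statement {i}: unexpected resource {resource}")
    return problems

if __name__ == "__main__":
    print(json.dumps(user_policy(ROLE_ARN), indent=2))
    print(json.dumps(trust_policy(USER_ARN), indent=2))
    print(cli_config(ROLE_ARN))
    print(findings(user_policy(ROLE_ARN), {ROLE_ARN}) or "user policy is assume-role only")
```

With the stanza in place, the monitoring scripts select it with `aws --profile monitoring` or by setting `AWS_PROFILE=monitoring`, and the CLI handles the AssumeRole call and temporary credentials itself.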
