Prerequisites

• Have completed the previous IAM Identity Center labs

The Challenge

If you’re new to CloudSLAW, this is the solution to last week’s IAM Identity Center skills challenge. It’s also important for building out your environment, so if you skipped the challenge you’ll definitely want to follow these steps.

This was a fun one. I realized while making the video that my original solution was incomplete due to working in the console instead of the command line! It only took a few minutes to figure it out and it was an easy fix, but it made this an even better learning experience (for me). I detail all of it down below, since this kind of troubleshooting is a skill that will definitely save some headaches down the road (I am both a slow learner and learn the hard way).

As a reminder, here was the challenge:

• Create a new policy that adds permissions to view, create, update, and delete IAM policies.

• Add it to the Identity Center permission set for IAM Administrators.

• Validate that it works.

With that, let’s get into it…

The Lab

Here’s an overview of the process:

• Log into the Identity Center portal as usual.

• Go into your IAM account with AdministratorAccess. Your IdentityCenterAdministration role doesn’t have the permissions you need.

• Create a new managed policy with the permissions needed to work with IAM policies (listed below).

• Add the new policy to your IAM Administrators permission set.

• Log out, then back in with the IdentityCenterAdministration role, to test.

Video Walkthrough

Step-by-Step

Sign into the Identity Center portal and go into IAM with AdministratorAccess:

Then go to IAM > Policies > Create policy:

Pick the JSON option, then type IAM in the search box, and select IAM:

Some of what you need has ‘Policy’ in the name, and other items will say ‘Policies’, so type polic into the search box to see them all. Scroll down the list, clicking the API calls listed below:

These are the ones to check:

• CreatePolicy

• CreatePolicyVersion

• DeletePolicy

• DeletePolicyVersion

• GetPolicy

• GetPolicyVersion

• ListPolicyVersions

• ListPolicies

• SetDefaultPolicyVersion

• ListEntitiesForPolicy

There are three important points here that will help with future work:

• Some resources you can’t edit directly — when you edit, AWS creates a new version which can be modified. That’s how IAM policies work. This is an important safety feature in case you need to roll back. So you need both API calls (create a policy and create a version) to make any changes. You’ll see this in some other places in AWS.

• List, Get, and Describe are the three main “read” API call prefixes. List for … listing when there are a bunch of things (list all the policies), Get to pull down a singular thing, and Describe… well, describe and get are often very similar in what they do, and someone from AWS please tell me your internal rules for when to use each — I know you’re watching! Usually I see Get when you are downloading the copy of the thing, and Describe when you are getting metadata rather than the object.

• SetDefaultPolicyVersion lets you choose which of the versions is used when a specific version isn’t specified.

• The last one got me! ListEntitiesForPolicy tells you which users/groups/roles are using that policy. When working with IAM Identity Center (or with policies via API or command line) you don’t necessarily need this. BUT! it turns out the AWS console does need it — because it checks to see whether a policy is attached before you delete it. You can’t delete a policy which is being used by anything.

  • If you watch the video you can see I make this mistake — on my first attempt I didn’t add this permission, and everything worked until I tried to delete the temporary policy we create later when testing, then I got an error. It took me a few minutes to figure it out. How?

    • I knew I had the correct delete permissions (for the policy and versions), and I knew it had to be something else. I knew the policy wasn’t attached so it couldn’t be that. Based on experience, I looked at all the requirements to delete a policy and the API calls. One is that a policy can’t be attached to anything. Then a lightbulb went off and I thought, “what if the console is checking that before trying to delete it?” Yep, nailed it on my first guess! When troubleshooting permission issues like this, walk through the process of what needs to be done in what order. Very frequently you will find checks or connections you don’t notice in the console, which are performed behind the scenes. Usually reading the steps in the documentation for the command line will lead you in the right direction.

That was a lot of exposition; if I were you I’d send some notes to the writer’s room. Anyway, now we need to specify all resources. Yes, this is very powerful but, in my book you only assign this policy to people authorized to administer IAM, which should be the most trusted people in your organization:

When you are all finished the left window should look like this:

Click Next, and on the next page enter the details. Name it ManagePoliciesForIdentityCenter and enter any description that works (do not use “()” in the description unless you want an error like I got). Click Create policy:

You’re finished in the IAM console; now you need to go to the IAM Identity Center console. Yeah, I know. Once there go to Permission sets and click IdentityCenterAdministration:

Unlike the IAM console, in Identity Center there is a separate spot to attach Customer managed policies. Scroll down to see it, then click Attach policies:

It makes you type in the name, ManagePoliciesForIdentityCenter, then click Attach policies:

All set! Now it’s time to test. Click the menu in the upper right, Sign out, and close the tab. Then go back to your sign in portal (that tab should still be open) and re-enter the IAM account, but this time with our updated IdentityCenterAdministration role:

For this next bit I’ll just tell you what to do — all the screenshots would be the same as creating the policy above. We want to confirm that you can create policies (we already have all the permissions to assign them in Identity Center — we just couldn’t create/update/delete the policies):

• Go to IAM > Polices > Create policy.

• Create a policy with some random managed policy (Not administrator access! But anything else will work).

• Name it deleteme.

• Delete the last Action, and the extra comma at the end of the line above.

• Save it… now that you know you can update.

• Delete it.

But that’s all busy work — if you followed all my other instructions, we know it all worked!

Congratulations if you nailed this all on your own. And it’s okay if you didn't — we’ll do more skills challenges in the future — I should have started sooner. I make mistakes every single time I touch AWS — it’s always a learning experience, no matter how many years you’ve been doing this.

And send any feedback or other ways you solved the challenge to [email protected]!

-Rich