IAM Policy Add-On
Overview
The IAM Policy add-on allows you to create and manage custom AWS Identity and Access Management (IAM) policies for your Tapitalee applications. This provides fine-grained access control to AWS services beyond the default permissions, enabling your applications to securely interact with additional AWS resources like S3 buckets, SQS queues, SNS topics, and other AWS services.
Use Cases
Common Scenarios
- Bedrock: Grant your application access to Amazon Bedrock
Basic Policy Structure
IAM policies use JSON format with the following structure:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "service:action"
      ],
      "Resource": "arn:aws:service:region:account:resource"
    }
  ]
}

Commands
Import IAM Policy
tapit import iam_policy name=policy_name < policy.json

Imports custom IAM policies for advanced AWS service access.
Parameters
- name: Name for the IAM policy (must be unique within your application)
- Input: JSON policy document provided via stdin
Examples
# Create policy file for Bedrock access
cat > bedrock-access-policy.json << EOF
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "DenyInference",
    "Effect": "Deny",
    "Action": [
      "bedrock:InvokeModel",
      "bedrock:InvokeModelWithResponseStream",
      "bedrock:CreateModelInvocationJob"
    ],
    "Resource": "arn:aws:bedrock:*::foundation-model/model-id"
  }
}
EOF
# Import the policy
tapit import iam_policy name=bedrock-access < bedrock-access-policy.json

List IAM Policies
tapit list addons

Shows all add-ons including IAM policies. Look for entries with type iam-policy.
Delete IAM Policy
tapit delete addon name=policy_name

Removes an IAM policy from your application. The policy will be detached from all application processes.
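Because `tapit import iam_policy` takes the policy document from stdin and attaches it to your application roles, it is worth checking the document before importing it. The following added example (not part of the Tapitalee tooling) parses a policy document, accepts Statement as either an object or an array as the two examples above do, verifies the required fields, and flags Allow statements with a wildcard Action or Resource; the Bedrock sample policy is constructed inline from the example above.

```python
import json

# Constructed sample (the page's Bedrock policy): Statement is a single object
# here, while the basic structure above uses an array; IAM accepts both forms.
SAMPLE_POLICY = """{"Version": "2012-10-17", "Statement": {"Sid": "DenyInference",
  "Effect": "Deny", "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
  "Resource": "arn:aws:bedrock:*::foundation-model/model-id"}}"""

def normalize_statements(policy: dict) -> list:
    """Return Statement as a list whether the document used an object or an array."""
    stmts = policy.get("Statement")
    if isinstance(stmts, dict):
        return [stmts]
    if isinstance(stmts, list):
        return stmts
    raise ValueError("Statement must be an object or an array")

def as_list(value) -> list:
    """Action and Resource may be a single string or an array; always return a list."""
    return [value] if isinstance(value, str) else list(value or [])

def lint_policy(text: str) -> list:
    """Return findings for a policy document (an empty list means it passed)."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"invalid JSON: {e}"]
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    try:
        stmts = normalize_statements(policy)
    except ValueError as e:
        return findings + [str(e)]
    for i, s in enumerate(stmts):
        sid = s.get("Sid", f"statement[{i}]")
        if s.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{sid}: Effect must be Allow or Deny")
        actions, resources = as_list(s.get("Action")), as_list(s.get("Resource"))
        if not actions or not resources:
            findings.append(f"{sid}: Action and Resource are required")
        if s.get("Effect") == "Allow":  # broad Deny is fine; broad Allow is not
            if any(a == "*" or a.endswith(":*") for a in actions):
                findings.append(f"{sid}: Allow with wildcard Action")
            if "*" in resources:
                findings.append(f"{sid}: Allow on Resource \"*\"")
    return findings

if __name__ == "__main__":
    print(lint_policy(SAMPLE_POLICY))  # -> []
```

Run it over the file before piping the same file into `tapit import iam_policy`; an empty result means the document passed these checks.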
Environment Integration
Automatic Role Assignment
When you import an IAM policy, Tapitalee automatically:
- Creates an IAM policy in your AWS account
- Attaches the policy to your application’s execution role and EC2 instance role