Version: v1.13

AWS Roles

AWS-Roles in Amorphic are used to switch to the AWS console from Amorphic. This feature helps users view their resources in AWS.

Amorphic has some pre-defined, system-generated AWS-Roles. A user can have multiple AWS-Roles attached and can switch to the AWS console using these roles. In the AWS console, these roles only have view permissions.

Once an AWS-Role is attached to a user, the user will see that role in the Switch To Console option under the Profile icon and can use it to switch to the AWS console.

The following picture depicts the Role Management Console in Amorphic:

Aws-Roles Home Page

What is an AWS-Role?

These are roles created by Amorphic in AWS, which are used to switch to the AWS console from Amorphic.

AWS-Roles have the following properties:

  • An AWS-Role can have multiple users attached to it.
  • An AWS-Role only has view permissions.
  • For now, all AWS-Roles are system generated and can't be deleted.

Amorphic has three types of AWS-Roles:

  • DMS View Role : System-generated AWS-Role with view-only permissions for the DMS service.
  • Glue View Role : System-generated AWS-Role with view-only permissions for the Glue service.
  • All System View Role : System-generated AWS-Role with view-only permissions for all AWS services that are part of Amorphic.

DMS View Role

This AWS-Role only has view permissions for the DMS service in AWS. Once the user switches to the AWS console using this role, the user will be able to see resources in DMS and its logs from specific CloudWatch log groups.

Log groups that are part of this AWS-Role:

  • log-group:/...replicationTaskCreation
  • log-group:/...connections

Glue View Role

This AWS-Role only has view permissions for the Glue service in AWS. Once the user switches to the AWS console using this role, the user will be able to see all resources associated with the Glue service and its logs from specific CloudWatch log groups.

Log groups that are part of this AWS-Role:

  • log-group:/aws-glue/jobs/error
  • log-group:/aws-glue/jobs/logs-v2
  • log-group:/aws-glue/jobs/output
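
A view role is only as narrow as the IAM policy behind it, so it is worth checking that policy against the scope described above. The following is an added example, not Amorphic's own code or policy: it audits a policy document for actions that are not view-only and for CloudWatch Logs access outside the three Glue log groups listed here. The sample policies, the placeholder account ID, and the read-verb prefix list (a heuristic) are assumptions.

```python
# Constructed sample policies; NOT Amorphic's real Glue View Role policy.
ALLOWED_LOG_GROUPS = {          # log groups listed on this page
    "/aws-glue/jobs/error",
    "/aws-glue/jobs/logs-v2",
    "/aws-glue/jobs/output",
}
READ_VERBS = ("get", "list", "describe", "batchget", "filter", "search")
ARN = "arn:aws:logs:us-east-1:111122223333:log-group:"  # placeholder account

VIEW_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["glue:Get*", "glue:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["logs:GetLogEvents", "logs:FilterLogEvents"],
     "Resource": [ARN + "/aws-glue/jobs/error:*", ARN + "/aws-glue/jobs/output:*"]},
]}
DRIFTED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["glue:Get*", "glue:StartJobRun"], "Resource": "*"},
    {"Effect": "Allow", "Action": "logs:GetLogEvents", "Resource": "*"},
]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def log_group_name(arn):
    """Extract the log-group name from a CloudWatch Logs ARN, else None."""
    _, sep, rest = arn.partition(":log-group:")
    return rest.split(":", 1)[0] if sep else None

def audit_view_role(policy, allowed_log_groups=ALLOWED_LOG_GROUPS):
    """Return findings where an Allow statement exceeds view-only scope."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows every action except those listed
            findings.append(f"stmt {i}: NotAction is not view-only")
        actions = as_list(stmt.get("Action", []))
        for action in actions:
            verb = action.partition(":")[2].lower()
            if not verb.startswith(READ_VERBS):  # also catches "*" and "svc:*"
                findings.append(f"stmt {i}: non-view action {action}")
        if any(a.lower().startswith("logs:") for a in actions):
            for res in as_list(stmt.get("Resource", [])):
                if log_group_name(res) not in allowed_log_groups:
                    findings.append(f"stmt {i}: log access outside listed groups: {res}")
    return findings

if __name__ == "__main__":
    for name, policy in (("VIEW_ONLY", VIEW_ONLY), ("DRIFTED", DRIFTED)):
        print(name, audit_view_role(policy) or "ok")
```

A prefix match on the action verb is a coarse filter: it catches write and wildcard grants, but it does not judge whether a particular read action exposes sensitive data.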

All System View Role

This AWS-Role only has view permissions for the AWS services that are supported by Amorphic. Once the user switches to the AWS console using this role, the user will be able to see resources of all AWS services that are part of Amorphic. The All System View Role is only accessible to AdminUsers; normal users can't be attached to this role.

For now, the AWS services supported by the All System View Role are:

  • Amazon Athena
  • Amazon Comprehend
  • Amazon Comprehend Medical
  • AWS Database Migration Service (DMS)
  • Amazon DynamoDB
  • Amazon Forecast
  • AWS Glue
  • Amazon Kendra
  • Amazon Kinesis
  • Amazon Kinesis Data Analytics
  • Amazon Kinesis Data Firehose
  • AWS Lake Formation
  • Amazon RDS
  • Amazon Redshift
  • Amazon Rekognition
  • Amazon SageMaker
  • AWS Step Functions
  • Amazon Textract
  • Amazon Transcribe
  • Amazon Translate

AWS-Role Metadata Information

| Type | Description |
|---|---|
| Role Name | Role name, which uniquely identifies the functionality of the role. |
| Role Description | A brief explanation of the AWS-Role, typically the functionality it is used for. |
| Consolidated AWS Permissions | A permission is an action defined for a particular AWS service. Each AWS-Role consists of a group of permissions. These permissions determine the level of access within AWS. |
| UsersAttached | The list of users to whom the role is attached. |
| CreatedBy | Who created the role. |
| LastModifiedBy | Who most recently updated the role. |
| LastModifiedTime | Timestamp when the role was most recently updated. |

How are roles associated with a user

The three AWS-Roles are accessible to AdminUsers by default at deployment time. An AdminUser who wants to switch to the console using one of these roles must first attach themselves to it; only then can they switch to the AWS console using that role. AdminUsers can also attach other users/admins to, or detach them from, these AWS-Roles.

Default users can see these AWS-Roles in their profile only if they are attached to them.

Role Operations

Amorphic allows the following operations on AWS-Roles.

  • View Role : View existing role metadata information.
  • Update Role : Update the users attached to existing AWS-Roles (applicable to AdminUsers only).
  • Switch To Console : Lets a user switch to the AWS console using these AWS-Roles.

View Role

If the user has sufficient permissions to view a role (either AdminUser or AttachedUser), they can view all of the role information by clicking on the Role Name under the AWS-Roles section inside the Management Menu.

Please follow the below animation to view the role information in detail:

Aws-Roles View role

Update Role

If the user is an AdminUser, they can update details about an AWS Role by selecting the AWS Role Name under the AWS-Roles section inside the Management Menu. This redirects to a page showing details about the AWS Role. From this page, choose the Edit Role button, select the users that need to be attached to the role, and finally click Update.

Please follow the below animation to update the role information in detail:

Aws-Roles Edit role

Switch To Console

The Switch To Console functionality is enabled for users who have an AWS-Role attached. It can be accessed by clicking on the User Profile icon and then the Switch To Console item of the drop-down menu. Users are presented with a drop-down list of the AWS-Roles they are attached to, and selecting one of the roles switches to the AWS console automatically.

Please follow the below animation to switch to console:

Aws-Roles Switch to console