What is crafting
In Axiom, "crafting" is the process of constructing a custom IAM policy when you create an access request. When the request is approved, Axiom creates a permission set in AWS IAM Identity Center using this crafted policy; when the request expires, Axiom deletes that permission set.
Crafted permission set life cycle
Crafted permission sets are ephemeral by nature:
When you submit the request: The permission set does not exist yet in AWS; the policy JSON is saved with your request, so that Axiom can create the permission set just-in-time.
When your request is approved: Axiom creates a permission set in AWS IAM Identity Center using the saved policy JSON, then attaches it to the Principal specified in your request (as an inline policy).
When your request expires: Axiom detaches the inline policy from the Principal, and deletes the crafted permission set from AWS.
How to start crafting
When creating an AWS access request, press the "Craft" button next to the Permission field. This will open the Crafting dialog.
You can select your baseline permission set before pressing Craft, or from within the crafting dialog.
The crafting dialog
The crafting dialog contains:
A baseline selector and a name field.
An interface for building policy statements without writing code.
A JSON viewer and editor for manually editing the policy, and comparing the baseline permission set to the crafted policy.
Baseline permission
The policy for a crafted permission set can be constructed from scratch (selecting "None" from the Baseline selector), or from any existing permission set.
Crafted permissions' naming
The name of a crafted permission set consists of two parts: a customizable prefix, and an auto-generated random four-letter suffix. The suffix cannot be changed, ensuring each crafted permission set has a unique name within your AWS account. The prefix is initially auto-generated based on the baseline permission set; you can modify the prefix when creating the request, or by editing the request at any time before request approval.
Policy statement constructor
Use this to build policy statements without needing to manually edit the policy JSON.
You can add as many statements as you wish (within the constraints of AWS).
Service
The Amazon/AWS service for which you want to construct a policy statement.
Resource type
Each Service has multiple resource types. Select one or more resource types for the current policy statement, or select "Any" to have the policy statement apply to all resource types for the selected Service.
Resource
The specific resources to which this statement will apply.
Note: currently, the constructor's resource selector only supports AWS S3, Amazon DynamoDB, and Amazon EC2. For defining specific resources for other Services:
- Create the statement without selecting a resource.
- Switch to manual edit mode and add the resources directly to the policy JSON.
Access level
AWS services support many different granular permissions. The statement constructor provides these abstract access levels:
Read
Write
List
Tagging
Permissions management
These abstract access levels map to specific IAM policy Actions for each service. Press "View as JSON" to see the detailed Actions for the selected Service/Resource type/Resource/Access level (see the example below for clarification).
Adding more statements
To add another statement to the policy, press the "Add another +" button below the last statement.
Viewing and manually editing the policy JSON
To view the full policy JSON, and compare it to the baseline permission set, press the "View and edit as JSON" bar.
Manually editing the policy JSON
To manually edit the policy JSON, press the Edit button.
When you are in Edit mode:
The appearance of the right side panel will change: you will see a blue border, and the title will begin with "Editing".
The permissions statements constructor is collapsed (you cannot use the constructor and edit mode at the same time)
If you get mixed up with your manual editing, you can always press the discard button: this will cancel your manual edits, and return to the constructor, with your constructed rules intact
You can "discard" manual edits and return to the constructor any time before submitting the request (even after setting the crafted permission and reopening the craft dialog). If you made manual edits, submitted the request, and then edit the request (before approval), you can recover the constructor, and all
Validation
As you type, the editor will show you red squiggly lines wherever there is an error.
Press "Validate" to see more detailed warnings and errors.
Warnings can be ignored by using the "Ignore" toggle button; errors must be fixed before saving.
The Validate action is also triggered automatically when you press "Set permission".
Setting the permission and returning to the request creation form
When you are done constructing/editing the crafted policy, press "Set permission".
Validation will be triggered before the dialog is closed.
The crafted policy will be saved when you submit the request.
Saving the crafted permission set for future use
You might want to reuse a crafted permission set in multiple requests, rather than just the current request. While you cannot currently save crafted permission sets directly through Axiom, you can create a permanent permission set in AWS IAM Identity Center by copying the JSON from your crafted policy. See this FAQ for a detailed walkthrough (TBC).
Renewing and cloning requests which use a crafted permission set
Since crafted permission sets are ephemeral, you cannot simply renew or clone requests which use crafted permission sets. When you try to do so, the Axiom user console will display a dialog, explaining the issue and guiding you to what you can do.
Example of Actions
Read for S3:
"Action": [
"s3:getaccel*",
"s3:getan*",
"s3:getb*",
"s3:gete*",
"s3:geti*",
"s3:getl*",
"s3:getme*",
"s3:getr*"
]
Read for DynamoDB:
"Action": [
"dynamodb:batchg*",
"dynamodb:co*",
"dynamodb:describec*",
"dynamodb:describek*",
"dynamodb:describet*",
"dynamodb:geti*",
"dynamodb:listtag*",
"dynamodb:partiqls*",
"dynamodb:q*",
"dynamodb:sc*"
]
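The wildcard patterns above are what the abstract access levels expand to, so the practical question before pressing "Set permission" is which concrete actions they grant. The following is an added example, not Axiom's own code: a small Python check that takes the "Read for S3" pattern list as a constructed crafted policy (the bucket ARN is a placeholder) and reports, for each action of interest, which patterns cover it. IAM action names match case-insensitively and use only the "*" and "?" wildcards; Deny statements and NotAction are not evaluated here.

```python
import json
import re

# Constructed sample: a crafted policy whose Action list is the "Read for S3"
# mapping shown on this page, scoped to a placeholder bucket ARN.
CRAFTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:getaccel*", "s3:getan*", "s3:getb*", "s3:gete*",
        "s3:geti*", "s3:getl*", "s3:getme*", "s3:getr*"
      ],
      "Resource": "arn:aws:s3:::example-bucket-placeholder"
    }
  ]
}
""")


def iam_pattern_to_regex(pattern: str) -> re.Pattern:
    """IAM action patterns use only '*' and '?' and match case-insensitively."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE)


def matching_patterns(policy: dict, action: str) -> list[str]:
    """Return the Allow-statement Action patterns that cover a concrete action.
    Only Allow/Action is considered; Deny and NotAction are out of scope here."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # "Action" may be a single string
            actions = [actions]
        hits.extend(p for p in actions if iam_pattern_to_regex(p).match(action))
    return hits


def allows(policy: dict, action: str) -> bool:
    return bool(matching_patterns(policy, action))


def review(policy: dict, actions: list[str]) -> dict[str, list[str]]:
    """Map each action of interest to the patterns granting it ([] = not granted)."""
    return {a: matching_patterns(policy, a) for a in actions}
```

Run `review(CRAFTED_POLICY, ["s3:GetBucketPolicy", "s3:GetObject", "s3:PutObject"])` to see that the listed Read patterns cover GetBucketPolicy but neither GetObject nor PutObject; an action missing from the result is one you would add to the statement, or confirm you do not need, before submitting.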