IAM Policy Add-On

Overview

The IAM Policy add-on allows you to create and manage custom AWS Identity and Access Management (IAM) policies for your Tapitalee applications. This provides fine-grained access control to AWS services beyond the default permissions, enabling your applications to securely interact with additional AWS resources like S3 buckets, SQS queues, SNS topics, and other AWS services.

Use Cases

Common Scenarios

  • Bedrock: Grant your application access to Amazon Bedrock

Basic Policy Structure

IAM policies use JSON format with the following structure:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "service:action"
      ],
      "Resource": "arn:aws:service:region:account:resource"
    }
  ]
}

Commands

Import IAM Policy

tapit import iam_policy name=policy_name < policy.json

Imports custom IAM policies for advanced AWS service access.

Parameters

  • name: Name for the IAM policy (must be unique within your application)
  • Input: JSON policy document provided via stdin

Examples

# Create a simple policy file granting S3 read access
cat > s3-read-policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": "*"
    }
  ]
}
EOF

# Import the policy
tapit import iam_policy name=s3-read < s3-read-policy.json
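
The policy above uses "Resource": "*", so the application can read every bucket in the account, not just the one it needs, and because the add-on attaches the document to the role shared by all of your application's containers and instances, that grant reaches every process. The following is an added example (not Tapitalee's code, and not part of the tapit CLI) that parses a policy document in the structure shown under Basic Policy Structure, rejects malformed documents, and flags over-broad Allow statements before you run the import. The bucket name example-app-assets in the scoped sample is a placeholder.

```python
import json
from typing import Any

# Constructed sample: the S3 read policy from the import example, whose
# Resource "*" grants GetObject/ListBucket on every bucket in the account.
BROAD_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": "*"
    }
  ]
}
"""

# Constructed sample: the same permissions scoped to one bucket (placeholder
# name). ListBucket targets the bucket ARN, GetObject the object ARNs under it.
SCOPED_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-app-assets"
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-app-assets/*"
    }
  ]
}
"""


def _as_list(value: Any) -> list:
    """IAM accepts either a bare string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def load_policy(text: str) -> dict:
    """Parse a policy document and reject structurally invalid ones before import."""
    doc = json.loads(text)
    if doc.get("Version") != "2012-10-17":
        raise ValueError("policy Version must be 2012-10-17")
    statements = _as_list(doc.get("Statement"))
    if not statements:
        raise ValueError("policy has no Statement")
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            raise ValueError(f"statement {idx}: Effect must be Allow or Deny")
        if "Action" not in stmt and "NotAction" not in stmt:
            raise ValueError(f"statement {idx}: missing Action")
        if "Resource" not in stmt and "NotResource" not in stmt:
            raise ValueError(f"statement {idx}: missing Resource")
    return doc


def is_valid_policy(text: str) -> bool:
    """True when the document parses and passes the structural checks above."""
    try:
        load_policy(text)
        return True
    except (ValueError, AttributeError):  # JSONDecodeError is a ValueError
        return False


def lint_policy(doc: dict) -> list[str]:
    """One finding per over-broad Allow statement; an empty list means it passes."""
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {idx}: Resource '*' covers every resource in the account")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {idx}: NotAction/NotResource allows everything not listed")
    return findings


def lint_text(text: str) -> list[str]:
    """Parse then lint, as you would run on policy.json before `tapit import`."""
    return lint_policy(load_policy(text))


if __name__ == "__main__":
    for label, text in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        findings = lint_text(text)
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

Run it as `python lint_policy.py` (or import `lint_text` and point it at the file you are about to pipe into `tapit import iam_policy`); a non-empty result is the cue to narrow the Action or Resource before the policy lands on the shared role.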

Create Managed IAM Policy

tapit create managed_iam_policy name=policy_name policy_arn=arn:aws:iam::aws:policy/ReadOnlyAccess

Attaches an AWS-managed IAM policy to your application by ARN. Use this when you want to grant your application the permissions defined by a policy that AWS maintains for you, such as ReadOnlyAccess, AmazonS3ReadOnlyAccess, or any other policy in the AWS managed policy library. You supply only the ARN; there is no policy document to maintain.

Parameters

  • name: A local name for the policy attachment (must be unique within your application)
  • policy_arn: The ARN of the AWS-managed IAM policy to attach (e.g. arn:aws:iam::aws:policy/ReadOnlyAccess)

Examples

# Attach the AWS-managed AmazonBedrockFullAccess policy
tapit create managed_iam_policy name=bedrock policy_arn=arn:aws:iam::aws:policy/AmazonBedrockFullAccess

List IAM Policies

tapit list addons

Shows all add-ons including IAM policies. Look for entries with type iam-policy.

Delete IAM Policy

tapit delete addon name=policy_name

Removes an IAM policy from your application. The policy will be detached from all application processes.

Environment Integration

Automatic Role Assignment

When you import an IAM policy, Tapitalee automatically:

  1. Creates an IAM policy in your AWS account
  2. Attaches the policy to your application’s IAM role; this role is shared by every container and EC2 instance in your app