Define IAM permissions required for creating AWS instances #429
Assignees
Labels
Comments
ivyleavedtoadflax
changed the title
|
We don't have yet a public reference for permissions, but this template should be a good starting point: {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*::image/*",
"arn:aws:ec2:*:{{account}}:instance/*",
"arn:aws:ec2:*:{{account}}:key-pair/*",
"arn:aws:ec2:*:{{account}}:network-interface/*",
"arn:aws:ec2:*:{{account}}:security-group/*",
"arn:aws:ec2:*:{{account}}:subnet/*",
"arn:aws:ec2:*:{{account}}:volume/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:ImportKeyPair",
"ec2:CreateKeyPair",
"ec2:CreateTags",
"ec2:DeleteKeyPair",
"ec2:RequestSpotInstances"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:Region": "{{region}}"
}
}
},
{
"Effect": "Allow",
"Action": [
"config:ListDiscoveredResources",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeSecurityGroups",
"ec2:CreateSecurityGroup",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:DescribeSpotInstanceRequests",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"sts:DecodeAuthorizationMessage"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"ec2:TerminateInstances"
],
"Resource": [
"arn:aws:ec2:*:{{account}}:instance/*"
],
"Condition": {
"StringEquals": {
"ec2:Region": "{{region}}"
}
}
}
]
} |
|
Wow that was quick. Thanks 👍 |
|
duplicated of iterative/terraform-provider-iterative#75 |
This was referenced Jul 8, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is it possible to publish an IAM policy detailing the minimal set of permissions required to run cml-runners on AWS?
It would be good to lock down the permissions, and i thought I would ask before I start with trial and error!
The text was updated successfully, but these errors were encountered: