troelskn

What permissions should I grant an IAM so that it may create instances and manage them?

I want to create an IAM user that is allowed to create new instances and fully manage them (including terminating them), but has no access to any other instances. I tried the following (the IAM user name is auto-provision):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:*"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:Owner": "auto-provision"
        }
      }
    }
  ]
}

This doesn't work as expected. The user can create an instance fine, but has no access to manage it. I assume my Condition in the last statement doesn't work because an "owner" is the entire account and not the user?


Answers (1)

troelskn

I found a workaround for this, with some suggestions from Assaf Lavie in the comments.

First I created a placement-group called auto-provision-placement-group. Then I changed my policy file to something like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:*"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:PlacementGroup": "arn:aws:ec2:eu-west-1:111111111111:placement-group/auto-provision-placement-group"
        }
      }
    }
  ]
}

When launching new instances, I assign the relevant placement group. E.g. (using Ruby fog):

fog.compute.servers.create(:placement_group => 'auto-provision-placement-group', ...)

The servers are created into the placement group, which is then used to control access to most functions. I deliberately allowed full access to tags, since I use it to identify ownership of machines. The placement-group then becomes my "access control".

A hack, but it works.

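To see which EC2 calls the placement-group policy in the answer above actually admits, here is a small Python model of how IAM evaluates Allow statements with a StringEquals condition. This is an added example, not code from the poster or from AWS: it models only Allow statements, the `*` action wildcard and the StringEquals operator, treats `"Resource": "*"` as matching everything, and the request contexts it checks are constructed. The condition key `ec2:PlacementGroup` is the real EC2 key the answer's policy uses; the helper names (`is_allowed`, `check_policy`) are this example's own.

```python
"""Simplified model of IAM Allow-statement evaluation, applied to the
placement-group policy from the answer. Illustration only: real IAM also
scopes by Resource ARN, applies explicit Deny and supports many operators."""
import fnmatch

PG_ARN = ("arn:aws:ec2:eu-west-1:111111111111:"
          "placement-group/auto-provision-placement-group")

# The answer's second policy, reproduced as a Python dict.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["cloudwatch:ListMetrics",
                    "cloudwatch:GetMetricStatistics",
                    "cloudwatch:Describe*"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:RunInstances", "ec2:CreateTags", "ec2:DeleteTags"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*",
         "Condition": {"StringEquals": {"ec2:PlacementGroup": PG_ARN}}},
    ],
}


def _action_matches(patterns, action):
    """IAM action names are case-insensitive; '*' is the only wildcard."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_holds(condition, context):
    """StringEquals only. A key that is absent from the request context makes
    the condition false; that is what keeps the user away from instances
    outside the placement group."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if context.get(key) != expected:
                return False
    return True


def is_allowed(policy, action, context):
    """True if some Allow statement matches the action and its condition,
    if any, holds against the request context. No explicit Deny is modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not _action_matches(stmt["Action"], action):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


def check_policy(policy=POLICY):
    """Evaluate the calls the question cares about against constructed
    request contexts (hypothetical, for illustration)."""
    other_pg = PG_ARN.replace("auto-provision", "other")
    cases = {
        "run_any": ("ec2:RunInstances", {}),
        "describe": ("ec2:DescribeInstances", {}),
        "tag_any": ("ec2:CreateTags", {}),
        "terminate_in_group": ("ec2:TerminateInstances",
                               {"ec2:PlacementGroup": PG_ARN}),
        "terminate_outside_group": ("ec2:TerminateInstances", {}),
        "terminate_other_group": ("ec2:TerminateInstances",
                                  {"ec2:PlacementGroup": other_pg}),
        "iam_escape": ("iam:CreateUser", {}),
    }
    return {name: is_allowed(policy, action, ctx)
            for name, (action, ctx) in cases.items()}


if __name__ == "__main__":
    for name, allowed in check_policy().items():
        print(f"{name:25s} {'ALLOW' if allowed else 'DENY'}")
```

Two things the model makes visible that the policy text alone does not: nothing in the RunInstances statement forces a launch into the placement group, so an instance the user launches without it is simply one the user can no longer manage, and the unconditional CreateTags/DeleteTags statement applies to every instance in the account, not only to the ones in the group.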