- Type: Task
- Resolution: Done
- Priority: Critical - P2
- Affects Version/s: None
- Component/s: Cloud Manager
- Labels: None

For provisioning/automation:
When a user gives us keys to their AWS account, those keys are associated with a particular AWS IAM user. That user must have a minimum set of permissions in order for MMS to successfully provision machines. If not, provisioning will fail because MMS is not authorized to complete API requests with Amazon.
The user should have an IAM user policy that includes, at a minimum, the actions below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1411574112000",
      "Effect": "Allow",
      "Action": ["iam:*AccessKey*"],
      "Resource": ["arn:aws:iam::*:user/mms-build"]
    },
    {
      "Sid": "SomeOtherId",
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:CreateKeyPair",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteKeyPair",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteTags",
        "ec2:DeleteVolume",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeRegions",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVpcs",
        "ec2:DescribeVolumeAttribute",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVolumes",
        "ec2:ImportKeyPair",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": ["*"]
    }
  ]
}
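
A pre-flight check for the failure described above, as an added example (not code from this ticket or from MMS): it reports which of the listed EC2 actions a user's policy document does not allow, expanding IAM `*` and `?` wildcards. The names `missing_actions`, `REQUIRED` and `CANDIDATE` are hypothetical, the candidate policy is constructed, and only the `Action` lists of `Allow` statements are evaluated (`Deny`, `NotAction`, `Resource` and `Condition` are not).

```python
import json
import re

# EC2 actions copied from the policy in this ticket.
# The iam:*AccessKey* statement is a pattern, not a concrete action, and is not checked here.
REQUIRED = ["ec2:" + a for a in """
AttachVolume CreateKeyPair CreateSecurityGroup CreateTags CreateVolume
DeleteKeyPair DeleteSecurityGroup DeleteTags DeleteVolume
DescribeAccountAttributes DescribeAvailabilityZones DescribeInstanceAttribute
DescribeInstanceStatus DescribeInstances DescribeKeyPairs DescribeRegions
DescribeSecurityGroups DescribeSubnets DescribeTags DescribeVpcs
DescribeVolumeAttribute DescribeVolumeStatus DescribeVolumes ImportKeyPair
RunInstances StartInstances StopInstances RebootInstances TerminateInstances
""".split()]

# Constructed sample: a policy written with wildcards that looks complete but is not.
CANDIDATE = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["ec2:Describe*", "ec2:*Instances", "ec2:CreateTags"]},
  {"Effect": "Allow", "Resource": "*", "Action": "ec2:*KeyPair"}
]}
""")


def _as_list(value):
    # IAM accepts either a single value or a list for Statement and Action.
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action patterns: '*' is any run of characters, '?' is one character,
    # and action names compare case-insensitively.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, action, re.IGNORECASE) is not None


def missing_actions(policy, required=REQUIRED):
    """Return the required actions that no Allow statement in `policy` covers."""
    allowed = [pattern
               for stmt in _as_list(policy.get("Statement", []))
               if stmt.get("Effect") == "Allow"
               for pattern in _as_list(stmt.get("Action", []))]
    return sorted(r for r in required
                  if not any(_matches(p, r) for p in allowed))


if __name__ == "__main__":
    for action in missing_actions(CANDIDATE):
        print("missing:", action)
```
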