[DOCS-4085] Document the minimal IAM permissions necessary for the key given to MMS Automation
Created: 25/Sep/14  Updated: 16/Mar/15  Resolved: 04/Oct/14

Status: Closed
Project: Documentation
Component/s: Cloud Manager
Affects Version/s: None
Fix Version/s: v1.3.12

Type: Task
Priority: Critical - P2
Reporter: Cadran Cowansage
Assignee: Bob Grabar
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

For provisioning/automation:

When a user gives us keys to their AWS account, those keys are associated with a particular AWS IAM user. That user must have a minimum set of permissions in order for MMS to successfully provision machines. If not, provisioning will fail because it is not authorized to complete API requests with Amazon.

The user should have an IAM user policy with the below actions included at a minimum:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1411574112000",
      "Effect": "Allow",
      "Action": ["iam:*AccessKey*"],
      "Resource": ["arn:aws:iam::*:user/mms-build"]
    },
    {
      "Sid": "SomeOtherId",
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:CreateKeyPair",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteKeyPair",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteTags",
        "ec2:DeleteVolume",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeRegions",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVpcs",
        "ec2:DescribeVolumeAttribute",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVolumes",
        "ec2:ImportKeyPair",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
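
A least-privilege review of the policy above, as an added example that is not part of the original ticket or of MMS: it reports wildcard actions, mutating actions allowed on any resource, and ARNs that match any account. The IAM_ACTIONS catalogue is a constructed partial list, the EC2 action list is abbreviated, and the READ_ONLY prefix rule is a heuristic assumption.

```python
import re

# Partial catalogue of IAM action names, constructed for this example.
IAM_ACTIONS = ["CreateAccessKey", "DeleteAccessKey", "GetAccessKeyLastUsed",
               "ListAccessKeys", "UpdateAccessKey", "CreateUser", "ListUsers"]
# Policy from the ticket; the EC2 action list is abbreviated here.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Stmt1411574112000", "Effect": "Allow",
     "Action": ["iam:*AccessKey*"],
     "Resource": ["arn:aws:iam::*:user/mms-build"]},
    {"Sid": "SomeOtherId", "Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "ec2:RunInstances",
                "ec2:TerminateInstances", "ec2:DeleteVolume"],
     "Resource": ["*"]},
]}
# Assumption (heuristic): these name prefixes mark non-mutating calls.
READ_ONLY = ("Describe", "Get", "List")

def as_list(value):  # IAM accepts a bare string/object in place of a list
    return [value] if isinstance(value, (str, dict)) else list(value)

def expand(pattern, catalogue):
    """Expand an action pattern (* and ? wildcards, case-insensitive)."""
    service, _, name = pattern.partition(":")
    rx = re.escape(name).replace(r"\*", ".*").replace(r"\?", ".")
    return [f"{service}:{a}" for a in catalogue if re.fullmatch(rx, a, re.I)]

def audit(policy):
    """Return (sid, finding, value) tuples for every Allow statement."""
    findings = []
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        sid, resources = st.get("Sid", "?"), as_list(st["Resource"])
        for action in as_list(st["Action"]):
            name = action.partition(":")[2] or action
            if "*" in name or "?" in name:
                findings.append((sid, "wildcard-action", action))
            elif "*" in resources and not name.startswith(READ_ONLY):
                findings.append((sid, "mutating-on-any-resource", action))
        for arn in resources:
            # ARN layout: arn:partition:service:region:account-id:resource
            parts = arn.split(":", 5)
            if len(parts) == 6 and "*" in parts[4]:
                findings.append((sid, "any-account", arn))
    return findings

if __name__ == "__main__":
    for finding in audit(POLICY):
        print(*finding, sep="\t")
    print(expand("iam:*AccessKey*", IAM_ACTIONS))
```

To review the full policy, load the JSON from the ticket with json.load and pass the resulting dict to audit().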



 Comments   
Comment by Githook User [ 04/Oct/14 ]

Author: Bob Grabar (bgrabar) <bob.grabar@10gen.com>

Message: DOCS-4085 setting correct permissions for aws user
Branch: master
https://github.com/10gen/mms-docs/commit/9e118a29c8928f83ada7825cb99fae5664fd4948
