IAM permissions for cloud-aws plugin?


(Eric Jain) #1

Does anyone know the minimum set of permissions the cloud-aws plugin
requires to work? I'm trying to restrict from EC2:All + S3:All...

[S3]
AbortMultipartUpload
CopyObject
CreateBucket
DeleteBucket
DeleteObject
DeleteObjectVersion
GetBucketAccessControlPolicy
GetBucketAcl
GetBucketLocation
GetBucketLogging
GetBucketNotification
GetBucketPolicy
GetBucketRequestPayment
GetBucketVersioning
GetLifecycleConfiguration
GetObject
GetObjectAccessControlPolicy
GetObjectAcl
GetObjectExtended
GetObjectVersion
GetObjectVersionAcl
ListAllMyBuckets
ListBucket
ListBucketMultipartUploads
ListBucketVersions
ListMultipartUploadParts
PutBucketAcl
PutBucketLogging
PutBucketNotification
PutBucketPolicy
PutBucketRequestPayment
PutBucketVersioning
PutLifecycleConfiguration
PutObject
PutObjectAcl
PutObjectInline
PutObjectVersionAcl
SetBucketAccessControlPolicy
SetObjectAccessControlPolicy

[EC2]
ActivateLicense
AllocateAddress
AssociateAddress
AssociateDhcpOptions
AssociateRouteTable
AttachInternetGateway
AttachNetworkInterface
AttachVolume
AttachVpnGateway
AuthorizeSecurityGroupEgress
AuthorizeSecurityGroupIngress
BundleInstance
CancelBundleTask
CancelConversionTask
CancelSpotInstanceRequests
ConfirmProductInstance
CreateCustomerGateway
CreateDhcpOptions
CreateImage
CreateInternetGateway
CreateKeyPair
CreateNetworkAcl
CreateNetworkAclEntry
CreateNetworkInterface
CreatePlacementGroup
CreateRoute
CreateRouteTable
CreateSecurityGroup
CreateSnapshot
CreateSpotDatafeedSubscription
CreateSubnet
CreateTags
CreateVolume
CreateVpc
CreateVpnConnection
CreateVpnGateway
DeactivateLicense
DeleteCustomerGateway
DeleteDhcpOptions
DeleteInternetGateway
DeleteKeyPair
DeleteNetworkAcl
DeleteNetworkAclEntry
DeleteNetworkInterface
DeletePlacementGroup
DeleteRoute
DeleteRouteTable
DeleteSecurityGroup
DeleteSnapshot
DeleteSpotDatafeedSubscription
DeleteSubnet
DeleteTags
DeleteVolume
DeleteVpc
DeleteVpnConnection
DeleteVpnGateway
DeregisterImage
DescribeAddresses
DescribeAvailabilityZones
DescribeBundleTasks
DescribeConversionTasks
DescribeCustomerGateways
DescribeDhcpOptions
DescribeImageAttribute
DescribeImages
DescribeInstanceAttribute
DescribeInstanceStatus
DescribeInstances
DescribeInternetGateways
DescribeKeyPairs
DescribeLicenses
DescribeNetworkAcls
DescribeNetworkInterfaceAttribute
DescribeNetworkInterfaces
DescribePlacementGroups
DescribeRegions
DescribeReservedInstances
DescribeReservedInstancesOfferings
DescribeRouteTables
DescribeSecurityGroups
DescribeSnapshotAttribute
DescribeSnapshots
DescribeSpotDatafeedSubscription
DescribeSpotInstanceRequests
DescribeSpotPriceHistory
DescribeSubnets
DescribeTags
DescribeVolumes
DescribeVpcs
DescribeVpnConnections
DescribeVpnGateways
DetachInternetGateway
DetachNetworkInterface
DetachVolume
DetachVpnGateway
DisassociateAddress
DisassociateRouteTable
GetConsoleOutput
GetPasswordData
ImportInstance
ImportKeyPair
ImportVolume
ModifyImageAttribute
ModifyInstanceAttribute
ModifyNetworkInterfaceAttribute
ModifySnapshotAttribute
MonitorInstances
PurchaseReservedInstancesOffering
RebootInstances
RegisterImage
ReleaseAddress
ReplaceNetworkAclAssociation
ReplaceNetworkAclEntry
ReplaceRoute
ReplaceRouteTableAssociation
ReportInstanceStatus
RequestSpotInstances
ResetImageAttribute
ResetInstanceAttribute
ResetNetworkInterfaceAttribute
ResetSnapshotAttribute
RevokeSecurityGroupEgress
RevokeSecurityGroupIngress
RunInstances
StartInstances
StopInstances
TerminateInstances
UnmonitorInstances


(Alex Lambert-2) #2

We are using this policy:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKETNAME",
        "arn:aws:s3:::BUCKETNAME/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "EC2:Describe*",
      "Resource": "*"
    }
  ]
}

Cheers,
Alex

On Tuesday, May 22, 2012 7:13:32 PM UTC-4, Eric Jain wrote:

Does anyone know the minimum set of permissions the cloud-aws plugin
requires to work? I'm trying to restrict from EC2:All + S3:All...


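Added example, not code from this thread or from the cloud-aws plugin: an offline checker that takes a policy in the shape of the one posted above (s3:* scoped to one bucket plus ec2:Describe*) and answers the question the thread is really asking, i.e. whether the policy covers what the plugin needs and what else it hands out. The bucket name, the sample object ARNs and the set of actions assumed to be required by the plugin (EC2 discovery listing instances, the S3 gateway listing, reading, writing, deleting and aborting multipart uploads in its bucket) are assumptions made for the demonstration, not taken from the plugin's source. Deny statements and Conditions are deliberately not modelled.

```python
"""Check an IAM policy against the actions a caller needs.

Added example; not code from this thread or from the cloud-aws plugin.
Assumed: the bucket name, the ARNs in the sample requests and the set of
actions attributed to the plugin are made up for the demonstration.
"""
import fnmatch
import json
from collections import Counter

BUCKET = "example-es-gateway"  # assumed bucket name

# Same shape as the posted policy, as ONE Statement array. A JSON object
# with two "Statement" keys is a bug: json.loads (and most other parsers)
# silently keeps only the last one, so one of the grants disappears.
POLICY = {
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        },
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ]
}

# Assumed need set (not taken from the plugin's source): EC2 discovery lists
# instances; the S3 gateway lists/reads/writes/deletes objects in its bucket.
REQUIRED = [
    ("ec2:DescribeInstances", "*"),
    ("s3:ListBucket", f"arn:aws:s3:::{BUCKET}"),
    ("s3:GetObject", f"arn:aws:s3:::{BUCKET}/indices/0/segments_1"),
    ("s3:PutObject", f"arn:aws:s3:::{BUCKET}/indices/0/segments_1"),
    ("s3:DeleteObject", f"arn:aws:s3:::{BUCKET}/indices/0/segments_1"),
    ("s3:AbortMultipartUpload", f"arn:aws:s3:::{BUCKET}/indices/0/big.cfs"),
]

# Privileged actions from the question's lists that a gateway has no reason
# to hold; used to show what s3:* on the bucket still hands out.
SHOULD_NOT_NEED = [
    ("ec2:RunInstances", "*"),
    ("ec2:TerminateInstances", "*"),
    ("s3:GetObject", "arn:aws:s3:::some-other-bucket/secret"),
    ("s3:DeleteBucket", f"arn:aws:s3:::{BUCKET}"),
    ("s3:PutBucketPolicy", f"arn:aws:s3:::{BUCKET}"),
]


def parse_policy(text):
    """json.loads that rejects duplicate keys instead of dropping one."""
    def reject_dupes(pairs):
        dupes = [k for k, n in Counter(k for k, _ in pairs).items() if n > 1]
        if dupes:
            raise ValueError(f"duplicate key(s) in policy object: {dupes}")
        return dict(pairs)
    return json.loads(text, object_pairs_hook=reject_dupes)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' are the wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, arn):
    # Resource ARNs are matched case-sensitively; '*' spans '/' as in IAM.
    return fnmatch.fnmatchcase(arn, pattern)


def allows(policy, action, resource):
    """True if some Allow statement covers (action, resource).

    Simplification (assumption): Deny statements and Conditions are ignored.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(_action_matches(p, action) for p in _as_list(stmt["Action"])) and any(
            _resource_matches(p, resource) for p in _as_list(stmt["Resource"])
        ):
            return True
    return False


def missing_grants(policy, required):
    """(action, resource) pairs the caller needs but the policy does not grant."""
    return [(a, r) for a, r in required if not allows(policy, a, r)]


def unwanted_grants(policy, unwanted):
    """(action, resource) pairs the policy grants although nothing needs them."""
    return [(a, r) for a, r in unwanted if allows(policy, a, r)]


if __name__ == "__main__":
    print("missing:", missing_grants(POLICY, REQUIRED))
    print("over-granted:", unwanted_grants(POLICY, SHOULD_NOT_NEED))
```

Run as-is it reports nothing missing and two over-grants: `s3:*` on the bucket ARN also allows `s3:DeleteBucket` and `s3:PutBucketPolicy`, so a leaked node credential could delete the gateway bucket or rewrite its bucket policy. Replacing `s3:*` with the object and list actions the gateway actually issues (and re-running the check) removes that without touching discovery, which only needs `ec2:Describe*` on `*`. `parse_policy` is there because a policy pasted together from two snippets can easily end up with two `Statement` keys; a plain `json.loads` keeps only the last one and the other grant vanishes silently.
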
(Eric Jain) #3

Thanks--just what I was looking for.

On Tue, May 22, 2012 at 8:58 PM, Alex Lambert alex@spindle.com wrote:
