To use the following template:

1) Remove the comments, since JSON does not allow them

2) Replace the Python-style template arguments (`%{name}s`) with string values


These are the minimum IAM role settings that keep a CycleCloud instance fully functional:


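{
    ///////////////////////////////////////////////////////////////////////////
    // Python template string-style args
    //
    // Every arg is substituted verbatim, so the value must already carry the
    // JSON quoting the position needs (see the per-arg notes).
    //
    // bucket      : ARN of the Locker bucket (substituted inside quotes)
    // write_prefix: allowed key prefix for PutObject (substituted inside quotes)
    // read_prefix : allowed key prefix for GetObject (substituted inside quotes)
    // list_prefix : JSON string or JSON array of strings of prefixes allowed
    //               for ListBucket (substituted WITHOUT surrounding quotes)
    // iam_profile_arn : comma separated list of quoted ARNs for cluster node roles
    //                   (substituted without surrounding quotes)
    // vpc_region : region for the VPC to start instances in
    // vpc_account_id : account id for the VPC to start instances in
    // vpc_allowed_subnet_arns : comma separated list of quoted subnet ARNs to start instances in
    // vpc_allowed_instance_arns : comma separated list of quoted AMI ARNs to allow for instances
    // kms_allowed_keypair_arns : comma separated list of quoted KMS key ARNs to allow instance access
    //
    "Version": "2012-10-17",
    "Statement": [

        ///////////////////////////////////////////////////////////////////////////
        // OPTIONAL S3 IAM Limits
        //
        // IMPORTANT: 1) prefix lists should always consist of pairs of [path, path/*], ex.:
        //               cluster_init_pair = ["my_locker/cluster-init", "my_locker/cluster-init/*"]
        //
        //               Full locker access might be:
        //               bucket = "com.my_company.my_locker"
        //               ["my_locker/blackboard", "my_locker/blackboard/*",
        //                "my_locker/cluster-init", "my_locker/cluster-init/*",
        //                "my_locker/chef", "my_locker/chef/*",
        //                "my_locker/projects", "my_locker/projects/*"]
        //
        //            2) if locking down S3 access, don't forget to add access to the
        //               common-chef-repo bucket and prefix
        //
        //            3) pogo generally requires HEAD access to the bucket (you can disable this
        //               but it puts regionalization questions onto the user)
        //
        //
        // Optional : Allow bucket-level access to HEAD (Get-Location and other metadata)
        // - The Null condition restricts this ListBucket grant to requests that carry
        //   no prefix; prefixed listing is granted separately below.
        // - IAM condition values are strings, so the Null test is written as "true".
        {
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "%{bucket}s",
                "%{bucket}s/*"
            ],
            "Condition": {
                "Null": { "s3:prefix": "true" }
            }
        },
        // Optional : Limit S3 Write Access to specific prefixes
        {
            "Action": [
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource":  [ "%{bucket}s/%{write_prefix}s" ] // Can be a list of prefixes
        },
        // Optional : Limit S3 Read Access to specific prefixes
        {
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource":  [ "%{bucket}s/%{read_prefix}s" ] // Can be a list of prefixes
        },
        // Optional : Limit S3 List Access to specific prefixes
        // - list_prefix is substituted unquoted: pass either a JSON string ("a/*")
        //   or a JSON array of strings (["a/*", "b/*"]).
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [ "%{bucket}s" ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": %{list_prefix}s
                }
            }
        },
        //
        // END OPTIONAL S3 IAM Limits
        ///////////////////////////////////////////////////////////////////////////


        ///////////////////////////////////////////////////////////////////////////
        // IAM Pass Role
        //
        // - iam:PassRole is evaluated against ROLE ARNs (arn:aws:iam::<account>:role/<name>),
        //   not instance-profile ARNs; list the roles the cluster nodes will assume.
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [ %{iam_profile_arn}s ]
        },
        // Lets EC2 create the Spot service-linked role the first time Spot is used;
        // the Condition pins the grant to that one service.
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "spot.amazonaws.com"
                }
            }
        },


        ///////////////////////////////////////////////////////////////////////////
        // EC2 Access Limits
        //

        // ACCOUNT-LEVEL CAPABILITIES
        // - The reason to limit these is that they cannot be effectively limited by
        //   Condition or Resource
        // - (some of these can be removed if features are not required)
        //
        // RECOMMENDED CAPABILITIES
        // - ec2:CreateSecurityGroup is granted in the MINIMAL set below and is not repeated here.
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AllocateAddress",
                "ec2:AssignPrivateIpAddresses",
                "ec2:AssociateAddress",
                "ec2:AttachNetworkInterface",
                "ec2:AttachVolume",
                "ec2:CreateNetworkInterface",
                "ec2:CreatePlacementGroup",
                "ec2:CreateVolume",
                "ec2:DeleteVolume",
                "ec2:DetachVolume",
                "ec2:DisassociateAddress",
                "ec2:GetPasswordData",
                "ec2:ReleaseAddress",
                "ec2:RequestSpotInstances"
            ],
            "Resource": "*"
        },
        // MINIMAL CAPABILITIES
        // - Mostly read-only Describe* calls plus tagging and security-group creation.
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CancelSpotInstanceRequests",
                "ec2:ConfirmProductInstance",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeImages",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstances",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeRegions",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSpotDatafeedSubscription",
                "ec2:DescribeSpotInstanceRequests",
                "ec2:DescribeSpotPriceHistory",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVolumeAttribute",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeVolumes",
                "ec2:ModifyInstanceAttribute"
            ],
            "Resource": "*"
        },


        // INSTANCE ACTIONS
        // - Limit to instances started by a CC
        // - ec2:ResourceTag is checked on the resource each call acts on, so for the
        //   *SecurityGroup* actions the CycleOwner tag must be present on the security
        //   group itself, not only on the instances.
        {
            "Action": [
                "ec2:RebootInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/CycleOwner": "*@*"
                }
            }
        },


        // START INSTANCE ACTION
        // - Resource lock-down level is up to the end user, this shows about the max. lock-down
        // - The three list args are substituted unquoted; the last one must not leave
        //   a trailing comma behind once the comments are stripped.
        {
            "Action": [
                "ec2:RunInstances"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:ec2:%{vpc_region}s:%{vpc_account_id}s:instance/*",
                "arn:aws:ec2:%{vpc_region}s:%{vpc_account_id}s:network-interface/*",
                "arn:aws:ec2:%{vpc_region}s:%{vpc_account_id}s:volume/*",
                "arn:aws:ec2:%{vpc_region}s:%{vpc_account_id}s:security-group/*",
                %{vpc_allowed_subnet_arns}s,
                %{vpc_allowed_instance_arns}s,
                %{kms_allowed_keypair_arns}s
            ]
        }
    ]
}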