AWS IAM User Account Permissions

Simon_Macpherso — Mon, 24 Jul 2023 05:20:58 GMT

Hello,

What are the minimum AWS IAM user account permissions required for deploying a single gateway and cluster via Terraform?

Regards,

Simon

Re: AWS IAM User Account Permissions

Roman_Kats — Mon, 24 Jul 2023 15:33:13 GMT

Hello Simon,
While we are working to prepare the detailed minimum required permissions for IAM user in general there should be

For Gateway:
1. Read + Write permissions for EC2

2. Read + Write permissions for VPC

3. Read permissions for S3

For Cluster:
1. Read + Write permissions for EC2

2. Read + Write permissions for VPC

3. Read + Write permissions for IAM

4. Read permissions for S3

Re: AWS IAM User Account Permissions

Simon_Macpherso — Mon, 24 Jul 2023 23:54:34 GMT

Hi @Roman_Kats

Once created, can you please post the location to the reference document where the minimum required permissions for an IAM user will been outlined.

Regards,

Simon

Re: AWS IAM User Account Permissions

Roman_Kats — Tue, 25 Jul 2023 09:19:48 GMT

@Simon_Macpherso
Yes, I will

Re: AWS IAM User Account Permissions

Simon_Macpherso — Fri, 15 Sep 2023 05:53:29 GMT

@Roman_Kats Any update?

Re: AWS IAM User Account Permissions

yizhako — Sun, 12 Nov 2023 15:05:27 GMT

Hello Simon,

Apologies for the delayed response.

The minimum AWS IAM user account permissions required for deploying a single gateway and cluster using Terraform are (attached are the Permissions policies JSON files for each deployment):

Template	Premmision
cluster-master	ec2:DescribeTags ec2:ReleaseAddress ec2:DescribeInstanceAttribute ec2:DeleteSecurityGroup ec2:DescribeInstances ec2:DescribeVpcs ec2:DescribeRouteTables ec2:CreateLocalGatewayRouteTable ec2:TerminateInstances ec2:CreateTags ec2:DescribeVolumes ec2:ModifyNetworkInterfaceAttribute ec2:DetachInternetGateway ec2:DisassociateAddress ec2:CreateInternetGateway ec2:DeleteVpc ec2:DeleteInternetGateway ec2:AttachInternetGateway ec2:DescribeInternetGateways ec2:ModifySubnetAttribute ec2:RevokeSecurityGroupEgress ec2:DeleteNetworkInterface ec2:DescribeInstanceTypes ec2:DescribeVpcClassicLinkDnsSupport ec2:RunInstances ec2:DeleteRouteTable ec2:DeleteSubnet ec2:ModifyVpcAttribute ec2:AssociateRouteTable ec2:DescribeAvailabilityZones ec2:AuthorizeSecurityGroupIngress ec2:CreateRoute ec2:AssociateAddress ec2:DescribeSubnets ec2:DescribeVpcClassicLink ec2:CreateSubnet ec2:DetachNetworkInterface ec2:CreateSecurityGroup ec2:DescribeAddresses ec2:DescribeVpcAttribute ec2:DisassociateRouteTable ec2:DescribeSecurityGroups ec2:DescribeRegions ec2:DeleteRoute ec2:DescribeKeyPairs ec2:DescribeNetworkAcls ec2:AttachNetworkInterface ec2:CreateNetworkInterface ec2:AuthorizeSecurityGroupEgress ec2:CreateVpc ec2:AllocateAddress ec2:CreateRouteTable ec2:DescribeAccountAttributes ec2:DescribeNetworkInterfaces cloudformation:DescribeStacks cloudformation:DeleteStack cloudformation:ValidateTemplate cloudformation:CreateStack cloudformation:ListStackResources iam:ListInstanceProfilesForRole iam:AttachRolePolicy iam:DeletePolicy iam:DetachRolePolicy iam:GetPolicy iam:DeleteRole iam:GetInstanceProfile iam:ListRolePolicies iam:CreatePolicy iam:PutRolePolicy iam:CreateRole iam:CreateInstanceProfile iam:GetPolicyVersion iam:DeleteInstanceProfile iam:GetRole iam:DeleteRolePolicy iam:PassRole iam:AddRoleToInstanceProfile iam:ListAttachedRolePolicies iam:ListPolicyVersions iam:RemoveRoleFromInstanceProfile
cluster	ec2:DisassociateRouteTable ec2:CreateTags ec2:DeleteSecurityGroup ec2:ModifyNetworkInterfaceAttribute ec2:DescribeVpcs ec2:AssociateRouteTable ec2:DeleteNetworkInterface ec2:DeleteRoute ec2:RevokeSecurityGroupEgress ec2:AssociateAddress ec2:AllocateAddress ec2:AuthorizeSecurityGroupIngress ec2:DisassociateAddress ec2:DescribeVolumes ec2:DescribeInstances ec2:DescribeAddresses ec2:DescribeInstanceAttribute ec2:AuthorizeSecurityGroupEgress ec2:CreateRoute ec2:DescribeTags ec2:DescribeKeyPairs ec2:DetachNetworkInterface ec2:DescribeInstanceTypes ec2:CreateSecurityGroup ec2:ReleaseAddress ec2:RunInstances ec2:DescribeRouteTables ec2:DescribeSecurityGroups ec2:CreateNetworkInterface ec2:DescribeNetworkInterfaces ec2:TerminateInstances ec2:DescribeSubnets iam:ListAttachedRolePolicies iam:AddRoleToInstanceProfile iam:DeleteInstanceProfile iam:CreateRole iam:CreatePolicy iam:GetRole iam:GetInstanceProfile iam:DeletePolicy iam:ListRolePolicies iam:DeleteRole iam:ListPolicyVersions iam:PutRolePolicy iam:DetachRolePolicy iam:DeleteRolePolicy iam:CreateInstanceProfile iam:GetPolicyVersion iam:AttachRolePolicy iam:RemoveRoleFromInstanceProfile iam:ListInstanceProfilesForRole iam:GetPolicy iam:PassRole cloudformation:ListStackResources cloudformation:CreateStack cloudformation:DescribeStacks cloudformation:DeleteStack cloudformation:ValidateTemplate
gateway-master	ec2:DisassociateRouteTable ec2:CreateTags ec2:CreateSubnet ec2:DeleteSecurityGroup ec2:ModifyNetworkInterfaceAttribute ec2:AssociateRouteTable ec2:AttachInternetGateway ec2:DescribeVpcs ec2:CreateInternetGateway ec2:DeleteNetworkInterface ec2:DeleteRoute ec2:CreateLocalGatewayRouteTable ec2:RevokeSecurityGroupEgress ec2:AssociateAddress ec2:DescribeNetworkAcls ec2:AllocateAddress ec2:AuthorizeSecurityGroupIngress ec2:DeleteVpc ec2:DisassociateAddress ec2:DescribeAvailabilityZones ec2:DescribeVolumes ec2:DescribeInstances ec2:DescribeAddresses ec2:DescribeInternetGateways ec2:DescribeInstanceAttribute ec2:CreateVpc ec2:DeleteVolume ec2:AuthorizeSecurityGroupEgress ec2:ModifyVpcAttribute ec2:CreateRoute ec2:DescribeTags ec2:AttachNetworkInterface ec2:DescribeRegions ec2:DescribeKeyPairs ec2:DeleteSubnet ec2:DetachNetworkInterface ec2:DescribeInstanceTypes ec2:DescribeVpcClassicLinkDnsSupport ec2:DescribeAccountAttributes ec2:DeleteRouteTable ec2:CreateSecurityGroup ec2:ReleaseAddress ec2:RunInstances ec2:DescribeVpcClassicLink ec2:CreateRouteTable ec2:DescribeRouteTables ec2:DescribeSecurityGroups ec2:DetachInternetGateway ec2:CreateNetworkInterface ec2:DeleteInternetGateway ec2:DescribeNetworkInterfaces ec2:DescribeVpcAttribute ec2:TerminateInstances ec2:DescribeSubnets ec2:ModifySubnetAttribute iam:AddRoleToInstanceProfile iam:DeleteInstanceProfile iam:CreateRole iam:GetRole iam:DeleteRole iam:PutRolePolicy iam:DeleteRolePolicy iam:CreateInstanceProfile iam:RemoveRoleFromInstanceProfile cloudformation:ListStackResources cloudformation:CreateStack cloudformation:DescribeStacks cloudformation:DeleteStack cloudformation:ValidateTemplate
gateway	ec2:CreateTags ec2:DeleteSecurityGroup ec2:ModifyNetworkInterfaceAttribute ec2:DescribeVpcs ec2:DeleteNetworkInterface ec2:DeleteRoute ec2:RevokeSecurityGroupEgress ec2:AssociateAddress ec2:AllocateAddress ec2:AuthorizeSecurityGroupIngress ec2:DisassociateAddress ec2:DescribeVolumes ec2:DescribeInstances ec2:DescribeAddresses ec2:DescribeInstanceAttribute ec2:AuthorizeSecurityGroupEgress ec2:CreateRoute ec2:DescribeTags ec2:DescribeKeyPairs ec2:DetachNetworkInterface ec2:DescribeInstanceTypes ec2:CreateSecurityGroup ec2:ReleaseAddress ec2:RunInstances ec2:DescribeRouteTables ec2:DescribeSecurityGroups ec2:CreateNetworkInterface ec2:DescribeNetworkInterfaces ec2:TerminateInstances ec2:DescribeSubnets iam:AddRoleToInstanceProfile iam:DeleteInstanceProfile iam:CreateRole iam:DeleteRole iam:PutRolePolicy iam:DeleteRolePolicy iam:CreateInstanceProfile iam:RemoveRoleFromInstanceProfile cloudformation:ListStackResources cloudformation:CreateStack cloudformation:DescribeStacks cloudformation:DeleteStack cloudformation:ValidateTemplate

Regards,

Yizhak O.

Re: AWS IAM User Account Permissions

Simon_Macpherso — Tue, 14 Nov 2023 06:26:25 GMT

Thanks Yizhak O.

topic Re: AWS IAM User Account Permissions in Cloud Firewall

AWS IAM User Account Permissions

Re: AWS IAM User Account Permissions

Re: AWS IAM User Account Permissions

Re: AWS IAM User Account Permissions

Re: AWS IAM User Account Permissions

Re: AWS IAM User Account Permissions

Re: AWS IAM User Account Permissions