amazon-ec2salt-projectsalt-cloud

AWS IAM Policy to give to salt-cloud user


When creating a IAM user for salt-cloud, what are the minimum rights to give it so that it can do its job following the principle of least privilege?

I just need to create EC2 instances, using a map file: however I don't know enough salt-cloud to be sure of the actual operations it performs.

I would prefer to use a predefined policy, if it exists.


Solution

  • I was curious about this myself so took a look in the salt-cloud source (salt/cloud/clouds/ec2.py). Interestingly they don't use the boto library to make calls to AWS, opting instead to carve the requests themselves and the way they've done it makes it really easy to extract the actions that you'd need to have permissions for.

    This one-liner pulls out all the actions

    grep "'Action':" cloud/clouds/ec2.py | awk '{print $4;}' | sed "s/[},']//g" | sort | uniq
    

    As you can see it's a fairly substantial subset of all the available EC2 permissions.

    AllocateAddress
    AssociateAddress
    AttachVolume
    CancelSpotInstanceRequests
    CopySnapshot
    CreateKeyPair
    CreateSnapshot
    CreateTags
    CreateVolume
    DeleteKeyPair
    DeleteSnapshot
    DeleteTags
    DeleteVolume
    DescribeAvailabilityZones
    DescribeImages
    DescribeInstanceAttribute
    DescribeInstanceTypes
    DescribeInstances
    DescribeKeyPairs
    DescribeRegions
    DescribeSnapshots
    DescribeSpotInstanceRequests
    DescribeSubnets
    DescribeTags
    DescribeVolumes
    DescribeZones
    DetachVolume
    GetConsoleOutput
    GetPasswordData
    ImportKeyPair
    ModifyInstanceAttribute
    ModifyNetworkInterfaceAttribute
    RebootInstance
    RebootInstances
    RegisterImage
    RequestSpotInstances
    RunInstances
    StartInstance
    StartInstances
    StopInstances
    TerminateInstances   
    

    Naturally you could use salt to create an IAM profile for you with these ;)