When creating an IAM user for salt-cloud, what are the minimum rights to give it so that it can do its job following the principle of least privilege?
I just need to create EC2 instances, using a map file; however, I don't know enough about salt-cloud to be sure of the actual operations it performs.
I would prefer to use a predefined policy, if it exists.
I was curious about this myself so I took a look in the salt-cloud source (salt/cloud/clouds/ec2.py). Interestingly they don't use the boto library to make calls to AWS, opting instead to carve the requests themselves, and the way they've done it makes it really easy to extract the actions that you'd need to have permissions for.
This one-liner pulls out all the actions:
grep "'Action':" cloud/clouds/ec2.py | awk '{print $4;}' | sed "s/[},']//g" | sort | uniq
As you can see it's a fairly substantial subset of all the available EC2 permissions.
AllocateAddress
AssociateAddress
AttachVolume
CancelSpotInstanceRequests
CopySnapshot
CreateKeyPair
CreateSnapshot
CreateTags
CreateVolume
DeleteKeyPair
DeleteSnapshot
DeleteTags
DeleteVolume
DescribeAvailabilityZones
DescribeImages
DescribeInstanceAttribute
DescribeInstanceTypes
DescribeInstances
DescribeKeyPairs
DescribeRegions
DescribeSnapshots
DescribeSpotInstanceRequests
DescribeSubnets
DescribeTags
DescribeVolumes
DescribeZones
DetachVolume
GetConsoleOutput
GetPasswordData
ImportKeyPair
ModifyInstanceAttribute
ModifyNetworkInterfaceAttribute
RebootInstance
RebootInstances
RegisterImage
RequestSpotInstances
RunInstances
StartInstance
StartInstances
StopInstances
TerminateInstances
Naturally you could use salt to create an IAM profile for you with these ;)
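To turn the extracted action names into an actual IAM policy document, here is an added example (not from the original answer or from the Salt project): it reproduces the grep/awk/sed extraction in Python and emits a policy with read-only (Describe*/Get*) and mutating actions in separate statements, so the mutating set is easy to review. SAMPLE_SOURCE is a constructed stand-in for ec2.py; point extract_actions at the real file to get the full list. Resource is "*" because EC2 Describe* calls do not support resource-level permissions; the write statement is the one to tighten further with Conditions (e.g. tags or region) if your map file allows it.

```python
import json
import re

# Constructed snippet in the style of salt's ec2.py, where every request
# carries an explicit 'Action' parameter (sample text, not the real file).
SAMPLE_SOURCE = """
params = {'Action': 'DescribeInstances'}
params = {'Action': 'RunInstances', 'ImageId': image_id}
params = {'Action': 'CreateTags'}
params = {'Action': 'DescribeInstances'}
params = {'Action': 'TerminateInstances'}
"""

# Same thing the grep/awk/sed pipeline matches: the quoted value after 'Action':
ACTION_RE = re.compile(r"'Action':\s*'([A-Za-z]+)'")


def extract_actions(source: str) -> list[str]:
    """Unique EC2 action names found in the source text, sorted (like sort | uniq)."""
    return sorted(set(ACTION_RE.findall(source)))


def build_policy(actions: list[str], service: str = "ec2") -> dict:
    """Build a least-privilege IAM policy document from the extracted actions.

    Read-only calls (Describe*/Get*) and mutating calls are split into two
    statements so the mutating set can be reviewed and restricted on its own.
    """
    read = [a for a in actions if a.startswith(("Describe", "Get"))]
    write = [a for a in actions if a not in read]
    statements = []
    if read:
        statements.append({"Sid": "SaltCloudRead", "Effect": "Allow",
                           "Action": [f"{service}:{a}" for a in read],
                           "Resource": "*"})
    if write:
        statements.append({"Sid": "SaltCloudWrite", "Effect": "Allow",
                           "Action": [f"{service}:{a}" for a in write],
                           "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    # Swap SAMPLE_SOURCE for open("salt/cloud/clouds/ec2.py").read() for real use.
    print(json.dumps(build_policy(extract_actions(SAMPLE_SOURCE)), indent=2))
```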