Hello, as AWS account holder, if I want to allow a user to run a flight template through Cloud Formation, what would be the minimal set of privileges? I created an account which can do that but I ended up with all sorts of things that I had to add. Thank you for sharing your wisdom! : )
Flight Compute Solo needs to create a comprehensive set of resources and, as you’ve discovered, you’ll need to add actions to create and manipulate many types of resource to allow a non-root or administrative user to launch (and subsequently terminate!) a cluster.
For reference, here is the list of actions that are needed within an IAM policy to allow a user to launch a Flight Compute cluster using the AWS CLI tool:
autoscaling:CreateAutoScalingGroup
autoscaling:CreateLaunchConfiguration
autoscaling:DeleteAutoScalingGroup
autoscaling:DeleteLaunchConfiguration
autoscaling:DescribeAutoScalingGroups
autoscaling:DescribeLaunchConfigurations
autoscaling:UpdateAutoScalingGroup
cloudformation:CreateStack
cloudformation:DeleteStack
ec2:AssociateDhcpOptions
ec2:AssociateRouteTable
ec2:AttachInternetGateway
ec2:AuthorizeSecurityGroupEgress
ec2:AuthorizeSecurityGroupIngress
ec2:CreateDhcpOptions
ec2:CreateInternetGateway
ec2:CreateNetworkAcl
ec2:CreateNetworkAclEntry
ec2:CreatePlacementGroup
ec2:CreateRoute
ec2:CreateRouteTable
ec2:CreateSecurityGroup
ec2:CreateSubnet
ec2:CreateTags
ec2:CreateVpc
ec2:DeleteDhcpOptions
ec2:DeleteInternetGateway
ec2:DeleteNetworkAcl
ec2:DeleteNetworkAclEntry
ec2:DeletePlacementGroup
ec2:DeleteRoute
ec2:DeleteRouteTable
ec2:DeleteSecurityGroup
ec2:DeleteSubnet
ec2:DeleteVpc
ec2:DescribeDhcpOptions
ec2:DescribeInstances
ec2:DescribeInternetGateways
ec2:DescribeKeyPairs
ec2:DescribeNetworkAcls
ec2:DescribePlacementGroups
ec2:DescribeRouteTables
ec2:DescribeRoutes
ec2:DescribeSecurityGroups
ec2:DescribeSubnets
ec2:DescribeVpcs
ec2:DetachInternetGateway
ec2:DisassociateRouteTable
ec2:ModifyInstanceAttribute
ec2:ModifyVpcAttribute
ec2:ReplaceNetworkAclAssociation
ec2:RevokeSecurityGroupEgress
ec2:RunInstances
ec2:TerminateInstances
iam:AddRoleToInstanceProfile
iam:CreateInstanceProfile
iam:CreateRole
iam:DeleteInstanceProfile
iam:DeleteRole
iam:DeleteRolePolicy
iam:PassRole
iam:PutRolePolicy
iam:RemoveRoleFromInstanceProfile
s3:GetObject
Note that the majority of these actions do not support resource-level permissions so may allow the user to create more resources than you intend! We’d recommend that you refer to the AWS IAM documentation for more details.
Thank you and yes, I’m aware of that. I’m thinking about some sort of proxy mechanism using which a user can trigger an action through e.g. a lambda which will have all the required privileges.
I had to supplement your list with a few actions in order to be able to create a stack, but it essentially works. I was even able to create my first lambda which creates a stack.
However, the deletion is not clean, and since I can delete cleanly with my other account, the reason must be the set of privileges, but I can’t figure out what exactly. Any ideas?
The following resource(s) failed to delete: [PlacementGroup, FlightComputeGroup, ComputeGroupConfig].
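The broker pattern described above (a Lambda whose execution role carries the launch permissions, invoked by a user who only needs lambda:InvokeFunction) as an added example; this is not code from this thread or from Flight Compute. The template URL, stack-name pattern, parameter names and the CAPABILITY_NAMED_IAM requirement are assumed placeholders, and the CloudFormation client is injectable so the validation logic can be exercised offline.

```python
"""Broker Lambda: callers never hold the broad, non-resource-scoped EC2/IAM
actions themselves. Pinning the template URL, stack-name prefix and
parameter names means the role's permissions can only be spent on the
intended stack, which addresses the caveat that most of those actions
cannot be restricted at the resource level."""
import re

# Assumed placeholders for this example; substitute your own values.
ALLOWED_TEMPLATES = {
    "solo": "https://s3.amazonaws.com/EXAMPLE-BUCKET/flight-compute-solo.yaml",
}
STACK_NAME_RE = re.compile(r"^flight-[a-z0-9-]{1,40}$")
ALLOWED_PARAMS = {"ClusterName", "KeyPair", "ComputeNodeCount"}


def build_request(event):
    """Validate the caller's event and turn it into create_stack kwargs.
    Anything outside the allowed envelope raises ValueError."""
    template = ALLOWED_TEMPLATES.get(event.get("template"))
    if template is None:
        raise ValueError("unknown template")
    name = event.get("stack_name", "")
    if not STACK_NAME_RE.match(name):
        raise ValueError("bad stack name")
    params = event.get("parameters", {})
    bad = set(params) - ALLOWED_PARAMS
    if bad:
        raise ValueError("parameters not permitted: %s" % sorted(bad))
    return {
        "StackName": name,
        "TemplateURL": template,
        "Parameters": [{"ParameterKey": k, "ParameterValue": str(v)}
                       for k, v in sorted(params.items())],
        # Assumed: the template creates IAM roles, so a capability is needed.
        "Capabilities": ["CAPABILITY_NAMED_IAM"],
        "Tags": [{"Key": "LaunchedBy", "Value": "flight-broker"}],
    }


def handler(event, context, cfn=None):
    """Lambda entry point. `cfn` is injectable for offline tests; in Lambda
    it defaults to a boto3 CloudFormation client."""
    if cfn is None:
        import boto3  # present in the Lambda Python runtime
        cfn = boto3.client("cloudformation")
    action = event.get("action")
    if action == "create":
        resp = cfn.create_stack(**build_request(event))
        return {"stack_id": resp["StackId"]}
    if action == "delete":
        name = event.get("stack_name", "")
        if not STACK_NAME_RE.match(name):  # deletion is restricted to broker stacks
            raise ValueError("bad stack name")
        cfn.delete_stack(StackName=name)
        return {"deleted": name}
    raise ValueError("unknown action")
```

The Lambda's execution role still needs the action list from the reply above, but the IAM user invoking it needs only lambda:InvokeFunction on this one function.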
It looks like
was missing for clean deletion. I’ve also added these, but they may be needed just for console access:
cloudformation:ListStacks
cloudformation:GetTemplateSummary
cloudformation:DescribeStackEvents
SNS:ListTopics