Minimal set of privileges to run Flight template


#1

Hello, as AWS account holder, if I want to allow a user to run a flight template through Cloud Formation, what would be the minimal set of privileges? I created an account which can do that but I ended up with all sorts of things that I had to add. Thank you for sharing your wisdom! : )


#2

Hi @ink,

Flight Compute Solo needs to create a comprehensive set of resources and, as you’ve discovered, you’ll need to add actions to create and manipulate many types of resource to allow a non-root or administrative user to launch (and subsequently terminate!) a cluster.

For reference, here is the list of actions that are needed within an IAM policy to allow a user to launch a Flight Compute cluster using the AWS CLI tool:

autoscaling:CreateAutoScalingGroup
autoscaling:CreateLaunchConfiguration
autoscaling:DeleteAutoScalingGroup
autoscaling:DeleteLaunchConfiguration
autoscaling:DescribeAutoScalingGroups
autoscaling:DescribeLaunchConfigurations
autoscaling:UpdateAutoScalingGroup
cloudformation:CreateStack
cloudformation:DeleteStack
ec2:AssociateDhcpOptions
ec2:AssociateRouteTable
ec2:AttachInternetGateway
ec2:AuthorizeSecurityGroupEgress
ec2:AuthorizeSecurityGroupIngress
ec2:CreateDhcpOptions
ec2:CreateInternetGateway
ec2:CreateNetworkAcl
ec2:CreateNetworkAclEntry
ec2:CreatePlacementGroup
ec2:CreateRoute
ec2:CreateRouteTable
ec2:CreateSecurityGroup
ec2:CreateSubnet
ec2:CreateTags
ec2:CreateVpc
ec2:DeleteDhcpOptions
ec2:DeleteInternetGateway
ec2:DeleteNetworkAcl
ec2:DeleteNetworkAclEntry
ec2:DeletePlacementGroup
ec2:DeleteRoute
ec2:DeleteRouteTable
ec2:DeleteSecurityGroup
ec2:DeleteSubnet
ec2:DeleteVpc
ec2:DescribeDhcpOptions
ec2:DescribeInstances
ec2:DescribeInternetGateways
ec2:DescribeKeyPairs
ec2:DescribeNetworkAcls
ec2:DescribePlacementGroups
ec2:DescribeRouteTables
ec2:DescribeRoutes
ec2:DescribeSecurityGroups
ec2:DescribeSubnets
ec2:DescribeVpcs
ec2:DetachInternetGateway
ec2:DisassociateRouteTable
ec2:ModifyInstanceAttribute
ec2:ModifyVpcAttribute
ec2:ReplaceNetworkAclAssociation
ec2:RevokeSecurityGroupEgress
ec2:RunInstances
ec2:TerminateInstances
iam:AddRoleToInstanceProfile
iam:CreateInstanceProfile
iam:CreateRole
iam:DeleteInstanceProfile
iam:DeleteRole
iam:DeleteRolePolicy
iam:PassRole
iam:PutRolePolicy
iam:RemoveRoleFromInstanceProfile
s3:GetObject

Note that the majority of these actions do not support resource-level permissions so may allow the user to create more resources than you intend! We’d recommend that you refer to the AWS IAM documentation for more details.


#3

Thank you and yes, I’m aware of that. I’m thinking about some sort of proxy mechanism using which a user can trigger an action through e.g. a lambda which will have all the required privileges.


#4

I had to supplement your list with a few actions in order to be able to create a stack, but it works essentially. I was even able to create my first lambda which creates a stack.
However the deletion is not clean and since I can delete cleanly with my other account the reason must be with the set of privileges but I can’t figure out what exactly. Any ideas?

The following resource(s) failed to delete: [PlacementGroup, FlightComputeGroup, ComputeGroupConfig].

#5

It looks like

autoscaling:DescribeScalingActivities

was missing for clean deletion. I’ve also added these, but they may be needed just for console access:

cloudformation:ListStacks
cloudformation:GetTemplateSummary
cloudformation:DescribeStackEvents
SNS:ListTopics
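The policy the two replies above add up to, written out as an added example for this thread (it is not code from Alces Flight or from the posters): it assembles an IAM policy from the action list in the earlier reply plus the additions reported later, scopes the few listed actions that accept a resource ARN (iam:PassRole on a role ARN, cloudformation:CreateStack/DeleteStack on a stack ARN, s3:GetObject on an object ARN), checks the result against the IAM size limits, and includes a local check that reports which required actions a given policy lacks, which is the diagnostic that would have pointed at the missing autoscaling:DescribeScalingActivities. The account ID 123456789012, the flight-* stack and role naming and the bucket example-flight-templates are assumptions for illustration; policy_allows is a deliberately simplified evaluator (Allow statements only, no Deny, Condition or NotAction), not IAM's.

```python
"""IAM policy for launching a Flight Compute cluster via CloudFormation: build it from
the action lists posted in this thread and sanity-check it. Added example, not code from
Alces Flight or the posters. Account ID, the flight-* stack/role naming and the template
bucket are assumptions that show where resource-level scoping is possible."""
import fnmatch
import json

# Actions from the reply above (needed to launch and terminate a cluster), copied as posted.
LAUNCH_ACTIONS = [
    "autoscaling:CreateAutoScalingGroup", "autoscaling:CreateLaunchConfiguration",
    "autoscaling:DeleteAutoScalingGroup", "autoscaling:DeleteLaunchConfiguration",
    "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations",
    "autoscaling:UpdateAutoScalingGroup", "cloudformation:CreateStack", "cloudformation:DeleteStack",
    "ec2:AssociateDhcpOptions", "ec2:AssociateRouteTable", "ec2:AttachInternetGateway",
    "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateDhcpOptions",
    "ec2:CreateInternetGateway", "ec2:CreateNetworkAcl", "ec2:CreateNetworkAclEntry",
    "ec2:CreatePlacementGroup", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:CreateSecurityGroup",
    "ec2:CreateSubnet", "ec2:CreateTags", "ec2:CreateVpc", "ec2:DeleteDhcpOptions",
    "ec2:DeleteInternetGateway", "ec2:DeleteNetworkAcl", "ec2:DeleteNetworkAclEntry",
    "ec2:DeletePlacementGroup", "ec2:DeleteRoute", "ec2:DeleteRouteTable", "ec2:DeleteSecurityGroup",
    "ec2:DeleteSubnet", "ec2:DeleteVpc", "ec2:DescribeDhcpOptions", "ec2:DescribeInstances",
    "ec2:DescribeInternetGateways", "ec2:DescribeKeyPairs", "ec2:DescribeNetworkAcls",
    "ec2:DescribePlacementGroups", "ec2:DescribeRouteTables", "ec2:DescribeRoutes",
    "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DetachInternetGateway",
    "ec2:DisassociateRouteTable", "ec2:ModifyInstanceAttribute", "ec2:ModifyVpcAttribute",
    "ec2:ReplaceNetworkAclAssociation", "ec2:RevokeSecurityGroupEgress", "ec2:RunInstances",
    "ec2:TerminateInstances", "iam:AddRoleToInstanceProfile", "iam:CreateInstanceProfile",
    "iam:CreateRole", "iam:DeleteInstanceProfile", "iam:DeleteRole", "iam:DeleteRolePolicy",
    "iam:PassRole", "iam:PutRolePolicy", "iam:RemoveRoleFromInstanceProfile", "s3:GetObject",
]

# Actions reported later in the thread: the first was missing for clean deletion, the rest
# may be needed only for console access. Posted as SNS:ListTopics; IAM matches action names
# case-insensitively, so the casing of the service prefix does not matter.
EXTRA_ACTIONS = [
    "autoscaling:DescribeScalingActivities", "cloudformation:ListStacks",
    "cloudformation:GetTemplateSummary", "cloudformation:DescribeStackEvents", "sns:ListTopics",
]

MANAGED_POLICY_LIMIT = 6144      # IAM managed-policy size limit; whitespace is not counted
INLINE_USER_POLICY_LIMIT = 2048  # limit for an inline policy attached directly to a user


def scoped_resources(account_id):
    """Assumed ARN patterns for the listed actions that take a resource ARN. Stacks are
    assumed to be named flight-*; CloudFormation names the roles it creates
    {StackName}-{LogicalId}-{random}, so role/flight-* covers them."""
    stack_arn = f"arn:aws:cloudformation:*:{account_id}:stack/flight-*/*"
    return {
        "iam:PassRole": f"arn:aws:iam::{account_id}:role/flight-*",
        "cloudformation:CreateStack": stack_arn,
        "cloudformation:DeleteStack": stack_arn,
        "s3:GetObject": "arn:aws:s3:::example-flight-templates/*",  # assumed template bucket
    }


def build_policy(account_id, actions):
    """One Allow statement per scoped resource, then one Resource "*" statement for the rest."""
    scoped, by_resource, unscoped = scoped_resources(account_id), {}, []
    for action in actions:
        if action in scoped:
            by_resource.setdefault(scoped[action], []).append(action)
        else:
            unscoped.append(action)
    statements = [{"Sid": f"Scoped{i}", "Effect": "Allow", "Action": sorted(acts), "Resource": res}
                  for i, (res, acts) in enumerate(sorted(by_resource.items()))]
    statements.append({"Sid": "Unscoped", "Effect": "Allow", "Action": sorted(unscoped),
                       "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def policy_allows(policy, action, resource=None):
    """Simplified local check: Allow statements only (no Deny, Condition or NotAction).
    Actions match case-insensitively with * and ? wildcards; resource=None means
    "allowed on at least one resource". Use the IAM policy simulator for a real answer."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        if resource is None or any(r == "*" or fnmatch.fnmatchcase(resource, r) for r in resources):
            return True
    return False


def missing_actions(policy, required):
    """Required actions that the policy grants on no resource at all."""
    return sorted(a for a in required if not policy_allows(policy, a))


def policy_size(policy):
    """Characters IAM counts against the size limits (whitespace excluded)."""
    return len(json.dumps(policy, separators=(",", ":")))


if __name__ == "__main__":
    account = "123456789012"  # assumed account ID
    first = build_policy(account, LAUNCH_ACTIONS)
    full = build_policy(account, LAUNCH_ACTIONS + EXTRA_ACTIONS)
    print("first list lacks:", missing_actions(first, EXTRA_ACTIONS))
    size = policy_size(full)
    print(f"{size} chars: managed policy {'ok' if size <= MANAGED_POLICY_LIMIT else 'too big'},"
          f" inline user policy {'ok' if size <= INLINE_USER_POLICY_LIMIT else 'too big'}")
    print(json.dumps(full, indent=2))
```

Attach the printed document as a customer managed policy rather than an inline user policy, since the combined list is comfortably under the managed-policy limit but an inline policy on a user has a smaller one. When a launch or delete still fails, compare the AccessDenied error (or the matching CloudTrail event) against missing_actions: the policy evaluator here only tells you whether an action is present at all, so a failure on a present action points at the resource scoping, which is the case to check for iam:PassRole if your stacks or roles are not named flight-*.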