# Required Permissions
There are several steps that require a user with broad permissions. This user will be referred to throughout the documentation as the AWS Administrator. This person is commonly part of central IT at an institution.
The person running the templates must have permissions that allow them to provision the resources created by the templates. Specifically, the user must be able to:
- create EC2 cluster through ECS
- request an S3 bucket
- create EFS mounts
- set up IAM access roles
Your AWS Administrator will grant you permissions based on the information in the section "Steps the AWS Administrator needs to complete".
Reference: Configuration and credential file settings
Once the AWS Administrator grants you access, they will provide you with credentials to add to the `.aws/credentials` file. If this file doesn't exist, see the reference for the correct place to add it based on your operating system. You will need to give the credentials a profile name (e.g. `lookup-cloudformation-user`). The entry will be in the form:

```ini
[lookup-cloudformation-user]
region=us-east-1
aws_access_key_id = XXXXXXXXXXXXXXXXXXXX
aws_secret_access_key = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```

You will need to set the region to the one used by your institution.
The AWS Administrator will also provide you with:
- role-arn - the value to use for `--role-arn` when executing the commands to run the templates (e.g. `arn:aws:iam::<your_account_id>:role/lookup-mgr-role`)
The remainder of this document includes information and instructions for the AWS Administrator to create the required permissions. Provide this document to your AWS Administrator at your institution so they can grant you the permissions you will need to run the templates.
WARNING: The CloudFormation templates provided here will run perfectly when launched by a user with full admin access. It is not a security best practice to allow an admin user to run CloudFormation templates, because of the potential damage that a poorly written or malicious template can do to your account. The proper way to run CloudFormation templates is to launch them with a user that has access to the CloudFormation service, and the privilege to pass the operations through a role that CloudFormation assumes on their behalf. This role then carries the least amount of privileges necessary to create and/or destroy the resources in the template.
The following IAM policies are intended to provide information for creating a user/role with the least amount of privileges required to run the templates.
Use the web console to create an IAM user that will be used to manage the stacks for the lookup server. Click the "Add user" button and assign a name to the user (e.g. `lookup-mgr-user`). You can name this user whatever you like, but the example name `lookup-mgr-user` will be used throughout this document.
This user can be a web console user, but it is highly recommended that you create a programmatic access user for use with the AWS CLI. Click on "Next: Permissions" to continue.
Select "Attach existing policies directly" and then click "Create policy". Click the JSON tab and paste in the following policy document:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DescribeStacks",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStackEvents",
        "cloudformation:UpdateStack",
        "iam:PassRole"
      ],
      "Resource": "*"
    }
  ]
}
```
This policy will allow the user to launch, update, and delete the CloudFormation stacks that are defined by the templates in this repository. Click "Next:Tags" and then "Next:Review" to create the policy, giving the policy an appropriate name. Return to your IAM user screen and find the policy you have just created, and select it to assign the policy to your user. Then click "Next:Tags", then "Next:Review", and finally "Create user".
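The policy above grants `iam:PassRole` on every resource, which means the stack operator could hand any role in the account to CloudFormation, not just the one created for these templates. The script below is an added example (not code from this repository): it holds the page's operator policy next to a hardened variant that limits `iam:PassRole` to the service role and to the CloudFormation service, and it flags any statement that still passes roles without restriction. The account id `123456789012` and the role name `lookup-mgr-role` are placeholders, and the `iam:PassedToService` condition key is the standard IAM key for this purpose.

```python
"""Check that the stack operator's policy scopes iam:PassRole.

Added example, not code from the repository. The operator policy on this
page grants iam:PassRole on Resource "*". The hardened variant keeps the
CloudFormation actions as they are but limits PassRole to the one service
role and to the CloudFormation service. The account id 123456789012 and
the role name lookup-mgr-role are placeholders.
"""
import fnmatch
import json

# Operator policy as shown on this page.
PAGE_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStackEvents",
                "cloudformation:UpdateStack",
                "iam:PassRole",
            ],
            "Resource": "*",
        }
    ],
}

# Hardened variant: PassRole only for the service role, only to CloudFormation.
HARDENED_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStackEvents",
                "cloudformation:UpdateStack",
            ],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            # Placeholder account id and the role name used on this page.
            "Resource": "arn:aws:iam::123456789012:role/lookup-mgr-role",
            "Condition": {
                "StringEquals": {"iam:PassedToService": "cloudformation.amazonaws.com"}
            },
        },
    ],
}


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    # IAM compares action names case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def unscoped_passrole(policy):
    """Allow statements that grant iam:PassRole on every role with no Condition."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(action_matches(p, "iam:PassRole") for p in _as_list(stmt.get("Action", []))):
            continue
        resources = _as_list(stmt.get("Resource", []))
        every_role = any(r == "*" or r.endswith(":role/*") for r in resources)
        if every_role and "Condition" not in stmt:
            findings.append(stmt)
    return findings


def passrole_targets(policy):
    """Role ARNs (or wildcards) the policy lets the user pass, for review output."""
    targets = []
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and any(action_matches(p, "iam:PassRole") for p in actions):
            targets.extend(_as_list(stmt.get("Resource", [])))
    return targets


if __name__ == "__main__":
    for name, policy in (("page", PAGE_USER_POLICY), ("hardened", HARDENED_USER_POLICY)):
        print(name, "can pass:", passrole_targets(policy),
              "| unscoped PassRole statements:", len(unscoped_passrole(policy)))
    print(json.dumps(HARDENED_USER_POLICY, indent=2))
```

Running the script prints one unscoped statement for the page's policy and none for the hardened one. The CloudFormation actions are left on `Resource: "*"` because the stack names vary per template; if the AWS Administrator wants to tighten those too, the same pattern applies with a stack ARN in place of the role ARN.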
Download the access key ID and the secret access key for the user and provide them to the person who will be running the templates. They will need to update their `.aws/credentials` file to add these under a profile name (e.g. `[lookup-cloudformation-user]`).
Once the user `lookup-mgr-user` is installed in their AWS CLI tool, they should be able to launch the templates with a command resembling:

```shell
aws cloudformation create-stack --stack-name qa-server --profile lookup-mgr-user
```
However, the template will immediately fail with a permissions error, because the user does not have permissions to create any of the resources within the stacks. That is accomplished by creating a role that has all of those permissions, and the user will pass that role to the service.
Use the web console to create an IAM role that the service will assume. First, click on the "Create role" button and select "AWS Service", and from the list of services select CloudFormation. Click "Next: Permissions" and then click "Create policy". Click on the JSON tab and paste in the following policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:CreateSecurityGroup",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:DeleteSecurityGroup",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:DescribeInstances",
        "ec2:CreateNetworkInterface",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteNetworkInterfacePermission",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeNetworkInterfacePermissions",
        "ec2:DescribeNetworkInterfaceAttribute",
        "ec2:DetachNetworkInterface",
        "ecs:DescribeClusters",
        "ecs:CreateCluster",
        "ecs:DeleteCluster",
        "ecs:RegisterTaskDefinition",
        "ecs:DeregisterTaskDefinition",
        "ecs:DescribeServices",
        "ecs:CreateService",
        "ecs:DeleteService",
        "elasticfilesystem:CreateFileSystem",
        "elasticfilesystem:ModifyMountTargetSecurityGroups",
        "elasticfilesystem:DeleteFileSystem",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:CreateMountTarget",
        "elasticfilesystem:DeleteMountTarget",
        "elasticfilesystem:CreateAccessPoint",
        "elasticfilesystem:DeleteAccessPoint",
        "elasticfilesystem:DescribeMountTargets",
        "elasticfilesystem:DescribeMountTargetSecurityGroups",
        "elasticfilesystem:DescribeAccessPoints",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:CreateLoadBalancer",
        "elasticloadbalancing:DeleteLoadBalancer",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:CreateTargetGroup",
        "elasticloadbalancing:DeleteTargetGroup",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:CreateListener",
        "elasticloadbalancing:DeleteListener",
        "autoscaling:CreateLaunchConfiguration",
        "autoscaling:DeleteLaunchConfiguration",
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:DeleteAutoScalingGroup",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DescribeLaunchConfigurations",
        "autoscaling:DescribeAutoScalingInstances",
        "acm:RequestCertificate",
        "acm:DescribeCertificate",
        "acm:DeleteCertificate",
        "iam:CreateRole",
        "iam:ListRoleTags",
        "iam:getRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:DeleteRole",
        "iam:GetRole",
        "iam:PassRole",
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:AttachRolePolicy",
        "logs:CreateLogGroup",
        "logs:PutRetentionPolicy",
        "logs:DeleteLogGroup",
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:PutBucketPublicAccessBlock",
        "datasync:CreateLocationEfs",
        "datasync:CreateLocationS3",
        "datasync:CreateTask",
        "datasync:DeleteLocation",
        "datasync:DescribeLocationS3",
        "datasync:DescribeLocationEfs",
        "datasync:DescribeTask",
        "datasync:ListTagsForResource",
        "datasync:DeleteTask"
      ],
      "Resource": "*"
    }
  ]
}
```
Click on "Next:Tags" and then "Next:Review" to create the policy, giving the policy an appropriate name.
Return to the IAM role screen and find the policy you have just created, and select it to assign the policy to your role. Then click "Next:Tags", then "Next:Review", and finally "Create role". Assign a name to the role (e.g. `lookup-mgr-role`).
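The split described above, where the operator user holds only the CloudFormation actions and the service role holds the resource actions, can be checked before anything is launched. The script below is an added example (not code from this repository): a small evaluator for the `Action` element of IAM policies, applied to the page's operator policy, an excerpt of the page's service-role policy, and the trust policy a role gets when "AWS Service" and CloudFormation are selected in the console (that trust document is stated here as an assumption about what the console generates). The evaluator handles Allow/Deny, wildcards and the case-insensitive matching IAM applies to action names, which is why the page's spelling `iam:getRolePolicy` still grants `iam:GetRolePolicy`; it ignores `Resource`, `Condition` and `NotAction`, a deliberate simplification. The list of actions a stack needs is a constructed sample.

```python
"""Evaluate the Action element of IAM policies and inspect the role's trust policy.

Added example, not code from the repository. It reproduces what the text
describes: the operator user can call CloudFormation but cannot create the
stack's resources, while the role CloudFormation assumes can. Evaluation
covers only the Action element (Allow/Deny, wildcards, case-insensitive
names); Resource, Condition and NotAction are ignored on purpose.
"""
import fnmatch


def _as_list(value):
    # IAM accepts a single string or a list for Action, Resource and Principal.
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM compares action names case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy, action):
    """Explicit Deny wins over any Allow; no matching statement is an implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def missing_actions(policy, required):
    """Actions from `required` that the policy does not allow."""
    return [a for a in required if not is_allowed(policy, a)]


def trusted_services(trust_policy):
    """Service principals that may assume the role through sts:AssumeRole."""
    services = set()
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches(p, "sts:AssumeRole") for p in _as_list(stmt.get("Action", []))):
            continue
        services.update(_as_list(stmt.get("Principal", {}).get("Service", [])))
    return services


# Operator policy from this page.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "cloudformation:CreateStack", "cloudformation:DescribeStacks",
            "cloudformation:DeleteStack", "cloudformation:DescribeStackEvents",
            "cloudformation:UpdateStack", "iam:PassRole",
        ],
        "Resource": "*",
    }],
}

# Excerpt of the service-role policy from this page, keeping its spelling of iam:getRolePolicy.
ROLE_POLICY_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:CreateSecurityGroup", "ecs:CreateCluster", "ecs:DeleteCluster",
            "elasticfilesystem:CreateFileSystem", "elasticfilesystem:CreateMountTarget",
            "s3:CreateBucket", "s3:PutBucketPublicAccessBlock",
            "iam:CreateRole", "iam:getRolePolicy", "iam:PassRole",
        ],
        "Resource": "*",
    }],
}

# Trust policy for a role created as "AWS Service -> CloudFormation" (assumption).
ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "cloudformation.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed sample of what a stack with an ECS cluster, an EFS file system
# and an S3 bucket asks CloudFormation to do on the caller's behalf.
RESOURCE_ACTIONS = ["ecs:CreateCluster", "elasticfilesystem:CreateFileSystem", "s3:CreateBucket"]

if __name__ == "__main__":
    print("operator user lacks:", missing_actions(USER_POLICY, RESOURCE_ACTIONS))
    print("service role lacks:", missing_actions(ROLE_POLICY_EXCERPT, RESOURCE_ACTIONS))
    print("role may be assumed by:", sorted(trusted_services(ROLE_TRUST_POLICY)))
```

The output shows the operator user missing all three resource actions, the service role missing none, and CloudFormation as the only principal that can assume the role. The `trusted_services` check is the one worth keeping around: a role whose trust policy lists anything beyond `cloudformation.amazonaws.com` can be assumed by more than the service this page sets it up for.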
Once the role has been created, click on it to view the role summary page; the first item will be the "Role ARN", copy it. You should now be able to pass the ARN of this role from `lookup-mgr-user` to CloudFormation using the command line, like this:

```shell
aws cloudformation create-stack --stack-name lookup-resources \
  --profile lookup-mgr-user \
  --role-arn arn:aws:iam::<your_account_id>:role/lookup-mgr-role
```

This example shows only the permissions-related parameters. Full examples of the command to execute reside in the documents that have instructions about each template.
This user and role can now be used to create and make any updates to the stack, including deleting the stack if necessary.
- access key ID and secret access key for the user to add to their `.aws/credentials` file
- Role ARN to use as `--role-arn` when executing commands to run the templates (e.g. `arn:aws:iam::<your_account_id>:role/lookup-mgr-role`)