Technical Blog Post
Abstract
AWS Minimum Permissions
Body
If you are using AWS to provision hosts through an IAM user, this post helps you define the minimum permissions that user needs to provision and terminate hosts through the AWS console.
Please refer to the following links regarding IAM users and adding permissions:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html
For OnDemand instances
ec2:DescribeInstances: to check the status of instances
ec2:TerminateInstances: to remove instances
ec2:RunInstances: to request new instances
ec2:DescribeVpcs: to select a VPC
ec2:DescribeSubnets: to select a subnet
ec2:DescribeImages: to select an image
ec2:DescribeKeyPairs: to select a Key Pair
For Spot Fleets
ec2:RequestSpotFleet: Used by AWS GUI and HostFactory service to create a spot fleet
ec2:CancelSpotFleetRequests: to cancel a fleet request
ec2:DescribeSpotFleetRequests: to check for fleet status
ec2:DescribeSpotFleetInstances: to check instances status under a specific fleet
ec2:DescribeSpotInstanceRequests: to check the status of a specific spot instance
ec2:DescribeInstances: to check the status of instances
ec2:DescribeSpotInstanceRequests: called while removing instances
ec2:TerminateInstances: to remove instances
ec2:DescribeAccountAttributes: to select a VPC
ec2:DescribeVpcs: to select a VPC
ec2:DescribeSubnets: to select a subnet
ec2:DescribeImages: to select an image
ec2:DescribeKeyPairs: to select a Key Pair
ec2:DescribeAvailabilityZones: to select an availability zone
If you are using a launch template for your spot fleets, you also need the following permissions:
ec2:GetLaunchTemplateData: to read the launch template data
ec2:DescribeLaunchTemplates: to check for the launch template
ec2:CreateLaunchTemplate: to create a launch template
ec2:DeleteLaunchTemplate: to clean up the launch template
More permissions
IAM role permissions
If you are using an IAM role, you need to add the following permissions to list the IAM roles to choose from and to pass the chosen IAM role to the provisioned instances:
iam:ListInstanceProfiles
iam:ListRoles
iam:PassRole
Tag permission
If you add tags to your instances or spot fleets, you also need this permission:
ec2:CreateTags
You can add the following permissions to verify template values through the AWS GUI:
ec2:DescribeInstanceStatus: to show the status of instances
ec2:DescribeVolumes: to show EBS volumes
ec2:DescribeTags: to show tags
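The lists above can be assembled into one least-privilege policy document and then used to audit a policy someone already attached to the user. The following is an added example, not code from the post or from HostFactory; it goes one step beyond the post by scoping iam:PassRole to a single role ARN (a constructed placeholder) and to the EC2 service with the iam:PassedToService condition key, so the user can pass only that role and only to EC2.

```python
# IAM actions as listed in the post, grouped the way the post groups them.
ON_DEMAND = {
    "ec2:DescribeInstances", "ec2:TerminateInstances", "ec2:RunInstances",
    "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeImages",
    "ec2:DescribeKeyPairs",
}
SPOT_FLEET = (ON_DEMAND - {"ec2:RunInstances"}) | {
    "ec2:RequestSpotFleet", "ec2:CancelSpotFleetRequests",
    "ec2:DescribeSpotFleetRequests", "ec2:DescribeSpotFleetInstances",
    "ec2:DescribeSpotInstanceRequests", "ec2:DescribeAccountAttributes",
    "ec2:DescribeAvailabilityZones",
}
LAUNCH_TEMPLATE = {
    "ec2:GetLaunchTemplateData", "ec2:DescribeLaunchTemplates",
    "ec2:CreateLaunchTemplate", "ec2:DeleteLaunchTemplate",
}
IAM_LIST = {"iam:ListInstanceProfiles", "iam:ListRoles"}

def build_policy(spot=False, launch_template=False, role_arn=None, tags=False):
    """Return a least-privilege IAM policy document for the chosen options."""
    actions = set(SPOT_FLEET if spot else ON_DEMAND)
    if launch_template:
        actions |= LAUNCH_TEMPLATE
    if tags:
        actions.add("ec2:CreateTags")
    statements = [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}]
    if role_arn:
        statements.append({"Effect": "Allow", "Action": sorted(IAM_LIST), "Resource": "*"})
        # iam:PassRole is the sensitive grant: scope it to the one role ARN and
        # to EC2, so the user cannot hand other roles to other services.
        statements.append({
            "Effect": "Allow", "Action": "iam:PassRole", "Resource": role_arn,
            "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}

def audit_policy(policy, required):
    """Return (missing, extra) Allow actions relative to a required set.
    A wildcard such as ec2:* shows up as extra: it grants far more than needed."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            acts = stmt["Action"]
            granted.update([acts] if isinstance(acts, str) else acts)
    return sorted(required - granted), sorted(granted - required)

# Constructed example of a policy that used ec2:* instead of the explicit list.
OVERBROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"}]}
```

Running audit_policy(OVERBROAD, ON_DEMAND) reports every listed action as missing and ec2:* plus the unscoped iam:PassRole as extra, which is the finding you want before attaching the policy to the provisioning user.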
UID
ibm16163869