AWS IAM policy for a salt-cloud user

When creating an IAM user for salt-cloud, what are the minimum rights it needs to do its work, following the principle of least privilege?

I just need to create EC2 instances using a map file; however, I don't know salt-cloud well enough to be sure of the actual actions it performs.

I would rather use a predefined policy if one exists.

1 answer

I was curious about this, so I looked at the salt-cloud source (salt/cloud/clouds/ec2.py). Interestingly, they do not use the boto library to make AWS calls; instead they build the requests themselves, and the way they did it makes it very easy to extract the actions you need to be allowed to perform.

This one-liner pulls out all the actions:

grep "'Action':" cloud/clouds/ec2.py | awk '{print $4;}' | sed "s/[},']//g" | sort | uniq

As you can see, it is a pretty substantial subset of all available EC2 permissions.

AllocateAddress AssociateAddress AttachVolume CancelSpotInstanceRequests CopySnapshot CreateKeyPair CreateSnapshot CreateTags CreateVolume DeleteKeyPair DeleteSnapshot DeleteTags DeleteVolume DescribeAvailabilityZones DescribeImages DescribeInstanceAttribute DescribeInstanceTypes DescribeInstances DescribeKeyPairs DescribeRegions DescribeSnapshots DescribeSpotInstanceRequests DescribeSubnets DescribeTags DescribeVolumes DescribeZones DetachVolume GetConsoleOutput GetPasswordData ImportKeyPair ModifyInstanceAttribute ModifyNetworkInterfaceAttribute RebootInstance RebootInstances RegisterImage RequestSpotInstances RunInstances StartInstance StartInstances StopInstances TerminateInstances

Naturally, you could use salt to create an IAM profile for you :)

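The answer stops at the list of action names; the question asked for an IAM policy. The following Python script, added here as an example and not code from the original answer or from salt-cloud itself, does the remaining step: it reproduces the grep pipeline as a regex over a constructed sample of ec2.py-style request dicts (not the real file), takes the 41 action names listed in the answer above, and emits a policy document that allows exactly those calls under the ec2: prefix. The split into a read-only and a mutating statement, the optional aws:RequestedRegion condition, and the statement Sids are my assumptions about how to scope the user; salt-cloud does not require them.

```python
"""Turn the EC2 actions salt-cloud issues into a least-privilege IAM policy.

Added example; not code from the original answer or from salt-cloud itself.
"""
import json
import re

# Constructed sample mimicking the request dicts in salt/cloud/clouds/ec2.py.
# This is NOT the real file; it only exercises the extraction step.
SAMPLE_EC2_PY = """
    params = {'Action': 'DescribeInstances'}
    params = {'Action': 'RunInstances',
              'ImageId': image_id}
    params = {'Action': 'CreateTags', 'ResourceId.1': instance_id}
    params = {'Action': 'DescribeInstances'}   # duplicate, collapsed by set()
    params = {'Action': 'TerminateInstances'}
"""

# The action names the answer above extracted from ec2.py (41 entries).
PAGE_ACTIONS = """
AllocateAddress AssociateAddress AttachVolume CancelSpotInstanceRequests
CopySnapshot CreateKeyPair CreateSnapshot CreateTags CreateVolume DeleteKeyPair
DeleteSnapshot DeleteTags DeleteVolume DescribeAvailabilityZones DescribeImages
DescribeInstanceAttribute DescribeInstanceTypes DescribeInstances
DescribeKeyPairs DescribeRegions DescribeSnapshots DescribeSpotInstanceRequests
DescribeSubnets DescribeTags DescribeVolumes DescribeZones DetachVolume
GetConsoleOutput GetPasswordData ImportKeyPair ModifyInstanceAttribute
ModifyNetworkInterfaceAttribute RebootInstance RebootInstances RegisterImage
RequestSpotInstances RunInstances StartInstance StartInstances StopInstances
TerminateInstances
""".split()

# Matches the 'Action': 'Name' pairs the grep in the answer keys on.
ACTION_RE = re.compile(r"'Action':\s*'([A-Za-z]+)'")

# IAM counts characters excluding whitespace; 6144 is the managed-policy limit.
MANAGED_POLICY_MAX_CHARS = 6144


def extract_actions(source):
    """Same result as the grep | awk | sed | sort | uniq pipeline: unique, sorted names."""
    return sorted(set(ACTION_RE.findall(source)))


def build_policy(actions, region=None):
    """Allow exactly the given EC2 actions, split into read-only and mutating statements.

    Describe*/Get* calls are kept apart from mutating calls so the mutating
    statement can later be tightened with tag or resource conditions without
    touching the reads. Most Describe* actions do not support resource-level
    permissions, so Resource stays "*". The optional aws:RequestedRegion
    condition pins the user to one region (an assumption about the deployment,
    not something salt-cloud requires).
    """
    read = [a for a in actions if a.startswith(("Describe", "Get"))]
    write = [a for a in actions if a not in read]
    statements = []
    for sid, names in (("SaltCloudEc2Read", read), ("SaltCloudEc2Mutate", write)):
        if not names:
            continue
        stmt = {"Sid": sid, "Effect": "Allow",
                "Action": [f"ec2:{a}" for a in names], "Resource": "*"}
        if region:
            stmt["Condition"] = {"StringEquals": {"aws:RequestedRegion": region}}
        statements.append(stmt)
    return {"Version": "2012-10-17", "Statement": statements}


def policy_size(policy):
    """Non-whitespace character count, the measure IAM applies to its size limits."""
    return len(json.dumps(policy, separators=(",", ":")))


def fits_managed_policy(policy):
    """True if the document can be stored as a customer managed policy."""
    return policy_size(policy) <= MANAGED_POLICY_MAX_CHARS


if __name__ == "__main__":
    print(extract_actions(SAMPLE_EC2_PY))
    policy = build_policy(PAGE_ACTIONS, region="eu-west-1")
    assert fits_managed_policy(policy)
    print(json.dumps(policy, indent=2))
```

Two caveats before attaching the output to the user: a few names in the extracted list (DescribeZones, RebootInstance, StartInstance) do not match the documented EC2 API action names, so run the document through IAM policy validation and then do a dry run of the map with salt-cloud, watching for UnauthorizedOperation errors, rather than trusting the grep output alone. And if the map gives instances an instance profile, RunInstances additionally needs iam:PassRole on that role, which this EC2-only policy does not grant.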

Source: https://habr.com/ru/post/1605743/
