Possible minimum IAM policy for dynamic EC2 resources

Has anyone worked out the minimum IAM policy required to run the EC2 dynamic inventory script (ec2.py) on an instance accessible through the IAM role?

So far I have not found a specific link on this matter, apart from the credentials for the boto library in the official documentation on this feature, but in production environments I rarely use key pairs to access AWS from EC2; instead I use an IAM role for this scenario.

I tried policies that allow ec2:Describe* actions, but that does not seem sufficient for the script, since it always exits with "Unauthorized operation".

Could you help me?

2 answers

I just created a demo: I created a new role, attached this new policy to it, and then launched a new instance that used this new role.

Demo policy:

  {
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "Demo201505282045",
             "Effect": "Allow",
             "Action": [
                 "ec2:Describe*",
                 "route53:ListHostedZones",
                 "route53:ListResourceRecordSets"
             ],
             "Resource": "*"
         }
     ]
  }

I had to add route53 since I am using the route53 option (route53 = true in ec2.ini), but other than that it worked fine.

If you still have problems, try running ec2.py from the command line (./ec2.py), as it usually gives reasonable error messages when run directly.


The script also looks at RDS and ElastiCache. You can disable them in ec2.ini, but if you do not, the following policy is sufficient to run the dynamic inventory.

  {
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "Demo201505282045",
             "Effect": "Allow",
             "Action": [
                 "ec2:Describe*",
                 "route53:ListHostedZones",
                 "route53:ListResourceRecordSets",
                 "rds:Describe*",
                 "elasticache:Describe*"
             ],
             "Resource": "*"
         }
     ]
  }
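As an added example (not from either answer, and not part of ec2.py), the following script checks a policy document offline against the actions the inventory script needs for the ec2.ini features you have enabled, using IAM's wildcard action matching. The service prefixes are the ones from the answers above; the concrete API names in REQUIRED_ACTIONS are an assumption about which Describe/List calls ec2.py makes, and the sample policy is constructed from the first answer.

```python
import re

# Actions ec2.py needs, keyed by the ec2.ini switch that enables them.
# Service prefixes come from the answers above; the specific API names
# are an assumption about which Describe/List calls the script makes.
REQUIRED_ACTIONS = {
    "core": ["ec2:DescribeInstances"],
    "route53": ["route53:ListHostedZones", "route53:ListResourceRecordSets"],
    "rds": ["rds:DescribeDBInstances"],
    "elasticache": ["elasticache:DescribeCacheClusters"],
}

def action_matches(pattern, action):
    """IAM action matching: case-insensitive, '*' any run, '?' one char."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def missing_actions(policy, enabled_features):
    """Return the required actions this policy does not allow."""
    statements = _as_list(policy.get("Statement"))
    missing = []
    for feature, actions in REQUIRED_ACTIONS.items():
        if feature != "core" and feature not in enabled_features:
            continue
        for action in actions:
            allowed = denied = False
            for stmt in statements:
                patterns = _as_list(stmt.get("Action"))
                if not any(action_matches(p, action) for p in patterns):
                    continue
                if stmt.get("Effect") == "Deny":      # explicit Deny wins
                    denied = True
                elif "*" in _as_list(stmt.get("Resource")):
                    allowed = True   # Describe*/List* need Resource "*"
            if denied or not allowed:
                missing.append(action)
    return missing

# Constructed sample: the policy from the first answer above.
ANSWER1_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:Describe*", "route53:ListHostedZones",
               "route53:ListResourceRecordSets"]}]}
```

Note that a pattern with stray spaces such as "ec2: Describe *" matches nothing, which is why the second answer's policy only works once the action strings are written without spaces.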

Source: https://habr.com/ru/post/988122/
