Gist MattSurabian/5976061
```json
{
  "Statement": [
    {
      "Sid": "PackerSecurityGroupAccess",
      "Action": [
        "ec2:CreateSecurityGroup",
        "ec2:DeleteSecurityGroup",
        "ec2:DescribeSecurityGroups",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "PackerAMIAccess",
      "Action": [
        "ec2:CreateImage",
        "ec2:RegisterImage",
        "ec2:DeregisterImage",
        "ec2:DescribeImages"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "PackerSnapshotAccess",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:DeleteSnapshot",
        "ec2:DescribeSnapshots"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "PackerInstanceAccess",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances",
        "ec2:DescribeInstances",
        "ec2:CreateTags"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "PackerKeyPairAccess",
      "Action": [
        "ec2:CreateKeyPair",
        "ec2:DeleteKeyPair",
        "ec2:DescribeKeyPairs"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "PackerS3Access",
      "Action": [
        "s3:Get*",
        "s3:List*",
        "s3:PutObject*",
        "s3:DeleteObject*"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "PackerS3BucketAccess",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:CreateBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ]
}
```
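Two things a reviewer would check in a policy like this before attaching it to a build role: that every action name is spelled correctly (IAM does not reject unknown action names, so a misspelled `ec2:DeleteSnapshot` silently grants nothing and the build fails later), and which statements grant mutating verbs against `Resource: "*"`. The linter below is an added example, not code from the gist or from Packer. Its action allow-list is a constructed subset of real EC2/S3 action names, just large enough to cover this policy, not the full AWS catalogue; the bucket name `example-packer-artifacts` in the hardened S3 statement is a placeholder.

```python
"""Lint an IAM policy for misspelled actions and over-broad resource grants.

Added example, not part of the gist. KNOWN_ACTIONS is a constructed subset
of real AWS action names; extend it (or load the AWS service reference)
before using this against other policies.
"""
import json
import re

# Constructed subset of real IAM action names, enough to check this policy.
KNOWN_ACTIONS = {
    "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup", "ec2:DescribeSecurityGroups",
    "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress",
    "ec2:CreateImage", "ec2:RegisterImage", "ec2:DeregisterImage", "ec2:DescribeImages",
    "ec2:CreateSnapshot", "ec2:DeleteSnapshot", "ec2:DescribeSnapshots",
    "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances",
    "ec2:TerminateInstances", "ec2:DescribeInstances", "ec2:CreateTags",
    "ec2:CreateKeyPair", "ec2:DeleteKeyPair", "ec2:DescribeKeyPairs",
    "s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteObject",
    "s3:ListAllMyBuckets", "s3:CreateBucket",
}

# Read-only verbs: a wildcard Resource on these is low risk and usually unavoidable.
READ_ONLY = re.compile(r"^[a-z0-9]+:(Describe|Get|List)")


def _as_list(value):
    """IAM allows a bare string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of (Sid, message) findings for one policy document."""
    findings = []
    if "Version" not in policy:
        findings.append(("<policy>", 'missing Version; add "2012-10-17"'))
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if "*" in action:
                # Expand the wildcard against the allow-list; a pattern that
                # matches nothing is almost always a typo.
                pattern = re.compile("^" + re.escape(action).replace("\\*", ".*") + "$")
                if not any(pattern.match(known) for known in KNOWN_ACTIONS):
                    findings.append((sid, f"wildcard action {action} matches nothing known"))
            elif action not in KNOWN_ACTIONS:
                findings.append((sid, f"unknown action {action} (typo?)"))
        if "*" in resources:
            mutating = [a for a in actions if not READ_ONLY.match(a)]
            if mutating:
                findings.append((sid, 'Resource "*" on mutating actions: ' + ", ".join(mutating)))
    return findings


# Constructed excerpt of the gist policy above, typo included, so the linter has input.
GIST_EXCERPT = {
    "Statement": [
        {"Sid": "PackerSnapshotAccess",
         "Action": ["ec2:CreateSnapshot", "ec2:DeleteSnaphot", "ec2:DescribeSnapshots"],
         "Effect": "Allow", "Resource": ["*"]},
        {"Sid": "PackerS3Access",
         "Action": ["s3:Get*", "s3:List*", "s3:PutObject*", "s3:DeleteObject*"],
         "Effect": "Allow", "Resource": ["*"]},
    ]
}

# Hardened S3 grant: same verbs, scoped to one bucket (placeholder name).
HARDENED_S3 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PackerS3Access",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Effect": "Allow",
         "Resource": "arn:aws:s3:::example-packer-artifacts/*"},
        {"Sid": "PackerS3BucketAccess",
         "Action": ["s3:ListBucket"],
         "Effect": "Allow",
         "Resource": "arn:aws:s3:::example-packer-artifacts"},
    ]
}

if __name__ == "__main__":
    import sys
    # Pass a policy file as argv[1], or lint the built-in excerpt.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else GIST_EXCERPT
    for sid, msg in lint_policy(doc):
        print(f"{sid}: {msg}")
    print("hardened S3 findings:", lint_policy(HARDENED_S3))
```

Run against the excerpt it reports the missing `Version`, the misspelled `ec2:DeleteSnaphot`, and the two statements that pair mutating verbs with `Resource: "*"`; the scoped S3 statement produces no findings. The EC2 statements cannot be tightened the same way with the 2013-era IAM this gist targets, which is what the resource-level permissions comment further down is about.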
Definitely! I also added a link and a note about AWS resource-level permissions in the description. It's unfortunate there isn't an inline comment syntax for these policies; I wanted to put a note in each Resource block.
A slightly modified version of my own (Volumes added, S3 removed): https://github.com/evgeny-goldin/playbooks/blob/master/packer/packer-iam.json
Missing ec2:ModifyInstanceAttribute, which causes Packer to fail when enabling Enhanced Networking.
Missing ec2:DescribeSubnets, needed for looking up the Availability Zone when using a VPC subnet.
If you are creating a Windows image, you will also need ec2:GetPasswordData.
Since Packer supports spot instances now, you can add the existing AWS role AmazonEC2SpotFleetRole and the permission ec2:CancelSpotInstanceRequests to allow Packer to use a spot instance to build the AMI.
There's a typo on line 34 - Snaphot instead of Snapshot
The new resource-level permissions for EC2 might allow even stricter policies http://aws.typepad.com/aws/2013/07/resource-permissions-for-ec2-and-rds-resources.html
Thanks for sharing your policies!