Skip to content

Instantly share code, notes, and snippets.

@MattSurabian
Last active May 27, 2022 21:46
Show Gist options
  • Save MattSurabian/5976061 to your computer and use it in GitHub Desktop.
Save MattSurabian/5976061 to your computer and use it in GitHub Desktop.
Minimum IAM policy required by AWS for Packer to do its thing. https://github.com/mitchellh/packer Permissions are broken out by API functionality and a resource array has been defined with a wild card for each group. For tighter security resource level permissions can be applied per this documentation: http://aws.typepad.com/aws/2013/07/resourc…
{
"Statement": [
{
"Sid": "PackerSecurityGroupAccess",
"Action": [
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Sid": "PackerAMIAccess",
"Action": [
"ec2:CreateImage",
"ec2:RegisterImage",
"ec2:DeregisterImage",
"ec2:DescribeImages"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Sid": "PackerSnapshotAccess",
"Action": [
"ec2:CreateSnapshot",
"ec2:DeleteSnaphot",
"ec2:DescribeSnapshots"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Sid": "PackerInstanceAccess",
"Action": [
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:RebootInstances",
"ec2:TerminateInstances",
"ec2:DescribeInstances",
"ec2:CreateTags"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Sid": "PackerKeyPairAccess",
"Action": [
"ec2:CreateKeyPair",
"ec2:DeleteKeyPair",
"ec2:DescribeKeyPairs"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Sid": "PackerS3Access",
"Action": [
"s3:Get*",
"s3:List*",
"s3:PutObject*",
"s3:DeleteObject*"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Sid": "PackerS3BucketAccess",
"Action": [
"s3:ListAllMyBuckets",
"s3:CreateBucket"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
]
}
@LarsFronius
Copy link

The new resource-level permissions for EC2 might allow even stricter policies http://aws.typepad.com/aws/2013/07/resource-permissions-for-ec2-and-rds-resources.html

Thanks for sharing your policies!

@MattSurabian
Copy link
Author

Definitely! Also added a link and note about AWS Resource level permissions in the description, it's unfortunate there isn't an inline comment syntax for these policies, I wanted to put a note in each Resource block.

@evgeny-goldin
Copy link

A slightly modified version of my own (Volumes added, S3 removed): https://github.com/evgeny-goldin/playbooks/blob/master/packer/packer-iam.json

@rafaelmagu
Copy link

Missing ec2:ModifyInstanceAttribute, which causes Packer to fail when enabling Enhanced Networking.

@chalfant
Copy link

chalfant commented Jul 5, 2016

Missing ec2:DescribeSubnets, needed for looking up Availability Zone when using a VPC subnet.
If you are creating a Windows image, you will also need ec2:GetPasswordData.

@ozbillwang
Copy link

ozbillwang commented Aug 1, 2017

Since packer supports spot instance now, you can add existing AWS role AmazonEC2SpotFleetRole and permission ec2:CancelSpotInstanceRequests to allow packer to use spot instance to build the AMI image.

@alexgottschalkmedal
Copy link

There's a typo on line 34 - Snaphot instead of Snapshot

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment