{ | |
"Statement": [ | |
{ | |
"Sid": "PackerSecurityGroupAccess", | |
"Action": [ | |
"ec2:CreateSecurityGroup", | |
"ec2:DeleteSecurityGroup", | |
"ec2:DescribeSecurityGroups", | |
"ec2:AuthorizeSecurityGroupIngress", | |
"ec2:RevokeSecurityGroupIngress" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "PackerAMIAccess", | |
"Action": [ | |
"ec2:CreateImage", | |
"ec2:RegisterImage", | |
"ec2:DeregisterImage", | |
"ec2:DescribeImages" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "PackerSnapshotAccess", | |
"Action": [ | |
"ec2:CreateSnapshot", | |
"ec2:DeleteSnapshot", | |
"ec2:DescribeSnapshots" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "PackerInstanceAccess", | |
"Action": [ | |
"ec2:RunInstances", | |
"ec2:StartInstances", | |
"ec2:StopInstances", | |
"ec2:RebootInstances", | |
"ec2:TerminateInstances", | |
"ec2:DescribeInstances", | |
"ec2:CreateTags" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "PackerKeyPairAccess", | |
"Action": [ | |
"ec2:CreateKeyPair", | |
"ec2:DeleteKeyPair", | |
"ec2:DescribeKeyPairs" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "PackerS3Access", | |
"Action": [ | |
"s3:Get*", | |
"s3:List*", | |
"s3:PutObject*", | |
"s3:DeleteObject*" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
}, | |
{ | |
"Sid": "PackerS3BucketAccess", | |
"Action": [ | |
"s3:ListAllMyBuckets", | |
"s3:CreateBucket" | |
], | |
"Effect": "Allow", | |
"Resource": [ | |
"*" | |
] | |
} | |
] | |
} |
Definitely! I also added a link and a note about AWS resource-level permissions to the description. It's unfortunate there isn't an inline comment syntax for these policies — I wanted to put a note in each Resource block. |
A slightly modified version of my own (Volumes added, S3 removed): https://github.com/evgeny-goldin/playbooks/blob/master/packer/packer-iam.json |
Missing |
Missing |
Since Packer now supports spot instances, you can add the existing AWS role. |
There's a typo on line 34: `ec2:DeleteSnaphot` should be `ec2:DeleteSnapshot`. IAM will save the policy with the misspelled name, but it matches no EC2 API call, so snapshot deletion is never actually granted and any Packer step that deletes snapshots would presumably fail with AccessDenied. |
The new resource-level permissions for EC2 might allow even stricter policies: http://aws.typepad.com/aws/2013/07/resource-permissions-for-ec2-and-rds-resources.html — every statement above uses `"Resource": ["*"]`, so actions like `ec2:TerminateInstances` and `s3:DeleteObject*` currently apply to every instance and bucket in the account rather than just Packer's own.
Thanks for sharing your policies!