-
-
Save MattSurabian/5976061 to your computer and use it in GitHub Desktop.
| { | |
| "Statement": [ | |
| { | |
| "Sid": "PackerSecurityGroupAccess", | |
| "Action": [ | |
| "ec2:CreateSecurityGroup", | |
| "ec2:DeleteSecurityGroup", | |
| "ec2:DescribeSecurityGroups", | |
| "ec2:AuthorizeSecurityGroupIngress", | |
| "ec2:RevokeSecurityGroupIngress" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "PackerAMIAccess", | |
| "Action": [ | |
| "ec2:CreateImage", | |
| "ec2:RegisterImage", | |
| "ec2:DeregisterImage", | |
| "ec2:DescribeImages" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "PackerSnapshotAccess", | |
| "Action": [ | |
| "ec2:CreateSnapshot", | |
| "ec2:DeleteSnaphot", | |
| "ec2:DescribeSnapshots" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "PackerInstanceAccess", | |
| "Action": [ | |
| "ec2:RunInstances", | |
| "ec2:StartInstances", | |
| "ec2:StopInstances", | |
| "ec2:RebootInstances", | |
| "ec2:TerminateInstances", | |
| "ec2:DescribeInstances", | |
| "ec2:CreateTags" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "PackerKeyPairAccess", | |
| "Action": [ | |
| "ec2:CreateKeyPair", | |
| "ec2:DeleteKeyPair", | |
| "ec2:DescribeKeyPairs" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "PackerS3Access", | |
| "Action": [ | |
| "s3:Get*", | |
| "s3:List*", | |
| "s3:PutObject*", | |
| "s3:DeleteObject*" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "PackerS3BucketAccess", | |
| "Action": [ | |
| "s3:ListAllMyBuckets", | |
| "s3:CreateBucket" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "*" | |
| ] | |
| } | |
| ] | |
| } |
Definitely! Also added a link and note about AWS Resource level permissions in the description, it's unfortunate there isn't an inline comment syntax for these policies, I wanted to put a note in each Resource block.
A slightly modified version of my own (Volumes added, S3 removed): https://github.com/evgeny-goldin/playbooks/blob/master/packer/packer-iam.json
Missing ec2:ModifyInstanceAttribute, which causes Packer to fail when enabling Enhanced Networking.
Missing ec2:DescribeSubnets, needed for looking up Availability Zone when using a VPC subnet.
If you are creating a Windows image, you will also need ec2:GetPasswordData.
Since packer supports spot instance now, you can add existing AWS role AmazonEC2SpotFleetRole and permission ec2:CancelSpotInstanceRequests to allow packer to use spot instance to build the AMI image.
There's a typo on line 34 - Snaphot instead of Snapshot
The new resource-level permissions for EC2 might allow even stricter policies http://aws.typepad.com/aws/2013/07/resource-permissions-for-ec2-and-rds-resources.html
Thanks for sharing your policies!