packer IAM permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "NonResourceBasedReadOnlyPermissions",
"Action": [
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeImages",
"ec2:DescribeVolumes",
"ec2:DescribeInstances"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "NonResourceBasedWritePermissions",
"Action": [
"ec2:CopyImage",
"ec2:CreateImage",
"ec2:CreateKeyPair",
"ec2:CreateSecurityGroup",
"ec2:CreateSnapshot",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteKeypair",
"ec2:DeleteSnapshot",
"ec2:ModifyImageAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:RegisterImage"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "IAMPassroleToInstance",
"Action": [
"iam:PassRole"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::_ACCOUNT_ID_:role/_ROLE_NAME_"
},
{
"Sid": "AllowInstanceActions",
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:instance/*",
"Condition": {
"StringEquals": {
"ec2:InstanceProfile": "arn:aws:iam::_ACCOUNT_ID_:instance-profile/_ROLE_NAME_"
}
}
},
{
"Sid": "EC2RunInstances",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:instance/*",
"Condition": {
"StringEquals": {
"ec2:InstanceProfile": "arn:aws:iam::_ACCOUNT_ID_:instance-profile/_ROLE_NAME_"
}
}
},
{
"Sid": "EC2LimitSize",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:instance/*",
"Condition": {
"ForAnyValue:StringNotLike": {
"ec2:InstanceType": [
"*.nano",
"*.small",
"*.micro"
]
}
}
},
{
"Sid": "EC2RunInstancesSubnet",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:subnet/*",
"Condition": {
"StringEquals": {
"ec2:Vpc": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:vpc/_VPC_ID_"
}
}
},
{
"Sid": "RemainingRunInstancePermissions",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:_REGION_:_ACCOUNT_ID_:volume/*",
"arn:aws:ec2:_REGION_::image/*",
"arn:aws:ec2:_REGION_::snapshot/*",
"arn:aws:ec2:_REGION_:_ACCOUNT_ID_:network-interface/*",
"arn:aws:ec2:_REGION_:_ACCOUNT_ID_:key-pair/*",
"arn:aws:ec2:_REGION_:_ACCOUNT_ID_:security-group/*",
"arn:aws:ec2:_REGION_:_ACCOUNT_ID_:subnet/*"
]
},
{
"Sid": "EC2VpcNonresourceSpecificActions",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DescribeSecurityGroups",
"ec2:DeleteSecurityGroup"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:Vpc": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:vpc/_VPC_ID_"
}
}
}
]
}
@tdmalone

Thanks for posting this!

One thing — wouldn't EC2RunInstancesSubnet be overridden by RemainingRunInstancePermissions, given that the latter allows all subnets? (i.e. even though the former limits the VPC, the latter leaves it open to all VPCs.)

@tdmalone

Also, although DescribeSecurityGroups is limited to the VPC in EC2VpcNonresourceSpecificActions, it is also open to all in NonResourceBasedReadOnlyPermissions.
