packer IAM permissions

packer-permissions.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "NonResourceBasedReadOnlyPermissions",
            "Action": [
              "ec2:DescribeSubnets",
              "ec2:DescribeSnapshots",
              "ec2:DescribeImages",
              "ec2:DescribeVolumes",
              "ec2:DescribeInstances"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "NonResourceBasedWritePermissions",
            "Action": [
              "ec2:CopyImage",
              "ec2:CreateImage",
              "ec2:CreateKeyPair",
              "ec2:CreateSecurityGroup",
              "ec2:CreateSnapshot",
              "ec2:CreateTags",
              "ec2:CreateVolume",
              "ec2:DeleteKeypair",
              "ec2:DeleteSnapshot",
              "ec2:ModifyImageAttribute",
              "ec2:ModifyInstanceAttribute",
              "ec2:RegisterImage"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "IAMPassroleToInstance",
            "Action": [
                "iam:PassRole"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::$ACCOUNT_ID:role/packer-inflight-role"
        },
        {
            "Sid": "AllowInstanceActions",
            "Effect": "Allow",
            "Action": [
              "ec2:AttachVolume",
              "ec2:DetachVolume",
              "ec2:StopInstances",
              "ec2:TerminateInstances"

            ],
            "Resource": "arn:aws:ec2:$REGION:$ACCOUNT_ID:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceProfile": "arn:aws:iam::$ACCOUNT_ID:instance-profile/packer-inflight-role"
                }
            }
        },
        {
            "Sid": "EC2RunInstances",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:$REGION:$ACCOUNT_ID:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceProfile": "arn:aws:iam::$ACCOUNT_ID:instance-profile/packer-inflight-role"
                }
            }
        },
        {
            "Sid": "EC2RunInstancesSubnet",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:$REGION:$ACCOUNT_ID:subnet/*",
            "Condition": {
                "StringEquals": {
                    "ec2:vpc": "arn:aws:ec2:$REGION:$ACCOUNT_ID:vpc/$VPC_ID"
                }
            }
        },
        {
            "Sid": "RemainingRunInstancePermissions",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
              "arn:aws:ec2:$REGION:$ACCOUNT_ID:volume/*",
              "arn:aws:ec2:$REGION::image/*",
              "arn:aws:ec2:$REGION::snapshot/*",
              "arn:aws:ec2:$REGION:$ACCOUNT_ID:network-interface/*",
              "arn:aws:ec2:$REGION:$ACCOUNT_ID:key-pair/*",
              "arn:aws:ec2:$REGION:$ACCOUNT_ID:security-group/*",
              "arn:aws:ec2:$REGION:$ACCOUNT_ID:subnet/*"
            ]
        },
        {
            "Sid": "EC2VpcNonresourceSpecificActions",
            "Effect": "Allow",
            "Action": [
              "ec2:AuthorizeSecurityGroupIngress",
              "ec2:DeleteSecurityGroup"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:vpc": "arn:aws:ec2:$REGION:$ACCOUNT_ID:vpc/$VPC_ID"
                }
            }
        }
    ]
}

From this thread on packer#1928.

Merging the AWS How to Help Lock Down a User's Amazon EC2 Capabilities to a Single VPC, with the required Docker IAM permissions doc.

The idea is to create an empty IAM instance profile (here packer-inflight-role), and have packer use that for the instance it starts (using iam_instance_profile in your packer file), and restrict as much as we can to that role.

Note that a lot of ec2 IAM actions are left unrestricted (CreatedSecurityGroup, DeleteKeypair), as not all ec2 actions allow restrictions (see: Unsupported Resource Level Permissions). I've tried to group these in NonResourceBasedReadOnlyPermissions and NonResourceBasedWritePermissions Sids.

Replace $REGION, $ACCOUNT_ID, and $VPC_ID with your account info and create an empty packer-inflight-role role/instance profile.

Hey, this isn't currently working I needed to add ec2:DescribeSecurityGroups ( and probably more, still getting errors ) do you happen to have an up to date version ?

I added ec2:DescribeSecurityGroups, and then made sure that the VPC condition was ec2:Vpc (V capitalized), then filled in all the $ vars for my infrastructure and the policy worked for me.

I needed to add "ec2:DescribeImageAttribute",
"ec2:DescribeInstanceStatus",
"ec2:DescribeRegions",
"ec2:DescribeTags",
"ec2:DescribeSecurityGroups",

            "ec2:DeleteVolume",
            "ec2:DeregisterImage",
            "ec2:GetPasswordData",
            "ec2:ModifySnapshotAttribute"

Forked and reworked this slightly here: https://gist.github.com/TimJDFletcher/dee9dbc51ca85cf0bba50e82090bac6b

This policy adds restictions on the size of the instances that can be started
This policy includes the additional "ec2:DescribeSecurityGroups" perms needed
Also changes vpc to Vpc