2 - AWS IAM Policies
CloudSense needs policies on an AWS user. We can add these policies through the IAM dashboard. This part requires a user with enough permissions to create users and policies. Contact your AWS administrator.
First, navigate to the IAM Dashboard then go “Policies” > “Create Policy”.
Go into the “JSON” editor tab and enter the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:DescribeAlarmsForMetric",
"cloudwatch:GetMetricData",
"ec2:CreateNetworkInterface",
"ec2:CreateNetworkInterface",
"ec2:CreateNetworkInterfacePermission",
"ec2:DeleteNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeSubnets",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcs",
"ec2:DescribeVpcs",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifyNetworkInterfaceAttribute",
"elasticfilesystem:Backup",
"elasticfilesystem:CreateAccessPoint",
"elasticfilesystem:CreateFileSystem",
"elasticfilesystem:CreateMountTarget",
"elasticfilesystem:CreateReplicationConfiguration",
"elasticfilesystem:CreateTags",
"elasticfilesystem:DeleteAccessPoint",
"elasticfilesystem:DeleteFileSystem",
"elasticfilesystem:DeleteFileSystemPolicy",
"elasticfilesystem:DeleteMountTarget",
"elasticfilesystem:DeleteReplicationConfiguration",
"elasticfilesystem:DeleteTags",
"elasticfilesystem:DescribeAccessPoints",
"elasticfilesystem:DescribeAccountPreferences",
"elasticfilesystem:DescribeBackupPolicy",
"elasticfilesystem:DescribeFileSystemPolicy",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeLifecycleConfiguration",
"elasticfilesystem:DescribeMountTargetSecurityGroups",
"elasticfilesystem:DescribeMountTargets",
"elasticfilesystem:DescribeReplicationConfigurations",
"elasticfilesystem:DescribeTags",
"elasticfilesystem:ListTagsForResource",
"elasticfilesystem:ModifyMountTargetSecurityGroups",
"elasticfilesystem:PutAccountPreferences",
"elasticfilesystem:PutBackupPolicy",
"elasticfilesystem:PutFileSystemPolicy",
"elasticfilesystem:PutLifecycleConfiguration",
"elasticfilesystem:Restore",
"elasticfilesystem:TagResource",
"elasticfilesystem:UntagResource",
"elasticfilesystem:UpdateFileSystem",
"elasticloadbalancing:DescribeLoadBalancers",
"iam:AddRoleToInstanceProfile",
"iam:AttachRolePolicy",
"iam:CreateInstanceProfile",
"iam:CreatePolicy",
"iam:CreateRole",
"iam:DeleteInstanceProfile",
"iam:DeletePolicy",
"iam:DeleteRole",
"iam:DetachRolePolicy",
"iam:GetInstanceProfile",
"iam:GetPolicy",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:ListPolicyVersions",
"iam:ListRoles",
"iam:PassRole",
"iam:RemoveRoleFromInstanceProfile",
"kms:DescribeKey",
"kms:ListAliases",
"route53resolver:*",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:GetParametersByPath"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"eks:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudformation:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": "*"
},
{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "autoscaling:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"autoscaling.amazonaws.com",
"ec2scheduled.amazonaws.com",
"elasticloadbalancing.amazonaws.com",
"spot.amazonaws.com",
"spotfleet.amazonaws.com",
"transitgateway.amazonaws.com",
"eks.amazonaws.com",
"eks-nodegroup.amazonaws.com"
]
}
}
}
]
}Go to the tag screen and add any desired tags.
Go to the review screen and enter the name “CloudSense” and, optionally, a description.
Now that the policy is made, we need to attach the policy to a user. Go to Users and search for the appropriate user.
Now, “Add permissions” > “Attach existing policies directly” > Search “CloudSense” > Checkbox “CloudSense” > “Next: Review” > “Add permissions”
Congratulations! You now have all the permissions to deploy an AWS cluster through CloudSense.
Next steps: Use your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY inside CloudSense to deploy an AWS cluster.
Last updated