
Missing IAM permissions needed to run test kitchen in documentation. #457

Open
voroniys opened this issue May 13, 2019 · 3 comments

Comments

@voroniys

It would be really great if you'd include in the documentation the set of IAM permissions required to run the kitchen instance.

@cheeseplus
Contributor

If you could elaborate a bit, that would be helpful, but I think we've got that covered by https://github.com/test-kitchen/kitchen-ec2#iam_profile_name. If not, please add more detail.

@voroniys
Author

Hi,
I mean the minimum IAM role permissions needed to create and delete a kitchen instance. ATM I'm using the following one:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BastionPolicy",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:StartInstances",
                "ec2:RunInstances",
                "ec2:RequestSpotInstances",
                "ec2:RebootInstances",
                "ec2:ModifyVolume",
                "ec2:ImportKeyPair",
                "ec2:DisassociateIamInstanceProfile",
                "ec2:DisassociateAddress",
                "ec2:DetachNetworkInterface",
                "ec2:DescribeVolumes",
                "ec2:DescribeTags",
                "ec2:DescribeSubnets",
                "ec2:DescribeSpotInstanceRequests",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeRegions",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeImages",
                "ec2:DescribeAvailabilityZones",
                "ec2:DeleteTags",
                "ec2:DeleteNetworkInterface",
                "ec2:CreateVolume",
                "ec2:CreateTags",
                "ec2:CreateNetworkInterface",
                "ec2:CancelSpotInstanceRequests",
                "ec2:AttachVolume",
                "ec2:AssociateIamInstanceProfile",
                "ec2:AssociateAddress",
                "ec2:AssignPrivateIpAddresses"
            ],
            "Resource": "*"
        },
        {
            "Sid": "BastionIAMPolicy",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/*"
        }
    ]
}

but I'm not sure this is a good one, or rather, I'm sure it has too many permissions in it.
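An added least-privilege audit of the policy quoted above (example code, not part of this issue or of kitchen-ec2): it flags every Allow statement that grants a mutating EC2 action on `Resource: "*"` and any `iam:PassRole` scoped to all roles, which are the two reasons the policy is broader than it needs to be. The embedded policy is a constructed excerpt of the one above; the read-only prefix list is an assumption.

```python
import json

# Constructed excerpt of the policy quoted in the comment above, embedded so the
# script runs offline. A real policy file would be read with json.load(open(path)).
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "BastionPolicy", "Effect": "Allow",
     "Action": ["ec2:RunInstances", "ec2:TerminateInstances", "ec2:DescribeInstances",
                "ec2:ModifyVolume", "ec2:ImportKeyPair"],
     "Resource": "*"},
    {"Sid": "BastionIAMPolicy", "Effect": "Allow",
     "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/*"}
  ]
}"""

# Assumption: EC2 actions with these prefixes are read-only and are normally
# acceptable on Resource "*" (most Describe calls do not support resource ARNs).
READ_ONLY_PREFIXES = ("ec2:Describe", "ec2:Get", "ec2:List")


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (sid, action, reason) findings for over-broad Allow statements."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt.get("Resource", []))
        all_roles = any(r == "*" or r.endswith(":role/*") for r in resources)
        for action in _as_list(stmt.get("Action", [])):
            if action == "iam:PassRole" and all_roles:
                findings.append((sid, action, "PassRole on every role; scope to the instance profile role ARN"))
            elif not action.startswith(READ_ONLY_PREFIXES) and "*" in resources:
                findings.append((sid, action, 'mutating action on Resource "*"; add resource ARNs or tag conditions'))
    return findings


def audit_policy_text(policy_text):
    """Convenience wrapper: audit a policy given as a JSON string."""
    return audit_policy(json.loads(policy_text))


if __name__ == "__main__":
    for sid, action, reason in audit_policy_text(POLICY_JSON):
        print(f"{sid}: {action}: {reason}")
```

Run against the full policy above it reports every non-Describe EC2 action plus the PassRole statement, so the remaining work is deciding which of those kitchen-ec2 actually calls.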

@cheeseplus
Contributor

https://github.com/test-kitchen/kitchen-ec2/blob/f0484917b390d188288de3a6cc7b30d97d6b33af/README.md#requirements

and

#162 (comment)

Each denotes IAM permissions somewhat; if you'd like to have this in documentation, then a PR would be great.
