Document permissions to deploy single-master
The AWS user invoking single-master creation or deletion needs to have
the relevant permissions to action on AWS services involved by the
recipe.
Attach the relevant permission policy document and document how to set
it up in AWS.
Feature: Issue 13671
Change-Id: I675ac251d47f7a104826a254f16f820e672b687b
diff --git a/single-master/README.md b/single-master/README.md
index d47f899..422513d 100644
--- a/single-master/README.md
+++ b/single-master/README.md
@@ -59,7 +59,11 @@
### 0 - Prerequisites
-Follow the steps described in the [Prerequisites](../Prerequisites.md) section
+Follow the steps described in the [Prerequisites](../Prerequisites.md) section.
+
+Additionally, whilst it is possible to do so by using an admin user, consider
+limiting access only to what is required by using a dedicated role or user to do
+so.
### 1 - Configuration
@@ -124,3 +128,14 @@
### Docker
Refer to the [Docker](../Docker.md) section for information on how to setup docker or how to publish images
+
+### Permissions
+
+In order to deploy and destroy a single-master recipe the invoking user needs to
+have the relevant permissions to perform actions on AWS resources.
+
+The list of actions can be found [here](resources/permission.policy.json).
+The document can be used to create a permission policy directly in AWS.
+
+The policy then needs to be attached to the invoking user group or alternatively
+to the invoking user directly.
\ No newline at end of file
diff --git a/single-master/resources/permission.policy.json b/single-master/resources/permission.policy.json
new file mode 100644
index 0000000..b020cff
--- /dev/null
+++ b/single-master/resources/permission.policy.json
@@ -0,0 +1,131 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "Stmt1605188574000",
+ "Effect": "Allow",
+ "Action": [
+ "autoscaling:AttachLoadBalancerTargetGroups",
+ "autoscaling:CreateAutoScalingGroup",
+ "autoscaling:CreateLaunchConfiguration",
+ "autoscaling:CreateOrUpdateTags",
+ "autoscaling:DeleteAutoScalingGroup",
+ "autoscaling:DeleteLaunchConfiguration",
+ "autoscaling:DeleteTags",
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:DescribeLoadBalancerTargetGroups",
+ "autoscaling:DescribeScalingActivities",
+ "autoscaling:DetachLoadBalancerTargetGroups",
+ "autoscaling:UpdateAutoScalingGroup",
+ "cloudformation:*",
+ "cloudwatch:DeleteDashboards",
+ "cloudwatch:GetDashboard",
+ "cloudwatch:ListDashboards",
+ "cloudwatch:PutDashboard",
+ "ec2:AssociateRouteTable",
+ "ec2:AttachInternetGateway",
+ "ec2:AttachVolume",
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateInternetGateway",
+ "ec2:CreateKeyPair",
+ "ec2:CreateRoute",
+ "ec2:CreateRouteTable",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateSubnet",
+ "ec2:CreateVolume",
+ "ec2:CreateVpc",
+ "ec2:DeleteInternetGateway",
+ "ec2:DeleteRoute",
+ "ec2:DeleteRouteTable",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteSubnet",
+ "ec2:DeleteVolume",
+ "ec2:DeleteVpc",
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeHosts",
+ "ec2:DescribeImages",
+ "ec2:DescribeInstanceAttribute",
+ "ec2:DescribeInstances",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeKeyPairs",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVpcs",
+ "ec2:DetachInternetGateway",
+ "ec2:DetachVolume",
+ "ec2:DisassociateRouteTable",
+ "ec2:ModifySubnetAttribute",
+ "ec2:ModifyVolumeAttribute",
+ "ec2:ModifyVpcAttribute",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:RevokeSecurityGroupIngress",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:BatchGetImage",
+ "ecr:CompleteLayerUpload",
+ "ecr:DescribeImages",
+ "ecr:GetAuthorizationToken",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:InitiateLayerUpload",
+ "ecr:ListImages",
+ "ecr:PutImage",
+ "ecr:UploadLayerPart",
+ "ecs:CreateCluster",
+ "ecs:CreateService",
+ "ecs:DeleteCluster",
+ "ecs:DeleteService",
+ "ecs:DeregisterTaskDefinition",
+ "ecs:DescribeClusters",
+ "ecs:DescribeContainerInstances",
+ "ecs:DescribeServices",
+ "ecs:DescribeTaskDefinition",
+ "ecs:DescribeTasks",
+ "ecs:ListClusters",
+ "ecs:ListServices",
+ "ecs:ListTaskDefinitionFamilies",
+ "ecs:ListTaskDefinitions",
+ "ecs:ListTasks",
+ "ecs:RegisterTaskDefinition",
+ "elasticloadbalancing:*",
+ "iam:AddRoleToInstanceProfile",
+ "iam:AttachRolePolicy",
+ "iam:CreateInstanceProfile",
+ "iam:CreateRole",
+ "iam:DeleteInstanceProfile",
+ "iam:DeleteRole",
+ "iam:DeleteRolePolicy",
+ "iam:GetRole",
+ "iam:GetRolePolicy",
+ "iam:ListAttachedRolePolicies",
+ "iam:ListRolePolicies",
+ "iam:ListRoles",
+ "iam:PassRole",
+ "iam:PutRolePolicy",
+ "iam:RemoveRoleFromInstanceProfile",
+ "logs:*",
+ "route53:ChangeResourceRecordSets",
+ "route53:GetChange",
+ "route53:GetHostedZone",
+ "route53:ListHostedZones",
+ "route53:ListHostedZonesByName",
+ "route53:ListResourceRecordSets",
+ "s3:CreateBucket",
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:PutObject",
+ "ssm:DescribeParameters",
+ "ssm:GetParameter",
+ "ssm:GetParameters",
+ "ssm:PutParameter"
+ ],
+ "Resource": [
+ "*"
+ ]
+ }
+ ]
+}
\ No newline at end of file
