Creating AWS Identity and Access Management (IAM) Policies
In AWS, IAM files are used to create policies that control access to resources in a VPC. IAM roles allow EC2 instances to make API requests without the need to use or distribute AWS credentials (accessKey and secretAccessKey). For more information about IAM, see the AWS Identity and Access Management User Guide in the AWS documentation. For instructions on how to create an IAM role, see Creating a Role to Delegate Permissions to an AWS Service in the AWS documentation.
- For EC2, Cloudera Director requires permissions for the following methods:
- CreateTags
- DescribeAvailabilityZones
- DescribeImages
- DescribeInstanceStatus
- DescribeInstances
- DescribeKeyPairs
- DescribePlacementGroups
- DescribeRegions
- DescribeSecurityGroups
- DescribeNetworkAcls
- DescribeSubnets
- DescribeInstanceAttribute
- RunInstances
- TerminateInstances
- To use EBS volumes, the following additional EC2 permissions are required:
- CreateVolume
- DescribeVolumes
- AttachVolume
- DeleteVolume
- ModifyInstanceAttribute
- When working with EBS volumes, in order to use a custom key stored in KMS for EBS encryption, Cloudera Director also requires the following KMS permission:
- DescribeKey
- To use the importKeyPairIfMissing property, Cloudera Director requires the following EC2 permission:
- ImportKeyPair
- To validate the templates used for EC2 instance creation, Cloudera Director requires permissions for the following IAM methods:
- GetInstanceProfile
- PassRole
- To create RDS database servers for persistence on demand, Cloudera Director requires permissions for the following methods:
- CreateDBInstance
- DeleteDBInstance
- DescribeDBInstances
- DescribeDBEngineVersions
- DescribeDBSubnetGroups
- With Cloudera Director 1.5 and higher, Cloudera Director requires permissions for the following method:
- DescribeDBSecurityGroups
This permission is required because, beginning with version 1.5, Cloudera Director includes early validation of RDS credentials at the time of creating or updating an environment, whether or not RDS database servers will be used.
Example IAM Policy
{ "Statement": [ { "Sid": "directorEc2", "Effect": "Allow", "Action": [ "ec2:CreateTags", "ec2:DescribeAvailabilityZones", "ec2:DescribeImages", "ec2:DescribeInstanceStatus", "ec2:DescribeInstances", "ec2:DescribeKeyPairs", "ec2:DescribePlacementGroups", "ec2:DescribeRegions", "ec2:DescribeSecurityGroups", "ec2:DescribeNetworkAcls", "ec2:DescribeSubnets", "ec2:DescribeInstanceAttribute", "ec2:RunInstances", "ec2:TerminateInstances", "ec2:CreateVolume", "ec2:DescribeVolumes", "ec2:AttachVolume", "ec2:DeleteVolume", "ec2:ModifyInstanceAttribute", "ec2:ImportKeyPair" ], "Resource": "*" }, { "Sid": "directorKms", "Effect": "Allow", "Action": [ "kms:DescribeKey" ], "Resource": "*" }, { "Sid": "directorIam", "Effect": "Allow", "Action": [ "iam:GetInstanceProfile", "iam:PassRole" ], "Resource": "*" }, { "Sid": "directorRds", "Effect": "Allow", "Action": [ "rds:CreateDBInstance", "rds:DeleteDBInstance", "rds:DescribeDBInstances", "rds:DescribeDBEngineVersions", "rds:DescribeDBSecurityGroups" ], "Resource": "*" }, { "Sid": "directorSts", "Action": [ "sts:DecodeAuthorizationMessage" ], "Effect": "Allow", "Resource": "*" } ] }