Creating AWS Identity and Access Management (IAM) Policies
In AWS, IAM policy documents control access to resources in a VPC. IAM roles allow EC2 instances to make API requests without the need to store or distribute AWS credentials (accessKey and secretAccessKey).
For more information about IAM, see the following topics in the AWS documentation:
- For an introduction to IAM, see AWS Identity and Access Management User Guide.
- For instructions on how to create an IAM role, see Creating a Role to Delegate Permissions to an AWS Service.
- For information on using IAM policies to manage access to Amazon RDS resources, see Using Identity-Based Policies (IAM Policies) for Amazon RDS.
- For information on constructing Amazon Resource Names (ARNs) for Amazon RDS resources, see Working with Amazon Resource Names (ARNs) in Amazon RDS.
Use the AWS Policy Generator to create the IAM policy document, keeping in mind the following requirements:
- For EC2, Altus Director requires permissions for the following methods:
- CreateTags
- DescribeAvailabilityZones
- DescribeImages
- DescribeInstanceStatus
- DescribeInstances
- DescribeKeyPairs
- DescribePlacementGroups
- DescribeRegions
- DescribeSecurityGroups
- DescribeNetworkAcls
- DescribeSubnets
- DescribeInstanceAttribute
- RunInstances
- TerminateInstances
- To use the PROVIDER SSH host key retrieval type, the following additional EC2 permission is required:
- GetConsoleOutput
- To use EBS volumes, the following additional EC2 permissions are required:
- CreateVolume
- DescribeVolumes
- AttachVolume
- DeleteVolume
- ModifyInstanceAttribute
- To use the importKeyPairIfMissing property, Altus Director requires the following EC2 permission:
- ImportKeyPair
- To use spot instances, the following additional EC2 permissions are required:
- RequestSpotInstances
- CancelSpotInstanceRequests
- DescribeSpotInstanceRequests
- When working with encrypted EBS volumes (including AMIs with encrypted volumes) that use a custom key stored in KMS, Altus Director also requires the following KMS permissions:
- DescribeKey
- CreateGrant
- ReEncrypt
- GenerateDataKey
- To validate the templates used for EC2 instance creation, Altus Director requires permissions for the following IAM method:
- GetInstanceProfile
- To create instances with instance profiles, Altus Director requires permissions for the following IAM method:
- PassRole
- To create RDS database servers for persistence on demand, Altus Director requires permissions for the following methods:
- CreateDBInstance
- DeleteDBInstance
- DescribeDBInstances
- DescribeDBEngineVersions
- DescribeDBSubnetGroups
- To use Auto Scaling groups, Altus Director requires permissions for the following methods:
- CreateAutoScalingGroup
- DeleteAutoScalingGroup
- DescribeAutoScalingGroups
- DescribeAutoScalingInstances
- DetachInstances
- SuspendProcesses
- TerminateInstanceInAutoScalingGroup
- UpdateAutoScalingGroup
Example IAM Policy
The following example IAM policy shows the format to use with Altus Director. Your Amazon Resource Name (ARN) will be different. For more information on ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS documentation.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "directorEc2",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeKeyPairs",
        "ec2:DescribePlacementGroups",
        "ec2:DescribeRegions",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeSubnets",
        "ec2:DescribeInstanceAttribute",
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:GetConsoleOutput",
        "ec2:CreateVolume",
        "ec2:DescribeVolumes",
        "ec2:AttachVolume",
        "ec2:DeleteVolume",
        "ec2:ModifyInstanceAttribute",
        "ec2:ImportKeyPair",
        "ec2:RequestSpotInstances",
        "ec2:CancelSpotInstanceRequests",
        "ec2:DescribeSpotInstanceRequests"
      ],
      "Resource": "*"
    },
    {
      "Sid": "directorKms",
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:CreateGrant",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "directorIam",
      "Effect": "Allow",
      "Action": [
        "iam:GetInstanceProfile",
        "iam:PassRole"
      ],
      "Resource": "*"
    },
    {
      "Sid": "directorRds",
      "Effect": "Allow",
      "Action": [
        "rds:CreateDBInstance",
        "rds:DeleteDBInstance",
        "rds:DescribeDBInstances",
        "rds:DescribeDBEngineVersions",
        "rds:DescribeDBSubnetGroups"
      ],
      "Resource": "*"
    }
  ]
}
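As an added example (not Cloudera's code and not part of this documentation), the following Python script checks a policy document against the per-feature action lists above, honouring IAM's `*` action wildcards, so you can confirm a policy is sufficient for the features you enable before attaching it. The required-action lists are the page's; the `autoscaling:` service prefix is supplied here because the page lists those methods without one, and the sample policy is a constructed, trimmed variant of the page's example.

```python
import fnmatch
import json
# Required actions per feature, as listed on this page. Features beyond "core"
# are opt-in, so check only the ones the deployment actually uses.
REQUIRED = {
    "core": ["ec2:CreateTags", "ec2:DescribeAvailabilityZones", "ec2:DescribeImages",
             "ec2:DescribeInstanceStatus", "ec2:DescribeInstances", "ec2:DescribeKeyPairs",
             "ec2:DescribePlacementGroups", "ec2:DescribeRegions", "ec2:DescribeSecurityGroups",
             "ec2:DescribeNetworkAcls", "ec2:DescribeSubnets", "ec2:DescribeInstanceAttribute",
             "ec2:RunInstances", "ec2:TerminateInstances", "iam:GetInstanceProfile", "iam:PassRole"],
    "ebs": ["ec2:CreateVolume", "ec2:DescribeVolumes", "ec2:AttachVolume",
            "ec2:DeleteVolume", "ec2:ModifyInstanceAttribute"],
    "kms": ["kms:DescribeKey", "kms:CreateGrant", "kms:ReEncrypt", "kms:GenerateDataKey"],
    "autoscaling": ["autoscaling:CreateAutoScalingGroup", "autoscaling:DeleteAutoScalingGroup",
                    "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances",
                    "autoscaling:DetachInstances", "autoscaling:SuspendProcesses",
                    "autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup"],
}

def allowed_actions(policy):
    """Collect the Action entries (string or list) of every Allow statement.
    Deny statements are ignored here; a production checker should honour them."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns

def missing_actions(policy, features):
    """Return the required actions that no Allow pattern matches. IAM action names
    are case-insensitive and may carry '*' wildcards (kms:ReEncrypt*), so compare
    lower-cased with glob matching."""
    patterns = [p.lower() for p in allowed_actions(policy)]
    return [action for feature in features for action in REQUIRED[feature]
            if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)]
# Constructed sample: a trimmed version of the page's example policy. It covers
# EC2, EBS, KMS and IAM but, like the page's policy, has no Auto Scaling statement.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "directorEc2", "Effect": "Allow", "Resource": "*", "Action": [
     "ec2:Describe*", "ec2:CreateTags", "ec2:RunInstances", "ec2:TerminateInstances",
     "ec2:CreateVolume", "ec2:AttachVolume", "ec2:DeleteVolume", "ec2:ModifyInstanceAttribute"]},
  {"Sid": "directorKms", "Effect": "Allow", "Resource": "*", "Action": [
     "kms:DescribeKey", "kms:CreateGrant", "kms:ReEncrypt*", "kms:GenerateDataKey*"]},
  {"Sid": "directorIam", "Effect": "Allow", "Resource": "*", "Action": [
     "iam:GetInstanceProfile", "iam:PassRole"]}]}""")

if __name__ == "__main__":
    print(missing_actions(SAMPLE_POLICY, ["core", "ebs", "kms", "autoscaling"]))
```

Run against the sample, the script reports only the eight Auto Scaling actions as missing, which is what you would expect to see before adding an `autoscaling` statement for deployments that use Auto Scaling groups.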