Missing IAM permissions needed to run test kitchen in documentation.
voroniys opened this issue · 3 comments
voroniys commented
It would be really great if you could include in the documentation the set of IAM permissions required to run the kitchen instance.
cheeseplus commented
If you could elaborate a bit that would be helpful but I think we've got that covered by https://github.com/test-kitchen/kitchen-ec2#iam_profile_name. If not please add more detail.
voroniys commented
Hi,
I mean the minimum IAM role permissions needed to create and delete a kitchen instance. ATM I'm using the following one:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BastionPolicy",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:StartInstances",
                "ec2:RunInstances",
                "ec2:RequestSpotInstances",
                "ec2:RebootInstances",
                "ec2:ModifyVolume",
                "ec2:ImportKeyPair",
                "ec2:DisassociateIamInstanceProfile",
                "ec2:DisassociateAddress",
                "ec2:DetachNetworkInterface",
                "ec2:DescribeVolumes",
                "ec2:DescribeTags",
                "ec2:DescribeSubnets",
                "ec2:DescribeSpotInstanceRequests",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeRegions",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeImages",
                "ec2:DescribeAvailabilityZones",
                "ec2:DeleteTags",
                "ec2:DeleteNetworkInterface",
                "ec2:CreateVolume",
                "ec2:CreateTags",
                "ec2:CreateNetworkInterface",
                "ec2:CancelSpotInstanceRequests",
                "ec2:AttachVolume",
                "ec2:AssociateIamInstanceProfile",
                "ec2:AssociateAddress",
                "ec2:AssignPrivateIpAddresses"
            ],
            "Resource": "*"
        },
        {
            "Sid": "BastionIAMPolicy",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/*"
        }
    ]
}
but I'm not sure this is a good one, or better to say, I'm sure it has too many permissions in it.
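The policy in the comment above grants every action on `Resource: "*"` and lets `iam:PassRole` hand any role to any AWS service. As an added example (not code from the issue author or from the kitchen-ec2 project), the script below loads a copy of that policy, reports the two least-privilege concerns a reviewer would raise, and produces a tightened copy that restricts `iam:PassRole` with the real `iam:PassedToService` condition key so the role can only be passed to EC2. The read-only/mutating split is a heuristic on the action name prefix (assumed here, not an IAM concept); the ec2 mutating actions are left on `"*"` because the ARN set each one needs (image, subnet, security group, key pair, instance) differs per action and is not stated in the thread.

```python
import copy
import json

# Copy of the policy posted in the issue, embedded here as sample input.
ISSUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BastionPolicy",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances", "ec2:StopInstances", "ec2:StartInstances",
                "ec2:RunInstances", "ec2:RequestSpotInstances", "ec2:RebootInstances",
                "ec2:ModifyVolume", "ec2:ImportKeyPair",
                "ec2:DisassociateIamInstanceProfile", "ec2:DisassociateAddress",
                "ec2:DetachNetworkInterface", "ec2:DescribeVolumes", "ec2:DescribeTags",
                "ec2:DescribeSubnets", "ec2:DescribeSpotInstanceRequests",
                "ec2:DescribeSecurityGroups", "ec2:DescribeRegions", "ec2:DescribeKeyPairs",
                "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeImages",
                "ec2:DescribeAvailabilityZones", "ec2:DeleteTags",
                "ec2:DeleteNetworkInterface", "ec2:CreateVolume", "ec2:CreateTags",
                "ec2:CreateNetworkInterface", "ec2:CancelSpotInstanceRequests",
                "ec2:AttachVolume", "ec2:AssociateIamInstanceProfile",
                "ec2:AssociateAddress", "ec2:AssignPrivateIpAddresses",
            ],
            "Resource": "*",
        },
        {
            "Sid": "BastionIAMPolicy",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/*",
        },
    ],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """Heuristic (assumption): Describe*/List*/Get* calls only return information."""
    name = action.split(":", 1)[1]
    return name.startswith(("Describe", "List", "Get"))


def mutating_actions(policy):
    """All Allow-ed actions that can change state, sorted and de-duplicated."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            found.update(a for a in _as_list(stmt["Action"]) if not is_read_only(a))
    return sorted(found)


def audit_policy(policy):
    """Return (Sid, finding) pairs for statements that grant more than they need."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt.get("Resource", []))
        has_condition = bool(stmt.get("Condition"))
        mutating = [a for a in actions if not is_read_only(a)]
        # State-changing actions on every resource, with nothing narrowing them down.
        if "*" in resources and mutating and not has_condition:
            findings.append((sid, f"{len(mutating)} mutating actions on Resource '*' with no Condition"))
        # Unconditioned PassRole lets the caller attach any matching role to any service.
        if "iam:PassRole" in actions and not has_condition:
            findings.append((sid, "iam:PassRole with no iam:PassedToService condition"))
    return findings


def tighten_passrole(policy, service="ec2.amazonaws.com"):
    """Return a copy in which iam:PassRole may only pass roles to `service`."""
    tightened = copy.deepcopy(policy)
    for stmt in tightened["Statement"]:
        if "iam:PassRole" in _as_list(stmt["Action"]):
            cond = stmt.setdefault("Condition", {})
            cond.setdefault("StringEquals", {})["iam:PassedToService"] = service
    return tightened


if __name__ == "__main__":
    for sid, finding in audit_policy(ISSUE_POLICY):
        print(f"{sid}: {finding}")
    print(json.dumps(tighten_passrole(ISSUE_POLICY)["Statement"][1], indent=2))
```

Running it lists the two findings and prints the tightened `BastionIAMPolicy` statement; the remaining finding on `BastionPolicy` is the one that still needs a per-action resource scope or tag condition before the policy can be called minimal.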
cheeseplus commented
and
Each denotes IAM permissions somewhat; if you'd like to have this in the documentation then a PR would be great.