Skip to content

Instantly share code, notes, and snippets.

@ogrodnek

ogrodnek/packer-permissions.json

Created September 19, 2016 17:25
Show Gist options
  • Save ogrodnek/00419e085d2d915b262e7f1fe42626d0 to your computer and use it in GitHub Desktop.
Save ogrodnek/00419e085d2d915b262e7f1fe42626d0 to your computer and use it in GitHub Desktop.
Download ZIP
packer IAM permissions
Raw
packer-permissions.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "NonResourceBasedReadOnlyPermissions",
"Action": [
"ec2:DescribeSubnets",
"ec2:DescribeSnapshots",
"ec2:DescribeImages",
"ec2:DescribeVolumes",
"ec2:DescribeInstances"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "NonResourceBasedWritePermissions",
"Action": [
"ec2:CopyImage",
"ec2:CreateImage",
"ec2:CreateKeyPair",
"ec2:CreateSecurityGroup",
"ec2:CreateSnapshot",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteKeypair",
"ec2:DeleteSnapshot",
"ec2:ModifyImageAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:RegisterImage"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "IAMPassroleToInstance",
"Action": [
"iam:PassRole"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::$ACCOUNT_ID:role/packer-inflight-role"
},
{
"Sid": "AllowInstanceActions",
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": "arn:aws:ec2:$REGION:$ACCOUNT_ID:instance/*",
"Condition": {
"StringEquals": {
"ec2:InstanceProfile": "arn:aws:iam::$ACCOUNT_ID:instance-profile/packer-inflight-role"
}
}
},
{
"Sid": "EC2RunInstances",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:$REGION:$ACCOUNT_ID:instance/*",
"Condition": {
"StringEquals": {
"ec2:InstanceProfile": "arn:aws:iam::$ACCOUNT_ID:instance-profile/packer-inflight-role"
}
}
},
{
"Sid": "EC2RunInstancesSubnet",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:$REGION:$ACCOUNT_ID:subnet/*",
"Condition": {
"StringEquals": {
"ec2:vpc": "arn:aws:ec2:$REGION:$ACCOUNT_ID:vpc/$VPC_ID"
}
}
},
{
"Sid": "RemainingRunInstancePermissions",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:$REGION:$ACCOUNT_ID:volume/*",
"arn:aws:ec2:$REGION::image/*",
"arn:aws:ec2:$REGION::snapshot/*",
"arn:aws:ec2:$REGION:$ACCOUNT_ID:network-interface/*",
"arn:aws:ec2:$REGION:$ACCOUNT_ID:key-pair/*",
"arn:aws:ec2:$REGION:$ACCOUNT_ID:security-group/*",
"arn:aws:ec2:$REGION:$ACCOUNT_ID:subnet/*"
]
},
{
"Sid": "EC2VpcNonresourceSpecificActions",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DeleteSecurityGroup"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:vpc": "arn:aws:ec2:$REGION:$ACCOUNT_ID:vpc/$VPC_ID"
}
}
}
]
}
@DaveB93
Copy link

DaveB93 commented Dec 21, 2017

Hey, this isn't currently working I needed to add ec2:DescribeSecurityGroups ( and probably more, still getting errors ) do you happen to have an up to date version ?

@deybhayden
Copy link

I added ec2:DescribeSecurityGroups, and then made sure that the VPC condition was ec2:Vpc (V capitalized), then filled in all the $ vars for my infrastructure and the policy worked for me.

@DaveB93
Copy link

DaveB93 commented Jan 18, 2018

I needed to add "ec2:DescribeImageAttribute",
"ec2:DescribeInstanceStatus",
"ec2:DescribeRegions",
"ec2:DescribeTags",
"ec2:DescribeSecurityGroups",

            "ec2:DeleteVolume",
            "ec2:DeregisterImage",
            "ec2:GetPasswordData",
            "ec2:ModifySnapshotAttribute"

@TimJDFletcher
Copy link

Forked and reworked this slightly here: https://gist.github.com/TimJDFletcher/dee9dbc51ca85cf0bba50e82090bac6b

This policy adds restictions on the size of the instances that can be started
This policy includes the additional "ec2:DescribeSecurityGroups" perms needed
Also changes vpc to Vpc

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment