AWS – Allow User to Start and Stop EC2 Instance

amazon-ec2, amazon-iam, amazon-web-services

I'm having trouble creating an IAM policy for a specific user to grant privileges to start and stop an EC2 instance.

I have tried several ways but I can't find the error.

This is my policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1468227127000",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1468227157000",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": [
                "arn:aws:ec2:region:user:instance/instance-ID"
            ]
        }
    ]
}

As I have read, I am unable to describe only one instance. In the first part I describe all my EC2 instances and it works, but in the second part I allow the user to start and stop one instance, and I can't start it.

Best Answer

This one works well for me. Please note I added some quite useful (from my standpoint) actions; of course, feel free to remove them if not needed:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeTags"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances"
            ],
            "Resource": "arn:aws:ec2:us-east-1:361111111111:instance/i-0e411111111111111"
        }
    ]
}

Here 361111111111 is the Account ID as you see it in the account settings; i-0e411111111111111 is exactly the instance ID (it should start with i-) and can be found in the top-left row of the Description tab of the instance.

Please note the region is given without the availability zone.

For curious people: I tried to limit the ec2:Describe* actions to arn:aws:ec2:us-east-1:361111111111:instance/*, but this does not work. I removed the rightmost parts until it worked, and it turns out that only "*" works.
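As an added example (not code from the question or the answer), here is a small Python script that builds this policy from the three identifiers the answer explains (region without availability zone, 12-digit account ID, instance ID starting with i-) and lints a policy document for the mistakes visible in the question: placeholder words left in the ARN and, more generally, Describe actions scoped to an ARN instead of "*" or lifecycle actions scoped to "*". The regular expressions are simplified assumptions, the identifiers are the answer's sample values, and nothing here calls AWS.

```python
"""Build and lint an IAM policy that lets one user start/stop a single EC2 instance.

Added example, not from the question or the answer. Runs offline: it only
manipulates the policy document and never calls AWS.
"""
import json
import re

# Simplified identifier patterns (assumptions, sufficient for a sanity check).
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")                            # 12-digit account ID
INSTANCE_ID_RE = re.compile(r"^i-(?:[0-9a-f]{8}|[0-9a-f]{17})$")    # i- plus 8 or 17 hex digits
REGION_RE = re.compile(r"^[a-z]{2}(?:-gov)?-[a-z]+-\d$")            # us-east-1, not us-east-1a

# ec2:Describe* calls do not support resource-level permissions, so they need Resource "*".
DESCRIBE_ACTIONS = ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeTags"]
LIFECYCLE_ACTIONS = ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"]


def instance_arn(region, account_id, instance_id):
    """Return the instance ARN, refusing placeholders and AZ-suffixed regions."""
    if not REGION_RE.match(region):
        raise ValueError(f"bad region {region!r}: use e.g. us-east-1, without the AZ letter")
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"bad account ID {account_id!r}: expected 12 digits")
    if not INSTANCE_ID_RE.match(instance_id):
        raise ValueError(f"bad instance ID {instance_id!r}: expected i- plus hex digits")
    return f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}"


def build_policy(region, account_id, instance_ids):
    """Describe actions on "*" (required); lifecycle actions only on the listed instances."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": DESCRIBE_ACTIONS, "Resource": "*"},
            {"Effect": "Allow", "Action": LIFECYCLE_ACTIONS,
             "Resource": [instance_arn(region, account_id, i) for i in instance_ids]},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return human-readable problems; an empty list means the policy passes these checks."""
    problems = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        describes = [a for a in actions if a.lower().startswith("ec2:describe")]
        others = [a for a in actions if a not in describes]
        if describes and resources != ["*"]:
            problems.append(f"statement {idx}: {describes} only work with Resource \"*\"")
        if others and "*" in resources:
            problems.append(f"statement {idx}: {others} on \"*\" cover every instance; scope to ARNs")
        for res in resources:
            if res == "*" or not res.startswith("arn:aws:ec2:"):
                continue
            parts = res.split(":", 5)  # arn:aws:ec2:region:account:resource-type/id
            if len(parts) != 6:
                problems.append(f"statement {idx}: malformed ARN {res!r}")
                continue
            region, account, resource = parts[3], parts[4], parts[5]
            if region != "*" and not REGION_RE.match(region):
                problems.append(f"statement {idx}: region {region!r} should look like us-east-1")
            if account != "*" and not ACCOUNT_ID_RE.match(account):
                problems.append(f"statement {idx}: account {account!r} should be 12 digits")
            if resource.startswith("instance/"):
                iid = resource.split("/", 1)[1]
                if iid != "*" and not INSTANCE_ID_RE.match(iid):
                    problems.append(f"statement {idx}: instance ID {iid!r} should be i- plus hex digits")
    return problems


# The question's policy with its placeholder words left in place (reconstructed from the post).
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": ["arn:aws:ec2:region:user:instance/instance-ID"]},
    ],
}

if __name__ == "__main__":
    for problem in lint_policy(QUESTION_POLICY):
        print("question policy:", problem)
    fixed = build_policy("us-east-1", "361111111111", ["i-0e411111111111111"])
    print(json.dumps(fixed, indent=4))
    print("fixed policy problems:", lint_policy(fixed))
```

Running it reports the three placeholder values in the question's ARN, prints a policy equivalent to the answer's, and shows that the generated policy passes the checks. Keeping the Describe statement on "*" while scoping Start/Stop/Reboot to explicit instance ARNs is the least-privilege shape the answer arrives at; the linter flags both directions of drift from it.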