Required IAM permissions for ec2.requestSpotInstances

amazon ec2amazon-iam

I'm trying to set permissions on an IAM role that will submit a new spot instance request if needed. It will be used by a Lambda function.

The code does the following AWS API calls:

ec2.describeSpotInstanceRequests
ec2.requestSpotInstances
ec2.createTags

And I created for it the following policy (after trying a lot of other options…):

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "Stmt1437749945000",
        "Effect": "Allow",
        "Action": [
            "ec2:Describe*",
            "ec2:RequestSpotInstances",
            "ec2:RunInstances",
            "ec2:CreateTags",
            "iam:List*"
        ],
        "Resource": [
            "*"
        ]
    }
]

}

If I add iam:* it works, but obviously I don't want to do that..

Can anyone help me guessing what permission it really needs? Does anyone know of a map between AWS API calls and all required permissions?

Best Answer

There is usually a one-to-one correspondence between ec2 API functions and the permissions. So most of what you have in your policy is fine.

You need to add the iam:PassRole permission. This is because your spot request is probably supplying an IAM role for your new EC2 Instances to run with.

The iam:PassRole permission is needed because your lambda role is potentially creating an instance with higher permissions than itself has. This could lead to dangerous security scenarios. So this extra permission is needed and usually it is restricted to a finite list of roles it can assign using the Resource property.

Related Solutions

What permissions in IAM do i need to start EC2 instances with chef knife

Q1: I had to debug knife-ec2 gem in order to find out the minimal IAM permissions required to start an EC2 instance. Here is the minimal policy:

{
  "Statement": [
    {
      "Sid": "Stmt123",
      "Action": [
        "ec2:RunInstances",
        "ec2:DescribeInstances",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeImages",
        "ec2:CreateTags",
        "ec2:DescribeTags"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ]
}

Please note the Sid should be unique.

Q2: My knowledge of Ruby is quite limited so possibly there is not convenient way for debugging. Personally I used binding.pry as a debugger. Please refer to the following article for more info.

Change in IAM role for EC2 instance not affecting already running EC2 instance

After many different approaches, it turned out that limiting my policy for a single queue was causing all the problems. I assumed that when policy applies to single queue and you do ListTopics, then you will get just the topic you have access to. However, my SNS had several other topics and most probably their existence in ListTopics result was considered a violation of policy. When I replaced particular topic name with '*' and saved the policy, then immidiatelly (no need for expiration of credentials or EC2 instance restarts) it started working.

Best Answer

Related Solutions

What permissions in IAM do i need to start EC2 instances with chef knife

Change in IAM role for EC2 instance not affecting already running EC2 instance

Related Topic