
Commit 79229c6

committed
Add example IAM policies with minimum permissions to deploy and destroy Nebari on AWS
1 parent 51d2bd6 commit 79229c6

2 files changed

+499
-0
lines changed

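--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,283 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateTags",
+"ec2:DescribeAvailabilityZones",
+"ec2:DescribeInstanceTypes",
+"ec2:DescribeInternetGateways",
+"ec2:DescribeNetworkAcls",
+"ec2:DescribeRegions",
+"ec2:DescribeRouteTables",
+"ec2:DescribeSecurityGroups",
+"ec2:DescribeSubnets",
+"ec2:DescribeVpcs",
+"eks:CreateCluster",
+"eks:DescribeAddonVersions",
+"elasticfilesystem:CreateFileSystem",
+"iam:GetOpenIDConnectProvider",
+"iam:GetPolicy",
+"iam:GetPolicyVersion",
+"iam:TagOpenIDConnectProvider",
+"kms:CreateKey",
+"kms:DescribeKey",
+"kms:ListKeys",
+"resource-groups:CreateGroup",
+"sts:GetCallerIdentity"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"s3:CreateBucket",
+"s3:GetAccelerateConfiguration",
+"s3:GetBucketAcl",
+"s3:GetBucketCORS",
+"s3:GetBucketLogging",
+"s3:GetBucketObjectLockConfiguration",
+"s3:GetBucketPolicy",
+"s3:GetBucketPublicAccessBlock",
+"s3:GetBucketRequestPayment",
+"s3:GetBucketTagging",
+"s3:GetBucketVersioning",
+"s3:GetBucketWebsite",
+"s3:GetEncryptionConfiguration",
+"s3:GetLifecycleConfiguration",
+"s3:GetReplicationConfiguration",
+"s3:ListBucket",
+"s3:PutBucketPublicAccessBlock",
+"s3:PutBucketTagging",
+"s3:PutBucketVersioning",
+"s3:PutEncryptionConfiguration"
+],
+"Resource": "arn:aws:s3:::PROJECT_NAME-NAMESPACE-terraform-state"
+},
+{
+"Effect": "Allow",
+"Action": [
+"dynamodb:CreateTable",
+"dynamodb:DeleteItem",
+"dynamodb:DescribeContinuousBackups",
+"dynamodb:DescribeTable",
+"dynamodb:DescribeTimeToLive",
+"dynamodb:GetItem",
+"dynamodb:ListTagsOfResource",
+"dynamodb:PutItem",
+"dynamodb:TagResource"
+],
+"Resource": "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/PROJECT_NAME-NAMESPACE-terraform-state-lock"
+},
+{
+"Effect": "Allow",
+"Action": [
+"kms:EnableKeyRotation",
+"kms:GetKeyPolicy",
+"kms:GetKeyRotationStatus",
+"kms:ListResourceTags"
+],
+"Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ecr:CreateRepository",
+"ecr:DescribeRepositories",
+"ecr:ListTagsForResource",
+"ecr:TagResource"
+],
+"Resource": "arn:aws:ecr:REGION:ACCOUNT_ID:repository/PROJECT_NAME-NAMESPACE-jupyterlab"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateVpc",
+"ec2:DescribeVpcAttribute",
+"ec2:ModifyVpcAttribute"
+],
+"Resource": "arn:aws:ec2:REGION:ACCOUNT_ID:vpc/*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"iam:AttachRolePolicy",
+"iam:CreateRole",
+"iam:GetRole",
+"iam:ListAttachedRolePolicies",
+"iam:ListRolePolicies",
+"iam:TagRole"
+],
+"Resource": "arn:aws:iam::ACCOUNT_ID:role/*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"iam:CreatePolicy"
+],
+"Resource": "arn:aws:iam::ACCOUNT_ID:policy/*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"resource-groups:GetGroup",
+"resource-groups:GetGroupConfiguration",
+"resource-groups:GetGroupQuery",
+"resource-groups:GetTags",
+"resource-groups:Tag"
+],
+"Resource": "arn:aws:resource-groups:REGION:ACCOUNT_ID:group/PROJECT_NAME"
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticfilesystem:CreateMountTarget",
+"elasticfilesystem:DescribeFileSystems",
+"elasticfilesystem:DescribeLifecycleConfiguration",
+"elasticfilesystem:TagResource"
+],
+"Resource": "arn:aws:elasticfilesystem:REGION:ACCOUNT_ID:file-system/*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateSubnet"
+],
+"Resource": [
+"arn:aws:ec2:REGION:ACCOUNT_ID:subnet/*",
+"arn:aws:ec2:REGION:ACCOUNT_ID:vpc/*"
+]
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateInternetGateway"
+],
+"Resource": "arn:aws:ec2:REGION:ACCOUNT_ID:internet-gateway/*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:AuthorizeSecurityGroupEgress",
+"ec2:AuthorizeSecurityGroupIngress",
+"ec2:CreateSecurityGroup",
+"ec2:RevokeSecurityGroupEgress"
+],
+"Resource": [
+"arn:aws:ec2:REGION:ACCOUNT_ID:security-group/*",
+"arn:aws:ec2:REGION:ACCOUNT_ID:vpc/*"
+]
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:AttachInternetGateway"
+],
+"Resource": [
+"arn:aws:ec2:REGION:ACCOUNT_ID:internet-gateway/*",
+"arn:aws:ec2:REGION:ACCOUNT_ID:vpc/*"
+]
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:AssociateRouteTable",
+"ec2:ModifySubnetAttribute"
+],
+"Resource": "arn:aws:ec2:REGION:ACCOUNT_ID:subnet/*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateRouteTable"
+],
+"Resource": [
+"arn:aws:ec2:REGION:ACCOUNT_ID:route-table/*",
+"arn:aws:ec2:REGION:ACCOUNT_ID:vpc/*"
+]
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:AssociateRouteTable",
+"ec2:CreateRoute"
+],
+"Resource": "arn:aws:ec2:REGION:ACCOUNT_ID:route-table/*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"iam:PassRole"
+],
+"Resource": "arn:aws:iam::ACCOUNT_ID:role/PROJECT_NAME-NAMESPACE-eks-cluster-role"
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticfilesystem:DescribeMountTargetSecurityGroups",
+"elasticfilesystem:DescribeMountTargets"
+],
+"Resource": "arn:aws:elasticfilesystem:REGION:ACCOUNT_ID:file-system/*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"eks:CreateAddon",
+"eks:CreateNodegroup",
+"eks:DescribeCluster",
+"eks:ListNodegroups",
+"eks:TagResource"
+],
+"Resource": "arn:aws:eks:REGION:ACCOUNT_ID:cluster/PROJECT_NAME-NAMESPACE"
+},
+{
+"Effect": "Allow",
+"Action": [
+"iam:PassRole"
+],
+"Resource": "arn:aws:iam::ACCOUNT_ID:role/PROJECT_NAME-NAMESPACE-eks-node-group-role"
+},
+{
+"Effect": "Allow",
+"Action": [
+"eks:DescribeNodegroup"
+],
+"Resource": "arn:aws:eks:REGION:ACCOUNT_ID:nodegroup/PROJECT_NAME-NAMESPACE/*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"eks:DescribeAddon"
+],
+"Resource": "arn:aws:eks:REGION:ACCOUNT_ID:addon/PROJECT_NAME-NAMESPACE/*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"iam:CreateOpenIDConnectProvider"
+],
+"Resource": "arn:aws:iam::ACCOUNT_ID:oidc-provider/*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"autoscaling:CreateOrUpdateTags"
+],
+"Resource": "arn:aws:autoscaling:REGION:ACCOUNT_ID:autoScalingGroup:*:autoScalingGroupName/*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"s3:GetObject",
+"s3:GetObjectTagging",
+"s3:GetObjectVersion",
+"s3:ListMultipartUploadParts",
+"s3:PutObject",
+"s3:PutObjectAcl",
+"s3:PutObjectTagging"
+],
+"Resource": "arn:aws:s3:::PROJECT_NAME-NAMESPACE-terraform-state/*"
+}
+]
+}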
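Review bot: The statement granting `iam:AttachRolePolicy`, `iam:CreateRole` and `iam:TagRole` on `arn:aws:iam::ACCOUNT_ID:role/*` (the statement just before the `iam:CreatePolicy` one) is where this policy stops being minimum-permission: it allows the deploying principal to create any role in the account and attach any managed policy to it, which is the well-known role/policy escalation pattern rather than anything Nebari needs. The two `iam:PassRole` statements already pin the role names to `PROJECT_NAME-NAMESPACE-eks-cluster-role` and `PROJECT_NAME-NAMESPACE-eks-node-group-role`, so the same scoping fits here: `"Resource": "arn:aws:iam::ACCOUNT_ID:role/PROJECT_NAME-NAMESPACE-*"`, plus a `"Condition": {"ArnLike": {"iam:PolicyARN": [ ... ]}}` on `iam:AttachRolePolicy` listing only the managed policies the Terraform actually attaches (that list is not on the page and would include the AWS-managed EKS policies as well as `arn:aws:iam::ACCOUNT_ID:policy/PROJECT_NAME-NAMESPACE-*`). The `iam:CreatePolicy` statement on `policy/*` can be narrowed to the same `PROJECT_NAME-NAMESPACE-*` prefix, since it feeds the same chain. Strict JSON cannot carry a comment, so the documentation page that embeds this file should state the placeholder convention (`PROJECT_NAME`, `NAMESPACE`, `REGION`, `ACCOUNT_ID`) and that this file covers deploy only; the second changed file is not shown on this page, so I cannot confirm it is the destroy-side policy.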
