Creating an AWS policy for the platform

To create an AWS policy in the platform, follow these steps:

  1. First, log in to the AWS Console using this link.
  2. Once you are logged in, navigate to the IAM (Identity and Access Management) service.
  3. In the IAM dashboard, click on “Policies” in the left-hand menu.
  4. Click on the “Create policy” button to create a new policy.
  5. Select the “JSON” tab.
  6. Copy and paste the provided JSON code below into the policy editor.

Policy Content

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRunInstances",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:key-pair/*"
      ]
    },
    {
      "Sid": "AllowEc2WithRestrictions",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume",
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Owner": "1p-agent"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "Owner",
            "Name",
            "Environment"
          ]
        }
      }
    },
    {
      "Sid": "AllowFunctionsWithRestrictions",
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:StartInstances",
        "ec2:DeleteSecurityGroup",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
        "ec2:UpdateSecurityGroupRuleDescriptionsEgress"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:security-group/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Owner": "1p-agent"
        }
      }
    },
    {
      "Sid": "AllowFunctions1p",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:CreateSecurityGroup",
        "ec2:Describe*",
        "rds:Describe*",
        "elasticache:Describe*",
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Manage1pAccessKeys",
      "Effect": "Allow",
      "Action": [
        "iam:get*"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "SsmAllRegionsToAMis",
      "Effect": "Allow",
      "Action": "ssm:*",
      "Resource": [
        "arn:aws:s3:::*",
        "arn:aws:ssm:*:*:opsmetadata/*",
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ssm:*:*:parameter/*"
      ]
    }
  ]
}

After creating the policy, follow the steps below to create a user named “1p-agent” and attach the policy to that user in the IAM service of the AWS Console:

  1. Click on this link to access the AWS Console.
  2. Click on “Policy actions”, then “Attach”.
  3. Attach the policy to the user “1p-agent”.

The policy you created allows the following actions:

  • EC2: Provisioning, controlling, and administering instances that carry the specified tag “1P”. The agent does not use a KeyPair.

  • RDS, ElastiCache, EC2, IAM, CloudWatch, and S3: Grants permission for List and Get (read-only) request types on these services.

  • EKS (Amazon Elastic Kubernetes Service) Full Access (optional): If you included this permission, it provides full access to the Amazon EKS service, allowing the user to manage Kubernetes clusters and related resources.
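The tag conditions are what keep the policy above scoped to the agent's own resources: a StringEquals on aws:RequestTag/Owner at creation time, a ForAllValues:StringEquals on aws:TagKeys that rejects unlisted tag keys, and a StringEquals on ec2:ResourceTag/Owner for lifecycle actions. The evaluator below is an added example, not part of this page or of the platform; it embeds a constructed subset of the policy (the two tag-scoped statements) and models only the operators that policy uses, so you can check which requests each statement admits before attaching it.

```python
from fnmatch import fnmatchcase

# Constructed subset of the page's policy (example code, not the page's own):
# only the two tag-scoped statements, so the evaluator stays short.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowEc2WithRestrictions", "Effect": "Allow",
     "Action": ["ec2:CreateVolume", "ec2:RunInstances"],
     "Resource": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*"],
     "Condition": {"StringEquals": {"aws:RequestTag/Owner": "1p-agent"},
                   "ForAllValues:StringEquals": {"aws:TagKeys": ["Owner", "Name", "Environment"]}}},
    {"Sid": "AllowFunctionsWithRestrictions", "Effect": "Allow",
     "Action": ["ec2:TerminateInstances", "ec2:StopInstances"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/Owner": "1p-agent"}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    # IAM Action/Resource patterns use "*" and "?" wildcards
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_met(cond, ctx):
    """ctx maps condition keys to a string or, for multi-valued keys such as
    aws:TagKeys, a list. Only the two operators the page's policy uses are modelled."""
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            wanted, present = _as_list(wanted), ctx.get(key)
            if op == "StringEquals":
                # an absent key fails; a present value must be in the wanted set
                if present is None or not any(v in wanted for v in _as_list(present)):
                    return False
            elif op == "ForAllValues:StringEquals":
                # set operator: every request value must be allowed; an absent or
                # empty key passes vacuously, which is why the policy also requires
                # RequestTag/Owner through the StringEquals above
                if not all(v in wanted for v in _as_list(present or [])):
                    return False
            else:
                raise ValueError(f"operator not modelled: {op}")
    return True

def is_allowed(policy, action, resource, ctx):
    """Return the Sid of the first matching Allow statement, or None (implicit deny).
    The page's policy has no Deny statements, so no explicit-deny pass is needed."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if not _matches([a.lower() for a in _as_list(st["Action"])], action.lower()):
            continue  # IAM action names match case-insensitively
        if _matches(st["Resource"], resource) and _condition_met(st.get("Condition", {}), ctx):
            return st["Sid"]
    return None
```

A request that adds a tag key outside Owner/Name/Environment, or that targets an instance not tagged Owner=1p-agent, falls through to the implicit deny.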
