
     1  // Copyright 2021 Canonical Ltd.
     2  // Licensed under the AGPLv3, see LICENCE file for details.
     3  
     4  package ec2
     5  
const (
	// controllerRoleAssumePolicy is the trust policy for the controller
	// role, stating which principals may assume it. Only the EC2 service
	// principal (ec2.amazonaws.com) is allowed to call sts:AssumeRole, so
	// the role is usable by EC2 instances (via an instance profile) and
	// nothing else.
	controllerRoleAssumePolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
	  "Principal": {
	    "Service": "ec2.amazonaws.com"
	  },
	  "Action": "sts:AssumeRole"
	}
  ]
}
`
	// controllerRolePolicy is the AWS IAM permissions policy attached to
	// the controller role. This JSON document must be kept in line with the
	// AWS API calls Juju makes. It carries three statements, each with
	// Resource "*":
	//   - JujuEC2Actions: EC2 instance, volume, security group, tag and
	//     instance-profile association calls, plus the Describe* read calls;
	//   - JujuIAMActions: creating, reading, listing, deleting and passing
	//     roles and instance profiles;
	//   - JujuSSMActions: ssm:ListInstanceAssociations and
	//     ssm:UpdateInstanceInformation.
	//
	// NOTE(review): JujuIAMActions grants iam:CreateRole, iam:PutRolePolicy
	// and iam:PassRole on every resource. Taken together those are close to
	// account-admin-equivalent should the controller's credentials leak. If
	// the roles and instance profiles Juju manages follow a fixed naming
	// pattern, scoping Resource to that ARN pattern, and limiting PassRole
	// with an iam:PassedToService condition for ec2.amazonaws.com, would
	// shrink the blast radius without removing anything Juju needs — confirm
	// the naming scheme before tightening.
	controllerRolePolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "JujuEC2Actions",
      "Effect": "Allow",
      "Action": [
        "ec2:AssociateIamInstanceProfile",
        "ec2:AttachVolume",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteVolume",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeIamInstanceProfileAssociations",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSpotPriceHistory",
        "ec2:DescribeSubnets",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcs",
        "ec2:DetachVolume",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RunInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "JujuIAMActions",
      "Effect": "Allow",
      "Action": [
	    "iam:AddRoleToInstanceProfile",
        "iam:CreateInstanceProfile",
		"iam:CreateRole",
		"iam:DeleteInstanceProfile",
		"iam:DeleteRole",
		"iam:DeleteRolePolicy",
        "iam:GetInstanceProfile",
		"iam:GetRole",
		"iam:ListInstanceProfiles",
		"iam:ListRolePolicies",
		"iam:ListRoles",
		"iam:PassRole",
		"iam:PutRolePolicy",
		"iam:RemoveRoleFromInstanceProfile"
      ],
      "Resource": "*"
    },
    {
      "Sid": "JujuSSMActions",
      "Effect": "Allow",
      "Action": [
        "ssm:ListInstanceAssociations",
        "ssm:UpdateInstanceInformation"
      ],
      "Resource": "*"
    }
  ]
}
`
)