
I am trying to use AWS EC2. There is a command

$ aws ec2 describe-instances

which answers:

A client error (UnauthorizedOperation) occurred when calling the DescribeInstances operation: You are not authorized to perform this operation.

But what are the exact minimal policies
https://console.aws.amazon.com/iam/home?#policies
that should be allowed for the user for this (or any other specific) command?

Nakilon

1 Answer

But what are the exact minimal policies https://console.aws.amazon.com/iam/home?#policies that should be allowed for the user for this (or any other specific) command?

There is no single "minimal" policy like the one you ask for, with the exception of the "AdministratorAccess" policy, which gives you the ability to run all commands. But having that much power is dangerous and should not be used without reason.

Each of the policies is designed for certain combinations of commands you may want to execute. Some are full access for read-only functions (like the describe* functions) and have no power to "change" anything. Others are full control for certain AWS services (such as allowing EC2, but not RDS).

If you truly want "minimal", then the built-in policies are not what you want. Instead, you want to use the IAM Policy Generator to generate a custom policy specific for what you need to execute.

In your case, to execute aws ec2 describe-instances, you'll simply need ec2:DescribeInstances in a policy such as

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1432001253000",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

There is usually a one-to-one correspondence between commands and the policies necessary to execute them. For most AWS services (such as EC2 and RDS), the policy necessary mimics the name of the CLI/API command.

For example, ec2:DescribeInstances for aws ec2 describe-instances.

Unfortunately, for Amazon S3, the commands are a little different and not exactly one-to-one.

If you wanted to add aws ec2 describe-snapshots to your allowed commands, then you'd simply add ec2:DescribeSnapshots to the "Action" list in the above policy.

Matt Houser