3

I'm trying to set permissions on an IAM role that will submit a new spot instance request if needed. It will be used by a Lambda function.

The code does the following AWS API calls:

  • ec2.describeSpotInstanceRequests
  • ec2.requestSpotInstances
  • ec2.createTags

And I created for it the following policy (after trying a lot of other options...):

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "Stmt1437749945000",
        "Effect": "Allow",
        "Action": [
            "ec2:Describe*",
            "ec2:RequestSpotInstances",
            "ec2:RunInstances",
            "ec2:CreateTags",
            "iam:List*"
        ],
        "Resource": [
            "*"
        ]
    }
]

}

If I add iam:* it works, but obviously I don't want to do that..

Can anyone help me guessing what permission it really needs? Does anyone know of a map between AWS API calls and all required permissions?

Zach Moshe
  • 151
  • 7

1 Answers1

4

There is usually a one-to-one correspondence between ec2 API functions and the permissions. So most of what you have in your policy is fine.

You need to add the iam:PassRole permission. This is because your spot request is probably supplying an IAM role for your new EC2 Instances to run with.

The iam:PassRole permission is needed because your lambda role is potentially creating an instance with higher permissions than itself has. This could lead to dangerous security scenarios. So this extra permission is needed and usually it is restricted to a finite list of roles it can assign using the Resource property.

Matt Houser
  • 10,053
  • 1
  • 28
  • 28