suitable IAM permissions for cicd


Dylan Humphreys
Dec 10, 2020, 4:24:14 PM
to molecule-users
Hi Everyone.
Been using molecule for a while now, and it's no exaggeration to say that it's vastly improved the quality of roles I write. I'm aiming to use molecule and the ec2 driver in a CI/CD pipeline, and wondered if I can get pointers on what IAM permissions are needed to simply stand up an ec2 instance and destroy it, plus anything else the driver might do (like describe an instance, associate an elastic IP, set some security groups?). Not sure where to look, so any pointers are greatly appreciated.
It sounds like the sort of thing someone is already doing, and perhaps they read this! :D
Thanks in advance
Dylan

Dylan Humphreys
Dec 11, 2020, 12:58:26 PM
to molecule-users

So via a process of "start with nothing, and add permissions to get a step further" I managed to get this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeKeyPairs",
        "ec2:CreateKeyPair",
        "ec2:DeleteKeyPair"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "rds:RestoreDBClusterToPointInTime",
        "rds:CreateDBInstance",
        "rds:DeleteDBInstance",
        "rds:DeleteDBCluster"
      ],
      "Resource": [
        "arn:aws:rds:*:*:*:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeSecurityGroups",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteSecurityGroup",
        "ec2:DescribeSubnets",
        "ec2:CreateTags",
        "ec2:DescribeTags"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
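A review check for the policy above, added here as an example (not code from the thread or from molecule itself): it flags every Allow statement where a mutating action is granted on an unscoped resource (`"*"` or an all-wildcard ARN, which lets the CI role terminate or delete any instance, key pair or security group in the account, not just the ones molecule created) and every action for a service outside the pipeline's stated job of creating and destroying an EC2 test instance. The expected-service set is an assumption for this example; the policy is the one posted above, written as a Python literal.

```python
# Policy from the post above, restated as a Python literal so the check runs offline.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:TerminateInstances"],
         "Resource": "arn:aws:ec2:*:*:*"},
        {"Effect": "Allow",
         "Action": ["ec2:DescribeKeyPairs", "ec2:CreateKeyPair", "ec2:DeleteKeyPair"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["rds:RestoreDBClusterToPointInTime", "rds:CreateDBInstance",
                    "rds:DeleteDBInstance", "rds:DeleteDBCluster"],
         "Resource": ["arn:aws:rds:*:*:*:*"]},
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeSecurityGroups",
                    "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup",
                    "ec2:DescribeSubnets", "ec2:CreateTags", "ec2:DescribeTags"],
         "Resource": ["*"]},
    ],
}

# Assumption for this example: a pipeline that only creates/destroys EC2 test
# instances should need no other service. Adjust to what your driver really calls.
EXPECTED_SERVICES = {"ec2"}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_unscoped(resource):
    """True for '*' or an ARN whose region, account and resource fields are all '*'."""
    if resource == "*":
        return True
    parts = resource.split(":")
    return len(parts) >= 6 and all(p == "*" for p in parts[3:])


def lint_policy(policy, expected_services=EXPECTED_SERVICES):
    """Return (statement_index, action, reason) tuples worth a reviewer's attention."""
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt["Action"]):
            service, _, verb = action.partition(":")
            if service not in expected_services:
                findings.append((idx, action, "service outside pipeline scope"))
            # Describe/List/Get calls cannot be narrowed by ARN; mutating calls usually can.
            if not verb.startswith(("Describe", "List", "Get")) and any(map(is_unscoped, resources)):
                findings.append((idx, action, "mutating action on unscoped resource"))
    return findings
```

Run `lint_policy(POLICY)` and work down the list: mutating EC2 actions can usually be narrowed to a resource type or a tag condition matching the tags molecule applies with `ec2:CreateTags`, and anything outside the expected service set should be removed or justified.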

Dylan Humphreys
Dec 11, 2020, 12:58:50 PM
to molecule-users
Except indented properly... natch.