Deploying Qhub on AWS without Admin rights #1366
rsignell-usgs
Hey @rsignell-usgs, thanks for initiating this discussion! I'd be happy to work with you on this :)
Here's the policy that was generated:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInternetGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeVpcs",
"ec2:DisassociateRouteTable",
"ecr:CreateRepository",
"ecr:DescribeRepositories",
"resource-groups:CreateGroup",
"s3:ListAllMyBuckets",
"sts:GetCallerIdentity",
"tag:GetResources"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:AttachInternetGateway",
"ec2:CreateInternetGateway",
"ec2:DeleteInternetGateway",
"ec2:DetachInternetGateway"
],
"Resource": "arn:aws:ec2:${Region}:${Account}:internet-gateway/${InternetGatewayId}"
},
{
"Effect": "Allow",
"Action": [
"ec2:AssociateRouteTable",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:DeleteRouteTable"
],
"Resource": "arn:aws:ec2:${Region}:${Account}:route-table/${RouteTableId}"
},
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress"
],
"Resource": "arn:aws:ec2:${Region}:${Account}:security-group-rule/${SecurityGroupRuleId}"
},
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupEgress"
],
"Resource": "arn:aws:ec2:${Region}:${Account}:security-group/${SecurityGroupId}"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateSubnet",
"ec2:DeleteSubnet",
"ec2:ModifySubnetAttribute"
],
"Resource": "arn:aws:ec2:${Region}:${Account}:subnet/${SubnetId}"
},
{
"Effect": "Allow",
"Action": [
"ec2:AttachInternetGateway",
"ec2:CreateRouteTable",
"ec2:CreateSubnet",
"ec2:CreateVpc",
"ec2:DeleteVpc",
"ec2:DescribeVpcAttribute",
"ec2:DetachInternetGateway",
"ec2:ModifyVpcAttribute"
],
"Resource": "arn:aws:ec2:${Region}:${Account}:vpc/${VpcId}"
},
{
"Effect": "Allow",
"Action": [
"ecr:DeleteRepository",
"ecr:ListTagsForResource"
],
"Resource": "arn:aws:ecr:${Region}:${Account}:repository/${RepositoryName}"
},
{
"Effect": "Allow",
"Action": [
"kms:CreateGrant",
"kms:DescribeKey",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "arn:aws:kms:${Region}:${Account}:key/${KeyId}"
},
{
"Effect": "Allow",
"Action": [
"resource-groups:DeleteGroup",
"resource-groups:GetGroup",
"resource-groups:GetGroupQuery",
"resource-groups:GetTags"
],
"Resource": "arn:aws:resource-groups:${Region}:${Account}:group/${GroupName}"
},
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:GetAccelerateConfiguration",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLogging",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetReplicationConfiguration",
"s3:PutBucketTagging",
"s3:PutBucketVersioning"
],
"Resource": "arn:aws:s3:::${BucketName}"
}
]
}
It would be nice to know the minimal policies needed to deploy Qhub on AWS.
AWS now has the ability to generate policies based on analyzing CloudTrail logs.
The info is here: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html#access-analyzer-policy-generation-console
So we could:
I'd be happy to help with this. @iameskild, we could try just redeploying/destroying the OGC Sprint deployment -- I would just need to generate new credentials for the "qhub-admin" user I created for that and supply them to you!