1

AWS Access Key ID and Secret Access Key

The sandbox-starter tool requires an AWS access and secret key to perform programmatic actions against your AWS account. Please refer to Managing access keys for IAM users for instructions on how to create those keys and best practices.

The user off whom the access keys are derived will need the following access at minimum to perform the actions of running the use cases within the Sandbox Starter Tool (SST).

The below JSON policy document is for example purposes only. It is recommended to secure it further by restricting the resource section to apply to the accounts and/or resources against which you intend to apply.

Note: these permissions are separate from what would be needed for a user who would need to launch the SST instance itself from the AMI. They are only for a user who needs to operate the SST.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:AttachInternetGateway",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateInternetGateway",
                "ec2:CreateNetworkInterface",
                "ec2:CreateRoute",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:CreateVpc",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteKeyPair",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteRoute",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteSubnet",
                "ec2:DeleteVpc",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeImages",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceCreditSpecifications",
                "ec2:DescribeInstances",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcClassicLink",
                "ec2:DescribeVpcClassicLinkDnsSupport",
                "ec2:DescribeVpcs",
                "ec2:DetachInternetGateway",
                "ec2:DetachNetworkInterface",
                "ec2:DisassociateAddress",
                "ec2:ImportKeyPair",
                "ec2:ModifyInstanceAttribute",
                "ec2:ReleaseAddress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RunInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:AttachRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:DeleteInstanceProfile",
                "iam:DeletePolicy",
                "iam:DeleteRole",
                "iam:DetachRolePolicy",
                "iam:GetInstanceProfile",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfilesForRole",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies",
                "iam:PassRole",
                "iam:RemoveRoleFromInstanceProfile"
            ],
            "Resource": [
                "arn:aws:iam::<account_id>:instance-profile/aviatrix-*",
                "arn:aws:iam::<account_id>:role/aviatrix-*",
                "arn:aws:iam::<account_id>:policy/aviatrix-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "sts:GetCallerIdentity"
            ],
            "Resource": "*"
        }
    ]
}
3replies Oldest first
  • Oldest first
  • Newest first
  • Active threads
  • Popular
    • vjacheslav
    • vjacheslav
    • 7 mths ago
    • Reported - view

    hello,

    for myself I made a bit more constrained policy

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowParticularRegionEC2",
                "Effect": "Allow",
                "Action": [
                    "<all listed ec2 permissions from above>"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:RequestedRegion": [
                            "eu-west-1"
                        ]
                    }
                }
            },
            {
                "Sid": "AllowParticularIamEntities",
                "Effect": "Allow",
                "Action": [
                    "<all listed iam permissions"
                ],
                "Resource": [
                    "arn:aws:iam::<account id>:instance-profile/aviatrix-*",
                    "arn:aws:iam::<account id>:role/aviatrix-*",
                    "arn:aws:iam::<account id>:policy/aviatrix-*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "sts:GetCallerIdentity"
                ],
                "Resource": "*"
            }
        ]
    }
    
    Like
    • vjacheslav Appreciate the feedback! I've validated your suggestions and have updated the post to include your recommendation.

      Like
    • Jun Ye
    • Jun_Ye
    • 6 mths ago
    • Reported - view

    When you are using Chrome/Edge, the 'Copy' button will generate some invisible Unicode characters which will screw up the policy.

     

    Workaround: Select the text manually and copy manually.

    Like 1
Like1 Follow
  • 1 Likes
  • 5 mths agoLast active
  • 3Replies
  • 846Views
  • 4 Following