Minimal permissions for AWS provisioning
For provisioning from the AWS cloud, the designated IAM user must be
assigned permissions to access Amazon EC2 resources. You can allow complete EC2 access to provision
AWS resources by assigning the AmazonEC2FullAccess policy, the
AmazonEC2SpotFleetTaggingRole policy, or both. However, for restricted access,
assign a minimal set of permissions to the designated IAM user. Without these minimal permissions,
provisioning from AWS will fail.
| AWS permissions | "priceType": "ondemand" | "priceType": "spot" | "priceType": "heterogeneous" | |
|---|---|---|---|---|
| Permission Name | Description | |||
ec2:RunInstances |
To request new instances | Yes | Yes | Yes |
ec2:TerminateInstances |
To remove instances | Yes | Yes | Yes |
ec2:DescribeInstances |
To check status of instances | Yes | Yes | Yes |
ec2:DescribeSpotInstanceRequests |
To check status of instances | Yes | Yes | Yes |
ec2:DescribeAccountAttributes |
To get quota associated with an account | Yes | Yes | Yes |
ec2:RequestSpotFleet |
To create a Spot Fleet request | Yes | Yes | |
ec2:CancelSpotFleetRequests |
To cancel a Spot Fleet request | Yes | Yes | |
ec2:DescribeSpotFleetRequests |
To check status of a Spot Fleet request | Yes | Yes | |
ec2:DescribeSpotFleetInstances |
To check status of instances under a specific Spot Fleet | Yes | Yes | |
ec2:DescribeSpotInstanceRequests |
To check status of a specific Spot instance | Yes | Yes | |
iam:PassRole |
For the role that grants the Spot Fleet permissions | Yes | Yes | |
ec2:GetLaunchTemplateData |
To read launch template data | Yes | ||
ec2:DescribeLaunchTemplates |
To describe a launch template | Yes | ||
ec2:CreateLaunchTemplate |
To create a launch template | Yes | ||
ec2:DeleteLaunchTemplate |
To delete a launch template | Yes | ||
Some extended functionality in the awsprov_templates.json file, such as the ability to pass an IAM
instance profile to provisioned instances ("instanceProfile"), add tags to
provisioned instances ("instanceTags"), or configure a root device volume size for
Elastic Block Store-backed AMIs ("rootDeviceVolumeSize"), requires additional
permissions.
ondemand, spot, or
heterogeneous provisioning.| Feature | AWS permissions | "priceType": "ondemand" | "priceType": "spot" | "priceType": "heterogeneous" | |
|---|---|---|---|---|---|
| Permission Name | Description | ||||
| "instanceProfile" | iam:PassRole |
To grant an IAM user permission to pass a role | Yes | Yes | Yes |
| "instanceTags" | ec2:CreateTags |
To create an instance tag | Yes | No | No |
| "rootDeviceVolumeSize" | ec2:DescribeImages |
To describe images available to the IAM user | Yes | Yes | Yes |
To verify provisioning from the AWS console, you might need additional permissions (for example,
ec2:DescribeInstanceStatus to show instance status,
ec2:DescribeTags to show tags, or ec2:DescribeVolumes to show
Elastic Block Store volumes).