
Commit cd769a7

Service role for stack installation and deletion (#4117)
1 parent 84971e4 commit cd769a7

File tree

2 files changed

+117
-14
lines changed


docs/cfn-service-role.yml renamed to docs/cfn-service-role.yaml

Lines changed: 114 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -11,31 +11,51 @@ Resources:
1111
Service: cloudformation.amazonaws.com
1212
Action: sts:AssumeRole
1313
Policies:
14-
- PolicyName: root
14+
- PolicyName: QuiltServiceRolePolicy
1515
PolicyDocument:
1616
Version: '2012-10-17'
1717
Statement:
1818
- Effect: Allow
1919
Action:
2020
- apigateway:DELETE
2121
- apigateway:GET
22-
- apigateway:GetResources
2322
- apigateway:PATCH
2423
- apigateway:POST
2524
- apigateway:PUT
25+
- apigateway:SetWebACL
2626
- apigateway:UpdateRestApiPolicy
27+
- appsync:SetWebACL
28+
- apprunner:AssociateWebAcl
29+
- apprunner:DescribeWebAclForService
30+
- apprunner:DisassociateWebAcl
31+
- athena:CreateWorkGroup
32+
- athena:DeleteWorkGroup
33+
- athena:GetWorkGroup
34+
- athena:TagResource
2735
- autoscaling:CreateAutoScalingGroup
2836
- autoscaling:DeleteAutoScalingGroup
2937
- autoscaling:DescribeAutoScalingGroups
3038
- autoscaling:DescribeAutoScalingInstances
39+
- autoscaling:DescribeLifecycleHooks
40+
- autoscaling:DescribeNotificationConfigurations
3141
- autoscaling:DescribeScalingActivities
3242
- autoscaling:UpdateAutoScalingGroup
43+
- cloudtrail:AddTags
3344
- cloudtrail:CreateTrail
3445
- cloudtrail:DeleteTrail
3546
- cloudtrail:DescribeTrails
47+
- cloudtrail:GetEventSelectors
48+
- cloudtrail:GetInsightSelectors
49+
- cloudtrail:GetTrail
50+
- cloudtrail:GetTrailStatus
51+
- cloudtrail:ListTags
3652
- cloudtrail:PutEventSelectors
3753
- cloudtrail:StartLogging
54+
- cognito-idp:AssociateWebACL
55+
- cognito-idp:DisassociateWebACL
56+
- cognito-idp:GetWebACLForResource
3857
- ec2:AssociateRouteTable
58+
- ec2:AssociateVerifiedAccessInstanceWebAcl
3959
- ec2:AttachInternetGateway
4060
- ec2:AuthorizeSecurityGroupEgress
4161
- ec2:AuthorizeSecurityGroupIngress
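Review bot: the WebACL-association actions added here for services that appear nowhere else in this policy (`appsync:SetWebACL`, the three `apprunner:*WebAcl*` actions, `ec2:AssociateVerifiedAccessInstanceWebAcl`) carry no explanation; if they are there because `wafv2:AssociateWebACL` only works when the caller also holds the target service's own permission, say so in a YAML comment beside them, as the file already does with `# To publish to CFN notification topic.`, so a later maintainer can prune the ones this stack never uses. Renaming the policy from `root` to `QuiltServiceRolePolicy` is an improvement, but the statement still ends in `Resource: '*'`, so the rename changes the name and not the scope.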
@@ -49,6 +69,7 @@ Resources:
4969
- ec2:CreateVpc
5070
- ec2:DeleteInternetGateway
5171
- ec2:DeleteLaunchTemplate
72+
- ec2:DeleteNetworkInterface
5273
- ec2:DeleteRoute
5374
- ec2:DeleteRouteTable
5475
- ec2:DeleteSecurityGroup
@@ -62,13 +83,18 @@ Resources:
6283
- ec2:DescribeLaunchTemplateVersions
6384
- ec2:DescribeLaunchTemplates
6485
- ec2:DescribeNetworkAcls
86+
- ec2:DescribeNetworkInterfaces
6587
- ec2:DescribeRouteTables
88+
- ec2:DescribeSecurityGroupRules
6689
- ec2:DescribeSecurityGroups
6790
- ec2:DescribeSubnets
6891
- ec2:DescribeVpcAttribute
6992
- ec2:DescribeVpcs
7093
- ec2:DetachInternetGateway
94+
- ec2:DetachNetworkInterface
7195
- ec2:DisassociateRouteTable
96+
- ec2:DisassociateVerifiedAccessInstanceWebAcl
97+
- ec2:GetVerifiedAccessInstanceWebAcl
7298
- ec2:ModifyVpcAttribute
7399
- ec2:RevokeSecurityGroupEgress
74100
- ec2:RunInstances
@@ -82,6 +108,9 @@ Resources:
82108
- ecs:DescribeClusters
83109
- ecs:DescribeServices
84110
- ecs:RegisterTaskDefinition
111+
- ecs:TagResource
112+
- ecs:UpdateService
113+
- elasticloadbalancing:AddTags
85114
- elasticloadbalancing:CreateListener
86115
- elasticloadbalancing:CreateLoadBalancer
87116
- elasticloadbalancing:CreateRule
@@ -91,28 +120,44 @@ Resources:
91120
- elasticloadbalancing:DeleteRule
92121
- elasticloadbalancing:DeleteTargetGroup
93122
- elasticloadbalancing:DescribeListeners
123+
- elasticloadbalancing:DescribeLoadBalancerAttributes
94124
- elasticloadbalancing:DescribeLoadBalancers
95125
- elasticloadbalancing:DescribeRules
126+
- elasticloadbalancing:DescribeTags
127+
- elasticloadbalancing:DescribeTargetGroupAttributes
96128
- elasticloadbalancing:DescribeTargetGroups
129+
- elasticloadbalancing:DescribeTargetHealth
97130
- elasticloadbalancing:ModifyLoadBalancerAttributes
98131
- elasticloadbalancing:ModifyTargetGroupAttributes
132+
- elasticloadbalancing:SetWebAcl
133+
- es:AddTags
99134
- es:CreateElasticsearchDomain
100135
- es:DeleteElasticsearchDomain
101136
- es:DescribeElasticsearchDomain
137+
- es:UpdateElasticsearchDomainConfig
102138
- events:DeleteRule
103139
- events:DescribeRule
140+
- events:ListTargetsByRule
104141
- events:PutRule
105142
- events:PutTargets
106143
- events:RemoveTargets
144+
- events:TagResource
145+
- firehose:CreateDeliveryStream
146+
- firehose:DeleteDeliveryStream
147+
- firehose:DescribeDeliveryStream
148+
- firehose:ListTagsForDeliveryStream
149+
- firehose:TagDeliveryStream
107150
- glue:CreateDatabase
108151
- glue:CreateTable
109152
- glue:DeleteDatabase
110153
- glue:DeleteTable
154+
- glue:TagResource
111155
- iam:AddRoleToInstanceProfile
112156
- iam:AttachRolePolicy
113157
- iam:CreateInstanceProfile
114158
- iam:CreatePolicy
115159
- iam:CreateRole
160+
- iam:CreateServiceLinkedRole
116161
- iam:DeleteInstanceProfile
117162
- iam:DeletePolicy
118163
- iam:DeletePolicyVersion
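Review bot: `iam:CreateServiceLinkedRole` is added under the statement's `Resource: '*'`, which lets this role create the service-linked role of any AWS service; move it to its own statement scoped to the services the stack actually needs, using the `arn:aws:iam::*:role/aws-service-role/<service-principal>/*` resource pattern together with an `iam:AWSServiceName` condition.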
@@ -127,6 +172,20 @@ Resources:
127172
- iam:PassRole
128173
- iam:PutRolePolicy
129174
- iam:RemoveRoleFromInstanceProfile
175+
- iam:TagRole
176+
- iam:TagPolicy
177+
- kms:CreateGrant
178+
- kms:CreateKey
179+
- kms:Decrypt
180+
- kms:DescribeKey
181+
- kms:Encrypt
182+
- kms:GenerateDataKey
183+
- kms:GetKeyPolicy
184+
- kms:GetKeyRotationStatus
185+
- kms:ListResourceTags
186+
- kms:PutKeyPolicy
187+
- kms:ScheduleKeyDeletion
188+
- kms:TagResource
130189
- lambda:AddPermission
131190
- lambda:CreateEventSourceMapping
132191
- lambda:CreateFunction
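Review bot: the new `kms` block places data-plane actions (`kms:Decrypt`, `kms:Encrypt`, `kms:GenerateDataKey`) and `kms:PutKeyPolicy` under the same `Resource: '*'` as everything else, so the service role can use, and rewrite the key policy of, every customer-managed key in the account rather than only the key the stack creates. Split the kms actions into a separate statement restricted by key ARN or by a tag condition on the stack's keys, and keep `kms:CreateKey`, which genuinely requires `*`, on its own.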
@@ -135,42 +194,86 @@ Resources:
135194
- lambda:DeleteLayerVersion
136195
- lambda:GetEventSourceMapping
137196
- lambda:GetFunction
197+
- lambda:GetFunctionCodeSigningConfig
198+
- lambda:GetFunctionConfiguration
138199
- lambda:GetLayerVersion
200+
- lambda:GetRuntimeManagementConfig
139201
- lambda:InvokeFunction
140202
- lambda:PublishLayerVersion
203+
- lambda:PublishVersion
141204
- lambda:PutFunctionConcurrency
142205
- lambda:RemovePermission
206+
- lambda:TagResource
143207
- lambda:UpdateFunctionCode
144208
- lambda:UpdateFunctionConfiguration
145209
- logs:CreateLogGroup
210+
- logs:CreateLogStream
146211
- logs:DeleteLogGroup
212+
- logs:DeleteLogStream
147213
- logs:DeleteResourcePolicy
148214
- logs:DescribeLogGroups
215+
- logs:DescribeLogStreams
149216
- logs:DescribeResourcePolicies
150217
- logs:PutResourcePolicy
151218
- logs:PutRetentionPolicy
219+
- logs:TagResource
220+
- organizations:ListAWSServiceAccessForOrganization
152221
- rds:AddTagsToResource
153222
- rds:CreateDBInstance
154223
- rds:CreateDBSubnetGroup
224+
- rds:CreateTenantDatabase
155225
- rds:DeleteDBInstance
156226
- rds:DeleteDBSubnetGroup
227+
- rds:DeleteTenantDatabase
157228
- rds:DescribeDBInstances
158229
- rds:DescribeDBSubnetGroups
230+
- rds:ListTagsForResource
159231
- rds:ModifyDBInstance
160-
- s3:CreateBucket
161-
- s3:DeleteBucket
162-
- s3:DeleteBucketPolicy
163-
- s3:GetBucketPolicy
164-
- s3:GetObject
165-
- s3:PutBucketCORS
166-
- s3:PutBucketPolicy
167-
- s3:PutBucketVersioning
168-
- s3:PutLifecycleConfiguration
232+
- route53:CreateHostedZone
233+
- s3:* # Stack has this anyway; Canary buckets get Access Denied even with GetObject
234+
- secretsmanager:CreateSecret
235+
- secretsmanager:TagResource
236+
- servicediscovery:CreatePrivateDnsNamespace
237+
- servicediscovery:CreateService
238+
- servicediscovery:DeleteNamespace
239+
- servicediscovery:DeleteService
240+
- servicediscovery:GetOperation
241+
- servicediscovery:GetService
242+
- servicediscovery:TagResource
243+
- sns:CreateTopic*
244+
- sns:DeleteTopic
245+
- sns:Get*
169246
- sns:Publish # To publish to CFN notification topic.
247+
- sns:SetTopicAttributes
248+
- sns:Subscribe
249+
- sns:TagResource
170250
- sqs:CreateQueue
171251
- sqs:DeleteQueue
172252
- sqs:GetQueueAttributes
253+
- sqs:TagQueue
254+
- ssm:AddTagsToResource
173255
- ssm:DeleteParameter
174256
- ssm:GetParameters
175257
- ssm:PutParameter
258+
- synthetics:CreateCanary
259+
- synthetics:DeleteCanary
260+
- synthetics:GetCanary
261+
- synthetics:StartCanary
262+
- synthetics:StopCanary
263+
- synthetics:TagResource
264+
- wafv2:AssociateWebACL
265+
- wafv2:CreateRegexPatternSet
266+
- wafv2:CreateWebACL
267+
- wafv2:DeleteRegexPatternSet
268+
- wafv2:DeleteWebACL
269+
- wafv2:DisassociateWebACL
270+
- wafv2:GetRegexPatternSet
271+
- wafv2:GetWebACL
272+
- wafv2:GetWebACLForResource
273+
- wafv2:ListTagsForResource
274+
- wafv2:TagResource
176275
Resource: '*'
276+
Outputs:
277+
QuiltServiceRoleArn:
278+
Description: "ARN of the Quilt Service IAM Role"
279+
Value: !GetAtt QuiltCloudFormationServiceRole.Arn
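Review bot: `- s3:* # Stack has this anyway; Canary buckets get Access Denied even with GetObject` replaces nine bucket-scoped actions with full S3 access to every bucket in the account, and the justification conflates two principals: the stack's own roles holding `s3:*` says nothing about what the CloudFormation service role needs. Keep the explicit list and add only the actions the canary buckets fail on, with a bucket ARN pattern, rather than widening to `s3:*`. Since the commit title covers deletion as well, note that `secretsmanager` gets only `CreateSecret`/`TagResource` and `route53` only `CreateHostedZone`, with no `DeleteSecret` or `DeleteHostedZone`; either add them or comment why stack deletion does not need them. `sns:CreateTopic*` and `sns:Get*` are also the only wildcarded actions in a file that otherwise lists actions one by one.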

docs/technical-reference.md

Lines changed: 3 additions & 3 deletions
@@ -145,11 +145,11 @@ You will need the following:
145145
```
146146
1. **IAM Permissions** to create the CloudFormation stack (or Add products in
147147
Service Catalog).
148-
1. We recommend that you use a
148+
1. You may choose to use a
149149
[CloudFormation service role](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html)
150150
for stack creation and updates.
151-
1. See this [example service role](./cfn-service-role.yml) for minimal permissions
152-
to install a Quilt stack.
151+
1. Refer to this [example service role](./cfn-service-role.yml)
152+
and modify as needed to fit your use case.
153153

154154
> Ensure that your service role is up-to-date with the example before every stack
155155
update so as to prevent installation failures.
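Review bot: the link in `+ 1. Refer to this [example service role](./cfn-service-role.yml)` still points at the `.yml` path, but this same commit renames the file to `docs/cfn-service-role.yaml`, so the rendered docs link breaks; update it to `./cfn-service-role.yaml`.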
