To create the AWS policy for the platform, first open the AWS Console via the link, create a new policy by clicking “Create policy”, and paste the JSON below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRunInstances",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:key-pair/*"
      ]
    },
    {
      "Sid": "AllowEc2WithRestrictions",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume",
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Owner": "1p-agent"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "Owner",
            "Name",
            "Environment"
          ]
        }
      }
    },
    {
      "Sid": "AllowFunctionsWithRestrictions",
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:StartInstances",
        "ec2:DeleteSecurityGroup",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
        "ec2:UpdateSecurityGroupRuleDescriptionsEgress"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:security-group/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Owner": "1p-agent"
        }
      }
    },
    {
      "Sid": "AllowFunctions1p",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:CreateSecurityGroup",
        "ec2:Describe*",
        "rds:Describe*",
        "elasticache:Describe*",
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Manage1pAccessKeys",
      "Effect": "Allow",
      "Action": [
        "iam:get*"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "SsmAllRegionsToAMis",
      "Effect": "Allow",
      "Action": "ssm:*",
      "Resource": [
        "arn:aws:s3:::*",
        "arn:aws:ssm:*:*:opsmetadata/*",
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ssm:*:*:parameter/*"
      ]
    }
  ]
}

After creating the policy, open the IAM service in the AWS Console via the link and create a user called 1p-agent. Then click “Policy actions”, then “Attach”, and attach the policy to the 1p-agent user.

This policy allows:

  • EC2: provisioning, controlling and administering instances that carry the “1P” tag. Our agent doesn't use a key pair.

  • RDS, ElastiCache, EC2, IAM, CloudWatch and S3: list and get request types only

  • EKS Full Access (Optional)
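The tag conditions are what keep this policy scoped to the agent's own resources, so it is worth checking them before the policy goes live. The script below is an added example (not the platform's own tooling) that evaluates the two tag-conditioned statements offline with a deliberately simplified subset of IAM semantics; the instance ARN and request contexts are constructed sample values, and the authoritative check remains the IAM policy simulator.

```python
import fnmatch
import json
# Excerpt of the two tag-conditioned statements from the policy above; the full
# policy JSON loads in its place unchanged.
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Sid": "AllowEc2WithRestrictions", "Effect": "Allow",
  "Action": ["ec2:CreateVolume", "ec2:RunInstances"],
  "Resource": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*"],
  "Condition": {"StringEquals": {"aws:RequestTag/Owner": "1p-agent"},
                "ForAllValues:StringEquals": {"aws:TagKeys": ["Owner", "Name", "Environment"]}}},
 {"Sid": "AllowFunctionsWithRestrictions", "Effect": "Allow",
  "Action": ["ec2:TerminateInstances", "ec2:StopInstances"],
  "Resource": ["arn:aws:ec2:*:*:instance/*"],
  "Condition": {"StringEquals": {"ec2:ResourceTag/Owner": "1p-agent"}}}]}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_ok(cond, ctx):
    """StringEquals fails when the key is absent from the request; ForAllValues:StringEquals
    passes on an absent key (an empty set is a subset of the allowed values)."""
    for op, pairs in cond.items():
        for key, allowed in pairs.items():
            values = _as_list(ctx.get(key, []))
            if op == "StringEquals" and not values:
                return False
            if op in ("StringEquals", "ForAllValues:StringEquals"):
                if any(v not in _as_list(allowed) for v in values):
                    return False
            else:
                raise NotImplementedError(op)  # other operators are not used in this policy
    return True

def is_allowed(policy, action, resource, ctx):
    """True if some Allow statement matches the action, the resource ARN and the
    request context. Simplified: no explicit-Deny handling, one ARN per call (a
    RunInstances call must pass for every ARN it touches), wildcards via fnmatch."""
    for st in policy["Statement"]:
        acts = [a.lower() for a in _as_list(st["Action"])]  # IAM actions are case-insensitive
        if st["Effect"] != "Allow" or not any(fnmatch.fnmatchcase(action.lower(), a) for a in acts):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if _condition_ok(st.get("Condition", {}), ctx):
            return True
    return False

# Constructed sample instance ARN, used with different request contexts below.
INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
```

Calling is_allowed with an untagged instance, or with a RunInstances request carrying a tag key outside Owner/Name/Environment, returns False, which is the behaviour the policy is meant to enforce.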

After this tutorial, check out the next steps to configure your cloud on the platform.
