Document minimal IAM Role for launching instance

probably-not · Jan 6, 2025 · 172f280 · 172f280
1 parent 0985885
commit 172f280
Showing 1 changed file with 46 additions and 0 deletions.
diff --git a/lib/flame_ec2.ex b/lib/flame_ec2.ex
@@ -29,6 +29,52 @@ defmodule FlameEC2 do
 
   ```json
   {
+      "Version": "2012-10-17",
+      "Statement": [
+          {
+              "Sid": "ec2RunInstances",
+              "Effect": "Allow",
+              "Action": [
+                  "ec2:DescribeTags",
+                  "ec2:CreateTags",
+                  "ec2:DeleteTags",
+                  "ec2:RunInstances"
+              ],
+              "Resource": "*"
+          },
+          {
+              "Sid": "ssmParameters",
+              "Effect": "Allow",
+              "Action": [
+                  "ssm:GetParameters"
+              ],
+              "Resource": "*"
+          },
+          {
+              "Sid": "iamRolePassing",
+              "Effect": "Allow",
+              "Action": [
+                  "iam:PassRole"
+              ],
+              "Resource": [
+                  "arn:aws:iam::*:instance-profile/*"
+              ],
+              "Condition": {
+                  "StringEquals": {
+                      "iam:PassedToService": "ec2.amazonaws.com"
+                  }
+              }
+          },
+          {
+              "Sid": "s3GetRelease",
+              "Effect": "Allow",
+              "Action": [
+                  "s3:ListBucket",
+                  "s3:GetObject"
+              ],
+              "Resource": "*"
+          }
+      ]
   }
   ```