Infrastructure Management (IAM Role -- Assume Role Identity)
Role Name:
Bebop-Admin-Role
Tasks performed:
KMS management for Encrypted Disks
Access MarketPlace for CentOS 7 AMI
Setup SNS and Cloudwatch to send notifications to MCP
Create support tickets for quota increase.
Policy:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"support:*",
"ec2:*",
"sns:*",
"kms:*",
"logs:*",
"cloudwatch:*"
"events:*",
"route53:*",
"aws-marketplace:*",
"iam:PassRole",
"aws-portal:ViewAccount",
"aws-portal:ViewBilling",
"aws-portal:ViewUsage"
],
"Resource": "*"
}]
}
Application Service User
User:
bebopserviceuser
Tasks performed:
Launch, start, stop and terminate EC2 instances by BeBop application.
Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:*AccessKey*",
"iam:ChangePassword",
"iam:GetUser",
"iam:*ServiceSpecificCredential*",
"iam:*SigningCertificate*"
],
"Resource": ["arn:aws:iam::*:user/${aws:username}"]
}
]
}
Initial Setup User
Username:
terraform
Tasks performed:
Initial infra setup
Note: terraform user can be removed once BeBop on-boarding is done.
Policy:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"ec2:*",
"sns:*",
"kms:*",
"logs:*",
"cloudwatch:*",
"events:*",
"aws-marketplace:*",
"iam:PassRole"
],
"Resource": "*"
}]
}
Roles Needed:
prometheus
Tasks performed:
Used by AWS service discovery to find running instances
IAM Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
}
]
}
Trust Relationship:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}