...
Info |
---|
If you are creating new policies, give them all the same name prefix; this makes them easier to find when you create the role and select the policies to attach to it. |
Allow read of cost and usage data
Navigate to the IAM console and create a new policy from the JSON policy document below. Cost Explorer actions do not support resource-level permissions, so the Resource for ce:GetCostAndUsage must be "*".
Code Block |
---|
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ce:GetCostAndUsage",
      "Resource": "*"
    }
  ]
} |
Allow Read of created secret
Find the secret name in the script output, then replace {SecretNameHere} with that name and {AWS account ID} with your account ID. Keep the trailing "*" after the secret name: Secrets Manager appends a random suffix to every secret ARN, so an ARN without the wildcard will not match the secret.
...
Code Block |
---|
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:*:{AWS account ID}:secret:{SecretNameHere}*"
    }
  ]
} |
Allow management of DynamoDB and Simple Queue Service
Create the third policy:
Info |
---|
You will need to replace {AWS account ID} in this policy definition with your AWS account ID. |
Code Block |
---|
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "dynamodb:CreateTable",
        "sqs:DeleteMessage",
        "sqs:GetQueueUrl",
        "dynamodb:UpdateTimeToLive",
        "dynamodb:DescribeTable",
        "sqs:ReceiveMessage",
        "dynamodb:Scan",
        "dynamodb:Query",
        "sqs:CreateQueue"
      ],
      "Resource": [
        "arn:aws:dynamodb:*:{AWS account ID}:table/*bplm*",
        "arn:aws:sqs:*:{AWS account ID}:*bplm*"
      ]
    }
  ]
} |
Allow S3 bucket tag get/set
The Resource "arn:aws:s3:::*" grants tag read and write on every bucket in the account; if the tool only needs to tag known buckets, narrow it to those bucket ARNs.
Code Block |
---|
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketTagging",
        "s3:PutBucketTagging"
      ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
} |
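The four policies above all need the same substitutions and the same sanity checks before they are pasted into the IAM console or passed to `aws iam create-policy --policy-document file://...`. The script below is an added example, not part of this page or of the tool it describes: it keeps the four policy documents as templates, substitutes the account ID and secret name, and lints the result (no leftover placeholders, 12-digit account fields, Resource "*" only for Cost Explorer actions, and the trailing wildcard on the secret ARN). The policy names in POLICY_TEMPLATES and the secret name used in the usage note are assumptions.

```python
"""Render and lint the IAM policy documents from this page.

Added example, not the page's or the tool's own code. Assumes the four
policy bodies shown above, kept here as templates with the page's
{AWS account ID} and {SecretNameHere} placeholders; policy names are made up.
"""
import json
import re

# Cost Explorer (ce:*) actions do not support resource-level permissions,
# so "Resource": "*" is the only valid choice for them.
UNSCOPABLE_ACTION_PREFIXES = ("ce:",)

POLICY_TEMPLATES = {
    "bplm-cost-usage-read": {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                       "Action": "ce:GetCostAndUsage", "Resource": "*"}],
    },
    "bplm-secret-read": {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                       "Action": "secretsmanager:GetSecretValue",
                       "Resource": "arn:aws:secretsmanager:*:{AWS account ID}:secret:{SecretNameHere}*"}],
    },
    "bplm-dynamodb-sqs": {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                       "Action": ["dynamodb:CreateTable", "sqs:DeleteMessage", "sqs:GetQueueUrl",
                                  "dynamodb:UpdateTimeToLive", "dynamodb:DescribeTable",
                                  "sqs:ReceiveMessage", "dynamodb:Scan", "dynamodb:Query",
                                  "sqs:CreateQueue"],
                       "Resource": ["arn:aws:dynamodb:*:{AWS account ID}:table/*bplm*",
                                    "arn:aws:sqs:*:{AWS account ID}:*bplm*"]}],
    },
    "bplm-s3-bucket-tagging": {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                       "Action": ["s3:GetBucketTagging", "s3:PutBucketTagging"],
                       "Resource": "arn:aws:s3:::*"}],
    },
}

PLACEHOLDER = re.compile(r"\{[^}]*\}")


def render_policy(template, account_id, secret_name):
    """Substitute the page's placeholders and return a policy dict."""
    text = json.dumps(template)
    for placeholder in ("{AWS account ID}", "{AWS Account ID}"):
        text = text.replace(placeholder, account_id)
    text = text.replace("{SecretNameHere}", secret_name)
    return json.loads(text)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of problems; an empty list means the document passes."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        for res in _as_list(stmt.get("Resource", [])):
            if PLACEHOLDER.search(res):
                problems.append(f"unsubstituted placeholder in {res}")
                continue
            if res == "*":
                if not all(a.startswith(UNSCOPABLE_ACTION_PREFIXES) for a in actions):
                    problems.append(f"Resource '*' granted for scopable actions {actions}")
                continue
            parts = res.split(":", 5)  # arn:partition:service:region:account:resource
            if len(parts) < 6:
                problems.append(f"malformed ARN {res}")
                continue
            service, account = parts[2], parts[4]
            # S3 bucket ARNs legitimately carry no account; any other account field must be 12 digits.
            if account and not re.fullmatch(r"\d{12}", account):
                problems.append(f"account field '{account}' is not a 12-digit account ID in {res}")
            # Secrets Manager appends a random suffix to secret ARNs, so the name needs a trailing '*'.
            if service == "secretsmanager" and not res.endswith("*"):
                problems.append(f"secret ARN {res} lacks the trailing '*' needed to match the random suffix")
    return problems


def render_all(account_id, secret_name):
    """Render every template; raise if any rendered policy fails the lint."""
    rendered = {name: render_policy(t, account_id, secret_name)
                for name, t in POLICY_TEMPLATES.items()}
    failures = {}
    for name, policy in rendered.items():
        problems = lint_policy(policy)
        if problems:
            failures[name] = problems
    if failures:
        raise ValueError(f"policy lint failed: {failures}")
    return rendered


if __name__ == "__main__":
    import sys
    # usage: python render_policies.py 123456789012 bplm/prod   (values are examples)
    for name, policy in render_all(sys.argv[1], sys.argv[2]).items():
        with open(f"{name}.json", "w") as handle:
            json.dump(policy, handle, indent=2)
        print(f"wrote {name}.json")
```

Each rendered file can then be created with `aws iam create-policy --policy-name <name> --policy-document file://<name>.json` and attached to the role. The lint deliberately rejects a wildcard in the account field and a bare "*" Resource on scopable actions, which are the two most common ways these policies end up broader than intended.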
Allow EC2 tag management
Info |
---|
You will need to replace {AWS account ID} in this policy definition with your AWS account ID. |
...