Permissions Required to Complete Deployment in AWS
IAM Policies and Roles
Ability to create IAM policies and roles and to attach them to an EC2 instance. The EC2 instance is assigned a role (or roles) whose policies grant: read access to the secret's key/value pairs; management of select DynamoDB and SQS resources, selected by a wildcard in the policy's resource definition; read and set access to select S3 bucket tags; management of EC2 instance tags; and read access to cost and usage data. Scope the DynamoDB/SQS wildcard to a name prefix rather than a bare `*` so the role cannot manage unrelated tables and queues.
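As an added illustration of the shape that instance role policy takes (this is not a policy shipped with LHO), the following document assumes the DynamoDB tables, SQS queues and secret are named with an `lho-` prefix, and that the account ID, region and bucket name shown are placeholders:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadLhoSecret",
      "Effect": "Allow",
      "Action": ["secretsmanager:GetSecretValue"],
      "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:lho-config-*"
    },
    {
      "Sid": "ManageLhoDynamoAndSqsByPrefix",
      "Effect": "Allow",
      "Action": ["dynamodb:*", "sqs:*"],
      "Resource": [
        "arn:aws:dynamodb:us-east-1:123456789012:table/lho-*",
        "arn:aws:sqs:us-east-1:123456789012:lho-*"
      ]
    },
    {
      "Sid": "ReadWriteBucketTags",
      "Effect": "Allow",
      "Action": ["s3:GetBucketTagging", "s3:PutBucketTagging"],
      "Resource": "arn:aws:s3:::example-lho-bucket"
    },
    {
      "Sid": "ManageInstanceTags",
      "Effect": "Allow",
      "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"
    },
    {
      "Sid": "DescribeTagsAndCostData",
      "Effect": "Allow",
      "Action": ["ec2:DescribeTags", "ce:GetCostAndUsage"],
      "Resource": "*"
    }
  ]
}
```

The `lho-*` patterns are the "wildcard in the policy definition" from the requirement above, narrowed to a name prefix; the trailing `*` on the secret ARN is needed because Secrets Manager appends a random suffix to secret ARNs. `ec2:DescribeTags` and `ce:GetCostAndUsage` do not support resource-level permissions, so those two statements must use `"Resource": "*"`. Before attaching the policy, run it through `aws accessanalyzer validate-policy --policy-type IDENTITY_POLICY --policy-document file://policy.json` to catch syntax errors and overly broad grants.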
Resource Group
Create and manage a resource group in AWS.
Secrets Manager
Create and manage a secret in Secrets Manager.
EC2
Create/manage an EC2 instance. The EC2 instance setup can also optionally create an SSL certificate.
VPC/Networking Components
Create/manage networking components such as an internet gateway, VPC, subnets, route tables and Elastic IPs.
Route 53
Create/manage a DNS record in the preferred hosted zone (if applicable).
RDS
Create/manage an RDS instance (if applicable).
Databricks Account
The LHO Service Principal should be assigned the Account Admin role so that it can download the Billable Usage Log (used to report Databricks spend) and list all workspaces, which are later published in LHO.
(Optional) Azure AD requirements
Create/edit an app registration and create/retrieve a client secret in the selected Azure Active Directory tenant, plus the ability to update the app registration's redirect URI once that URI is known.