Juju AWS Permissions

We often get asked to provide a list of permissions for the various clouds that Juju supports. Due to recent work around enabling Juju to use AWS Instance Profiles, we have been developing a set of base AWS permissions that a Juju controller requires in order to operate.

This is a welcome addition to Juju’s documentation, allowing operators to assert more control over the security policies used for Juju and enabling a better least-privilege environment for their Juju infrastructure.

The following is a tailored Juju AWS policy defining all of the permissions a Juju controller needs within an AWS environment to operate.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "JujuEC2Actions",
      "Effect": "Allow",
      "Action": [
        "ec2:AssociateIamInstanceProfile",
        "ec2:AttachVolume",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteVolume",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeIamInstanceProfileAssociations",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceTypeOfferings",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSpotPriceHistory",
        "ec2:DescribeSubnets",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcs",
        "ec2:DetachVolume",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RunInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "JujuIAMActions",
      "Effect": "Allow",
      "Action": [
        "iam:AddRoleToInstanceProfile",
        "iam:CreateInstanceProfile",
        "iam:CreateRole",
        "iam:DeleteInstanceProfile",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:GetInstanceProfile",
        "iam:GetRole",
        "iam:ListInstanceProfiles",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:RemoveRoleFromInstanceProfile"
      ],
      "Resource": "*"
    },
    {
      "Sid": "JujuSSMActions",
      "Effect": "Allow",
      "Action": [
        "ssm:ListInstanceAssociations",
        "ssm:UpdateInstanceInformation"
      ],
      "Resource": "*"
    }
  ]
}

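An added check, not part of this post or of Juju itself, that loads the policy above and compares it against a constructed sample of CloudTrail records: calls the controller made that the policy does not grant would surface as AccessDenied, while granted actions never observed over a long enough window are candidates for trimming. It assumes only CloudTrail's standard eventSource/eventName fields; the sample events are made up.

```python
JUJU_POLICY = {  # the policy from the post, compacted so this script runs offline
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "JujuEC2Actions", "Effect": "Allow", "Resource": "*", "Action": [
            "ec2:AssociateIamInstanceProfile", "ec2:AttachVolume",
            "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup",
            "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteSecurityGroup",
            "ec2:DeleteVolume", "ec2:DescribeAccountAttributes",
            "ec2:DescribeAvailabilityZones", "ec2:DescribeIamInstanceProfileAssociations",
            "ec2:DescribeInstances", "ec2:DescribeInstanceTypeOfferings",
            "ec2:DescribeInstanceTypes", "ec2:DescribeInternetGateways",
            "ec2:DescribeNetworkInterfaces", "ec2:DescribeRouteTables",
            "ec2:DescribeSecurityGroups", "ec2:DescribeSpotPriceHistory",
            "ec2:DescribeSubnets", "ec2:DescribeVolumes", "ec2:DescribeVpcs",
            "ec2:DetachVolume", "ec2:RevokeSecurityGroupIngress",
            "ec2:RunInstances", "ec2:TerminateInstances"]},
        {"Sid": "JujuIAMActions", "Effect": "Allow", "Resource": "*", "Action": [
            "iam:AddRoleToInstanceProfile", "iam:CreateInstanceProfile", "iam:CreateRole",
            "iam:DeleteInstanceProfile", "iam:DeleteRole", "iam:DeleteRolePolicy",
            "iam:GetInstanceProfile", "iam:GetRole", "iam:ListInstanceProfiles",
            "iam:ListRolePolicies", "iam:ListRoles", "iam:PassRole", "iam:PutRolePolicy",
            "iam:RemoveRoleFromInstanceProfile"]},
        {"Sid": "JujuSSMActions", "Effect": "Allow", "Resource": "*", "Action": [
            "ssm:ListInstanceAssociations", "ssm:UpdateInstanceInformation"]},
    ],
}
READ_ONLY_PREFIXES = ("Describe", "Get", "List")

def allowed_actions(policy):
    """Flatten every Allow statement into a set of 'service:Action' strings.
    The policy above has no wildcard actions, so exact matching is sufficient."""
    return {a for s in policy["Statement"] if s["Effect"] == "Allow"
            for a in ([s["Action"]] if isinstance(s["Action"], str) else s["Action"])}

def mutating_actions(policy):
    """Granted actions that change state: everything not Describe*/Get*/List*."""
    return {a for a in allowed_actions(policy)
            if not a.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)}

def audit_cloudtrail(policy, events):
    """Map CloudTrail eventSource/eventName to 'service:Action' and diff against
    the policy. Returns (observed calls not granted, granted actions never observed)."""
    granted = allowed_actions(policy)
    observed = {f"{e['eventSource'].split('.')[0]}:{e['eventName']}" for e in events}
    return sorted(observed - granted), sorted(granted - observed)

SAMPLE_EVENTS = [{"eventSource": s, "eventName": n} for s, n in [  # constructed, not real
    ("ec2.amazonaws.com", "RunInstances"), ("ec2.amazonaws.com", "DescribeInstances"),
    ("iam.amazonaws.com", "CreateRole"), ("ec2.amazonaws.com", "CreateKeyPair")]]
```

Run `audit_cloudtrail(JUJU_POLICY, SAMPLE_EVENTS)` to see the one uncovered call (ec2:CreateKeyPair) and the granted actions the sample never exercised; `mutating_actions` separates the state-changing permissions from the read-only Describe/Get/List set.
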
Our goal is to continue developing this list over time, keep it updated, and integrate the permission creation into Juju’s Instance Profile functionality.

As always we welcome feedback from the community on how we can better document these permissions and make Juju more secure.


@jamesbeedy is this the missing piece for auth using AWS we’ve been talking about?

I have to say, as someone right now using AWS and having to grant EC2 full admin access to the juju user… this list is VERY helpful and appreciated. Big thanks!

I do not yet use advanced juju features but am very curious about these IAM permissions, the SSM permissions… it looks like further progress has been made to allow you to control things from Juju rather than the AWS GUI? If so, that’s very cool and I’d love to hear more details…

Once I’ve settled down my setup… I am planning to document a “How to start using Juju in a VPC” with some end-to-end step-by-step setup instructions… in hopes it helps others who do not have linux boxes use Juju.

Thank you for the feedback. Please let us know if we can drill down on this information more or if anything is unclear.