Asked a question 4 years ago

How do I set Amazon AWS cloud bursting policies for Bright?


Setting Amazon AWS Cloudbursting policies

Policies in AWS are created and managed in the IAM section of the AWS console for the region. For EU-West-1 the URL to manage policies is currently:
https://console.aws.amazon.com/iam/home?region=eu-west-1#policies1

An option to "create a new policy" can be selected there.
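The following restrictive policy grants more fine-grained access to the AWS resources used by the cloudbursting feature of Bright Cluster Manager. Note that several statements still apply to every resource in the account: iam:PassRole, the instance start/stop/reboot/terminate actions and the EBS volume actions all use "Resource": "*", and the S3 statements (including s3:DeleteBucket, s3:GetObject and s3:PutObject) cover all buckets through arn:aws:s3:::*. Before deploying it, narrow these statements to the role ARNs, instances and bucket names that the cluster actually uses, for example by listing specific ARNs in "Resource" or by adding a "Condition" block with keys such as iam:PassedToService and ec2:ResourceTag/<tag-key>.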

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Effect": "Allow",
           "Action": [
               "iam:Get*",
               "iam:List*",
               "iam:PassRole"
           ],
           "Resource": "*"
       },
       {
           "Sid": "EC2LessDangerousPermissions",
           "Effect": "Allow",
           "Action": [
               "ec2:CancelSpotInstanceRequests",
               "ec2:DescribeAccountAttributes",
               "ec2:DescribeAddresses",
               "ec2:DescribeAvailabilityZones",
               "ec2:DescribeImages",
               "ec2:DescribeInstanceStatus",
               "ec2:DescribeInstances",
               "ec2:DescribeKeyPairs",
               "ec2:DescribePlacementGroups",
               "ec2:DescribeSecurityGroups",
               "ec2:DescribeSnapshots",
               "ec2:DescribeSpotInstanceRequests",
               "ec2:DescribeSpotPriceHistory",
               "ec2:DescribeTags",
               "ec2:DescribeVolumeStatus",
               "ec2:DescribeVolumes",
               "ec2:CreateSnapshot",
               "ec2:CreateTags",
               "ec2:DescribeClassicLinkInstances",
               "ec2:DescribeInstanceAttribute",
               "ec2:RegisterImage",
               "ec2:DescribeRegions",
               "ec2:DescribeVpcs",
               "ec2:RequestSpotInstances",
               "ec2:CreatePlacementGroup",
               "ec2:DescribeInternetGateways",
               "ec2:DescribeRouteTables",
               "ec2:DescribeSubnets",
               "ec2:ModifyInstanceAttribute"
           ],
           "Resource": [
               "*"
           ]
       },
       {
           "Sid": "EC2MoreDangerousPermissions",
           "Effect": "Allow",
           "Action": [
               "ec2:GetConsoleOutput",
               "ec2:AllocateAddress",
               "ec2:AssociateAddress",
               "ec2:DisassociateAddress",
               "ec2:ReleaseAddress"
           ],
           "Resource": [
               "*"
           ]
       },
       {
           "Sid": "AllowInstanceActions",
           "Effect": "Allow",
           "Action": [
               "ec2:StartInstances",
               "ec2:RebootInstances",
               "ec2:StopInstances",
               "ec2:TerminateInstances"
           ],
           "Resource": [
               "*"
           ]
       },
       {
           "Sid": "EC2RunInstances",
           "Effect": "Allow",
           "Action": [
               "ec2:RunInstances"
           ],
           "Resource": [
               "arn:aws:ec2:*:*:instance/*"
           ]
       },
       {
           "Sid": "RemainingRunInstancePermissions",
           "Effect": "Allow",
           "Action": [
               "ec2:RunInstances"
           ],
           "Resource": [
               "arn:aws:ec2:*:*:volume/*",
               "arn:aws:ec2:*::image/ami-*",
               "arn:aws:ec2:*:*:subnet/*",
               "arn:aws:ec2:*:*:network-interface/*",
               "arn:aws:ec2:*:*:key-pair/*",
               "arn:aws:ec2:*:*:security-group/*"
           ]
       },
       {
           "Sid": "S3Permissions1",
           "Effect": "Allow",
           "Action": [
               "s3:GetBucketLocation",
               "s3:ListAllMyBuckets"
           ],
           "Resource": "arn:aws:s3:::*"
       },
       {
           "Sid": "S3Permissions2",
           "Effect": "Allow",
           "Action": [
               "s3:CreateBucket",
               "s3:DeleteBucket",
               "s3:GetObject",
               "s3:ListBucket",
               "s3:PutObject"
           ],
           "Resource": [
               "arn:aws:s3:::*"
           ]
       },
       {
           "Sid": "EBS",
           "Effect": "Allow",
           "Action": [
               "ec2:AttachVolume",
               "ec2:CreateVolume",
               "ec2:DeleteVolume",
               "ec2:DetachVolume"
           ],
           "Resource": [
               "*"
           ]
       }
   ]
}