Minimal set of privileges to run Flight template

Hello, as an AWS account holder, if I want to allow a user to run a Flight template through CloudFormation, what would be the minimal set of privileges? I created an account which can do that, but I ended up with all sorts of things that I had to add. Thank you for sharing your wisdom! : )

Hi @ink,

Flight Compute Solo needs to create a comprehensive set of resources and, as you’ve discovered, you’ll need to add actions to create and manipulate many types of resource to allow a non-root or administrative user to launch (and subsequently terminate!) a cluster.

For reference, here is the list of actions that are needed within an IAM policy to allow a user to launch a Flight Compute cluster using the AWS CLI tool:

autoscaling:CreateAutoScalingGroup
autoscaling:CreateLaunchConfiguration
autoscaling:DeleteAutoScalingGroup
autoscaling:DeleteLaunchConfiguration
autoscaling:DescribeAutoScalingGroups
autoscaling:DescribeLaunchConfigurations
autoscaling:UpdateAutoScalingGroup
cloudformation:CreateStack
cloudformation:DeleteStack
ec2:AssociateDhcpOptions
ec2:AssociateRouteTable
ec2:AttachInternetGateway
ec2:AuthorizeSecurityGroupEgress
ec2:AuthorizeSecurityGroupIngress
ec2:CreateDhcpOptions
ec2:CreateInternetGateway
ec2:CreateNetworkAcl
ec2:CreateNetworkAclEntry
ec2:CreatePlacementGroup
ec2:CreateRoute
ec2:CreateRouteTable
ec2:CreateSecurityGroup
ec2:CreateSubnet
ec2:CreateTags
ec2:CreateVpc
ec2:DeleteDhcpOptions
ec2:DeleteInternetGateway
ec2:DeleteNetworkAcl
ec2:DeleteNetworkAclEntry
ec2:DeletePlacementGroup
ec2:DeleteRoute
ec2:DeleteRouteTable
ec2:DeleteSecurityGroup
ec2:DeleteSubnet
ec2:DeleteVpc
ec2:DescribeDhcpOptions
ec2:DescribeInstances
ec2:DescribeInternetGateways
ec2:DescribeKeyPairs
ec2:DescribeNetworkAcls
ec2:DescribePlacementGroups
ec2:DescribeRouteTables
ec2:DescribeRoutes
ec2:DescribeSecurityGroups
ec2:DescribeSubnets
ec2:DescribeVpcs
ec2:DetachInternetGateway
ec2:DisassociateRouteTable
ec2:ModifyInstanceAttribute
ec2:ModifyVpcAttribute
ec2:ReplaceNetworkAclAssociation
ec2:RevokeSecurityGroupEgress
ec2:RunInstances
ec2:TerminateInstances
iam:AddRoleToInstanceProfile
iam:CreateInstanceProfile
iam:CreateRole
iam:DeleteInstanceProfile
iam:DeleteRole
iam:DeleteRolePolicy
iam:PassRole
iam:PutRolePolicy
iam:RemoveRoleFromInstanceProfile
s3:GetObject

Note that the majority of these actions do not support resource-level permissions so may allow the user to create more resources than you intend! We’d recommend that you refer to the AWS IAM documentation for more details.

Thank you and yes, I’m aware of that. I’m thinking about some sort of proxy mechanism using which a user can trigger an action through e.g. a lambda which will have all the required privileges.

I had to supplement your list with a few actions in order to be able to create a stack, but it works essentially. I was even able to create my first lambda which creates a stack.
However, the deletion is not clean, and since I can delete cleanly with my other account, the reason must be with the set of privileges, but I can't figure out what exactly. Any ideas?

The following resource(s) failed to delete: [PlacementGroup, FlightComputeGroup, ComputeGroupConfig].

It looks like

autoscaling:DescribeScalingActivities

was missing for clean deletion. I’ve also added these but they may be needed just for the console access

cloudformation:ListStacks
cloudformation:GetTemplateSummary
cloudformation:DescribeStackEvents
SNS:ListTopics
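As an added example (not code from this thread or from Alces Flight), the script below turns the action list in the support reply above, plus the autoscaling:DescribeScalingActivities and console actions found later in the thread, into an IAM policy document. It keeps the bulk of the EC2/autoscaling/CloudFormation actions on Resource "*" (the caveat the reply makes about resource-level permissions) but scopes the iam:* statement to roles and instance profiles under a stack-name prefix and the s3:GetObject statement to one bucket. The account ID, stack-name prefix and bucket name are placeholders; the prefix scoping assumes the stacks are launched with names starting with that prefix and that CloudFormation's default physical naming (StackName-LogicalId-random) is in effect.

```python
"""Assemble an IAM policy for a Flight Compute launcher user from the thread's action list."""
import json

# Actions from the support reply above, grouped by service. autoscaling:DescribeScalingActivities
# is the one reported later in the thread as needed for a clean DeleteStack.
FLIGHT_ACTIONS = {
    "autoscaling": """CreateAutoScalingGroup CreateLaunchConfiguration DeleteAutoScalingGroup
        DeleteLaunchConfiguration DescribeAutoScalingGroups DescribeLaunchConfigurations
        UpdateAutoScalingGroup DescribeScalingActivities""".split(),
    "cloudformation": ["CreateStack", "DeleteStack"],
    "ec2": """AssociateDhcpOptions AssociateRouteTable AttachInternetGateway
        AuthorizeSecurityGroupEgress AuthorizeSecurityGroupIngress CreateDhcpOptions
        CreateInternetGateway CreateNetworkAcl CreateNetworkAclEntry CreatePlacementGroup
        CreateRoute CreateRouteTable CreateSecurityGroup CreateSubnet CreateTags CreateVpc
        DeleteDhcpOptions DeleteInternetGateway DeleteNetworkAcl DeleteNetworkAclEntry
        DeletePlacementGroup DeleteRoute DeleteRouteTable DeleteSecurityGroup DeleteSubnet
        DeleteVpc DescribeDhcpOptions DescribeInstances DescribeInternetGateways
        DescribeKeyPairs DescribeNetworkAcls DescribePlacementGroups DescribeRouteTables
        DescribeRoutes DescribeSecurityGroups DescribeSubnets DescribeVpcs
        DetachInternetGateway DisassociateRouteTable ModifyInstanceAttribute
        ModifyVpcAttribute ReplaceNetworkAclAssociation RevokeSecurityGroupEgress
        RunInstances TerminateInstances""".split(),
    "iam": """AddRoleToInstanceProfile CreateInstanceProfile CreateRole DeleteInstanceProfile
        DeleteRole DeleteRolePolicy PassRole PutRolePolicy RemoveRoleFromInstanceProfile""".split(),
    "s3": ["GetObject"],
}
# Read-only extras the thread reports adding for console use (optional for the CLI path).
CONSOLE_ACTIONS = ["cloudformation:ListStacks", "cloudformation:GetTemplateSummary",
                   "cloudformation:DescribeStackEvents", "sns:ListTopics"]

MANAGED_POLICY_LIMIT = 6144  # AWS size limit for a managed policy, counted without whitespace


def required_actions(include_console=False):
    """Flat, de-duplicated 'service:Action' list."""
    acts = [f"{svc}:{name}" for svc, names in FLIGHT_ACTIONS.items() for name in names]
    if include_console:
        acts += CONSOLE_ACTIONS
    return sorted(set(acts))


def build_policy(account_id, stack_prefix, template_bucket, include_console=False):
    """Split the flat list into statements so the actions that do accept a resource ARN
    (iam:* and s3:*) are scoped, while the rest stay on '*' as the reply warns."""
    actions = required_actions(include_console)
    iam_acts = [a for a in actions if a.startswith("iam:")]
    s3_acts = [a for a in actions if a.startswith("s3:")]
    rest = [a for a in actions if a not in iam_acts + s3_acts]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "FlightClusterResources", "Effect": "Allow",
             "Action": rest, "Resource": "*"},
            # Assumption: CloudFormation's default physical naming (StackName-LogicalId-random)
            # means a stack-name prefix bounds which roles this user can create and pass.
            {"Sid": "FlightInstanceRole", "Effect": "Allow", "Action": iam_acts,
             "Resource": [f"arn:aws:iam::{account_id}:role/{stack_prefix}*",
                          f"arn:aws:iam::{account_id}:instance-profile/{stack_prefix}*"]},
            # Only the bucket holding the template/bootstrap objects is readable.
            {"Sid": "FlightTemplateRead", "Effect": "Allow", "Action": s3_acts,
             "Resource": f"arn:aws:s3:::{template_bucket}/*"},
        ],
    }


def missing_actions(policy, required):
    """Actions in `required` that no Allow statement in `policy` grants."""
    granted = set()
    for st in policy["Statement"]:
        if st["Effect"] == "Allow":
            granted.update(st["Action"])
    return sorted(set(required) - granted)


def policy_size(policy):
    """Character count the way IAM measures it (whitespace excluded)."""
    return len("".join(json.dumps(policy).split()))


if __name__ == "__main__":
    # Placeholder account, prefix and bucket; replace with your own.
    pol = build_policy("123456789012", "flight-", "my-flight-templates", include_console=True)
    print(json.dumps(pol, indent=2))
    print("missing:", missing_actions(pol, required_actions(True)))
    print("size:", policy_size(pol), "of", MANAGED_POLICY_LIMIT)
```

Feed the printed JSON to `aws iam create-policy --policy-document file://...` and attach it to the launcher user or, for the Lambda approach mentioned above, to the function's execution role. Before narrowing any of the "*" actions further, check each one against the AWS IAM documentation, since an action that does not support resource-level permissions silently denies when given a specific ARN.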