File: docker-for-aws/iam-permissions.md, CC @gbarr01
/cc @FrenchBen
I solved it.
The linked document (https://docs.docker.com/docker-for-aws/iam-permissions/) is what is supposed to be the ideal policy. The error was "Cannot exceed quota for PolicySize: 6144", which I've seen other issues about.
I fixed it by consolidating the policy, which fully resolves the issue. It's just too long. I haven't tried compressing, but that probably doesn't help?
Final, working solution (as modified from the docker resource), to those who surf:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1481924239005",
      "Effect": "Allow",
      "Action": ["cloudformation:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "Stmt1481924344000",
      "Effect": "Allow",
      "Action": ["ec2:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "Stmt1481924651000",
      "Effect": "Allow",
      "Action": ["autoscaling:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "Stmt1481924759004",
      "Effect": "Allow",
      "Action": ["dynamodb:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "Stmt1481924854000",
      "Effect": "Allow",
      "Action": ["logs:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "Stmt1481924989003",
      "Effect": "Allow",
      "Action": ["sqs:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "Stmt1481924989002",
      "Effect": "Allow",
      "Action": ["iam:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "Stmt1481924989001",
      "Effect": "Allow",
      "Action": ["*"],
      "Resource": ["*"]
    },
    {
      "Sid": "Stmt1487169681000",
      "Effect": "Allow",
      "Action": ["elasticfilesystem:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "Stmt1487169681009",
      "Effect": "Allow",
      "Action": ["*"],
      "Resource": ["*"]
    }
  ]
}
```
TL;DR: I added wildcard selectors to each "action" of each unique resource, instead of listing all the individual permissions one by one (which resulted in too long a file).
For those using the policy from @joeyslack above: please be careful, as the policy gives full, unrestricted access to all services due to the last and third-to-last blocks:
```
{
  "Sid": "Stmt1487169681009",
  "Effect": "Allow",
  "Action": [
    "*" // No colon = all services
  ],
  "Resource": ["*"]
}
```
You can change these to `elasticloadbalancing:*` and `lambda:*` for a slightly more restricted policy that will work with Docker For AWS:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1481924239005",
      "Effect": "Allow",
      "Action": ["cloudformation:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "Stmt1481924344000",
      "Effect": "Allow",
      "Action": ["ec2:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "Stmt1481924651000",
      "Effect": "Allow",
      "Action": ["autoscaling:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "Stmt1481924759004",
      "Effect": "Allow",
      "Action": ["dynamodb:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "Stmt1481924854000",
      "Effect": "Allow",
      "Action": ["logs:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "Stmt1481924989003",
      "Effect": "Allow",
      "Action": ["sqs:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "Stmt1481924989002",
      "Effect": "Allow",
      "Action": ["iam:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "Stmt1481924989001",
      "Effect": "Allow",
      "Action": ["elasticloadbalancing:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "Stmt1487169681000",
      "Effect": "Allow",
      "Action": ["elasticfilesystem:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "Stmt1487169681009",
      "Effect": "Allow",
      "Action": ["lambda:*"],
      "Resource": ["*"]
    }
  ]
}
```
Closing this ticket due to its age, and the impending refactor. If you think this is in error, feel free to reopen. Thanks!
I need a policy in which all services (174 services) have only Read/List access.