AWS IAM Policy
On this page
- OAuth 2.0 authentication for programmatic access to Cloud Manager is available as a Preview feature.
- The feature and the corresponding documentation might change at any time during the Preview period. To use OAuth 2.0 authentication, create a service account to use in your requests to the Cloud Manager Public API.
Overview
When Cloud Manager deploys and manages MongoDB instances on AWS infrastructure, Cloud Manager accesses AWS by way of a user's access keys. The user associated with the keys must have an attached IAM policy with the following permissions. For information on attaching the policy, see Provision Servers.
For an overview of AWS IAM policies, see Amazon's IAM policy documentation.
Example Policy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["iam:*AccessKey*", "iam:GetUser"], "Resource": ["*"] }, { "Effect": "Allow", "Action": [ "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateKeyPair", "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteKeyPair", "ec2:DeleteSecurityGroup", "ec2:DeleteTags", "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeInstances", "ec2:DescribeKeyPairs", "ec2:DescribeRegions", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVpcs", "ec2:DescribeVpcAttribute", "ec2:DescribeVolumeStatus", "ec2:DescribeVolumes", "ec2:DescribeVolumeAttribute", "ec2:ImportKeyPair", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances", "ec2:TerminateInstances" ], "Resource": [ "*" ] } ] }
Policy Settings
The following table explains why each setting is required. Cloud Manager uses
permissions provided by the customer only for CRUD actions on the resources
Cloud Manager creates for the customer. Additionally, Cloud Manager performs only Read
actions for resources the customer selects (VPC, subnet, etc) and for
connected resources (network ACL, route table, etc).
Setting | Allows Cloud Manager to: |
---|---|
ec2:AttachVolume | Add an EBS volume to a provisioned server. |
ec2:AuthorizeSecurityGroupIngress | Manage the security group rules Cloud Manager needs to ensure a valid networking state. |
ec2:CreateKeyPair | SSH into a machine in order to provision it. |
ec2:CreateSecurityGroup | Auto-generate security groups in the provisioning wizard. |
ec2:CreateTags | Tag the EC2 instances. |
ec2:CreateVolume | Create the EBS volumes. |
ec2:DeleteKeyPair | Remove the key pair Cloud Manager created. |
ec2:DeleteSecurityGroup | Remove the security group Cloud Manager created. |
ec2:DeleteTags | Remove tags Cloud Manager created. |
ec2:DeleteVolume | Removes resources Cloud Manager created. |
ec2:DescribeAccountAttributes | Determine if the AWS account has access to EC2-Classic. |
ec2:DescribeAvailabilityZones | Display the availability zones users can select when they provision new servers. |
ec2:DescribeInstanceAttribute | Access attributes of an EC2 instance. |
ec2:DescribeInstanceStatus | Access the status of an EC2 instance. |
ec2:DescribeInstances | Access available EC2 instances. |
ec2:DescribeKeyPairs | Validate the key pair Cloud Manager created. |
ec2:DescribeRegions | Display the regions users can select when they provision new servers. |
ec2:DescribeSecurityGroups | Display the security groups users can select when they provision new servers. |
ec2:DescribeSubnets | Display the subnets users can select when they provision new servers. |
ec2:DescribeTags | List tags for instances associated with Cloud Manager. |
ec2:DescribeVpcs | Display the VPCs users can select when they provision new servers. |
ec2:DescribeVpcAttribute | Access VPC attributes. |
ec2:DescribeVolumeStatus | Validate the readiness of an attached or detached volume. |
ec2:DescribeVolumes | Ensure your MongoDB server has the correct volumes attached. |
ec2:DescribeVolumeAttribute | Access information on EBS volumes. |
ec2:ImportKeyPair | Associate a key pair with an EC2 instance. |
ec2:RunInstances | Run the EC2 instance. |
ec2:StartInstances | Start the EC2 instance. |
ec2:StopInstances | Stop the EC2 instance. |
ec2:RebootInstances | Reboot the EC2 instance. |
ec2:TerminateInstances | Terminate the EC2 instance. |