How Do I Attach EC2 DescribeInstances Permission to an IAM Role?

Introduction

Managing permissions for AWS resources is a crucial aspect of cloud security and operations. When working with Amazon EC2 instances, you may need to grant specific permissions to an IAM role. One such permission is DescribeInstances, which allows the role to retrieve details about EC2 instances. This guide will walk you through the process of attaching the EC2 DescribeInstances permission to an IAM role using Pulumi, a modern infrastructure as code platform.

Step-by-Step Explanation

To attach the EC2 DescribeInstances permission to an IAM role using Pulumi, follow these steps:

  1. Create an IAM Role: Begin by creating an IAM role with a trust policy that allows EC2 to assume the role. This is achieved by specifying the sts:AssumeRole action for the EC2 service.

  2. Define the Policy: Next, define a policy that includes the ec2:DescribeInstances action. This policy grants the necessary permission to describe EC2 instances.

  3. Attach the Policy: Attach the defined policy to the IAM role using a RolePolicyAttachment. This step ensures that the role has the permissions specified in the policy.

  4. Export the Role ARN: Finally, export the ARN of the role. This is useful for referencing the role in other parts of your infrastructure or applications.

Here is the TypeScript code that implements these steps:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create an IAM Role
const ec2Role = new aws.iam.Role("ec2Role", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Action: "sts:AssumeRole",
                Principal: {
                    Service: "ec2.amazonaws.com",
                },
                Effect: "Allow",
                Sid: "",
            },
        ],
    }),
});

// Define the policy that allows DescribeInstances
const describeInstancesPolicy = new aws.iam.Policy("describeInstancesPolicy", {
    description: "A policy that allows EC2 DescribeInstances",
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Action: "ec2:DescribeInstances",
                Effect: "Allow",
                Resource: "*",
            },
        ],
    }),
});

// Attach the policy to the role
const rolePolicyAttachment = new aws.iam.RolePolicyAttachment("rolePolicyAttachment", {
    role: ec2Role.name,
    policyArn: describeInstancesPolicy.arn,
});

// Export the role ARN
export const roleArn = ec2Role.arn;

Key Points

  • IAM Role Creation: The role includes a trust policy for EC2.
  • Policy Definition: The policy grants DescribeInstances permission.
  • Policy Attachment: The policy is attached to the role, linking permissions to the role.
  • Role Export: The ARN of the role is exported for easy reference.
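As an added example (not code from the page or from Pulumi), the plain TypeScript below rebuilds the two policy documents used above and lints them before deployment, a check worth running in CI so the role stays read-only and trusted only by EC2. The Resource "*" on DescribeInstances is required because EC2 Describe* actions do not support resource-level permissions, so the lint enforces least privilege on Action instead; the action allow-list and service name are the page's own values.

```typescript
// Added example, not from the original page or from Pulumi: builds the guide's
// policy documents as plain objects and lints them before "pulumi up".
interface Statement {
    Effect: "Allow" | "Deny";
    Action: string | string[];
    Resource?: string | string[];
    Principal?: { Service?: string | string[] };
}
interface PolicyDocument { Version: string; Statement: Statement[]; }

// Trust policy: only the EC2 service may assume the role.
function buildTrustPolicy(): PolicyDocument {
    return { Version: "2012-10-17", Statement: [{ Effect: "Allow",
        Action: "sts:AssumeRole", Principal: { Service: "ec2.amazonaws.com" } }] };
}

// Permissions policy: Resource stays "*" because EC2 Describe* actions do not
// support resource-level permissions; least privilege is enforced via Action.
function buildDescribeInstancesPolicy(): PolicyDocument {
    return { Version: "2012-10-17", Statement: [{ Effect: "Allow",
        Action: "ec2:DescribeInstances", Resource: "*" }] };
}

const asList = (v: string | string[] | undefined): string[] =>
    v === undefined ? [] : Array.isArray(v) ? v : [v];
// Findings for a permissions policy; an empty list means it passes review.
function lintPermissionsPolicy(doc: PolicyDocument, allowedActions: string[]): string[] {
    const findings: string[] = [];
    for (const s of doc.Statement) {
        if (s.Effect !== "Allow") continue;          // Deny statements only narrow access
        for (const a of asList(s.Action)) {
            // A wildcard or an action outside the allow-list widens the role.
            if (a.includes("*")) findings.push(`wildcard action ${a}`);
            else if (!allowedActions.includes(a)) findings.push(`unexpected action ${a}`);
        }
    }
    return findings;
}

// Findings for a trust policy: every statement must name only expectedService.
function lintTrustPolicy(doc: PolicyDocument, expectedService: string): string[] {
    const findings: string[] = [];
    for (const s of doc.Statement) {
        const services = asList(s.Principal?.Service);
        if (services.length === 0) findings.push("statement has no service principal");
        for (const svc of services) if (svc !== expectedService) findings.push(`unexpected principal ${svc}`);
    }
    return findings;
}
```

An EC2 instance can only use this role through an instance profile (aws.iam.InstanceProfile in Pulumi), which the steps above do not create.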

Conclusion

By following these steps, you can successfully attach the EC2 DescribeInstances permission to an IAM role using Pulumi. This setup ensures that your IAM role is equipped with the necessary permissions to interact with EC2 instances, allowing for effective management and operations within your AWS environment.
