AWS Permissions for Elastic Bamboo

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Providing the AWS_ACCESS_KEY and AWS_SECRET_KEY of a master account is the easiest way to configure Elastic agents and let Bamboo create EC2 instances and other resources in AWS, but it may make more sense to create a dedicated IAM user with a fixed set of granular permissions. This KB gives an overview of the must-have permissions for that IAM user.

Environment

All Bamboo versions that support Elastic Agents

Solution

While the below solution has been verified by a number of users, it is possible that there are missing permissions for some edge cases. Reach out to Atlassian support if the suggested set of permissions does not let Bamboo manage AWS elastic agents.

Rather than using the root user access key and secret, create a new IAM user with the following permissions:

Please note that the IAM user permission below may not meet your organization's security standards. Feel free to modify it as required.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:AttachVolume",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CancelSpotInstanceRequests",
        "ec2:CreateKeyPair",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteVolume",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAddresses",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeRegions",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSpotInstanceRequests",
        "ec2:DescribeSpotPriceHistory",
        "ec2:DescribeSubnets",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcs",
        "ec2:GetConsoleOutput",
        "ec2:ModifyInstanceAttribute",
        "ec2:RequestSpotInstances",
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "s3:GetBucketLocation",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Looking for more restricted permissions?

If you would like to restrict the permissions granted to the IAM user, amend them according to your needs. The example below allows Bamboo to terminate only the instances whose Name tag matches 'bam::*'.

More restricted permission sample
{
  "Action": "ec2:TerminateInstances",
  "Effect": "Allow",
  "Resource": "*",
  "Condition": {
    "StringLike": { "aws:ResourceTag/Name": "bam::*" }
  }
}
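
An added example, not part of Atlassian's article: a Python check that lists the mutating actions a policy grants on every resource without a condition, and moves chosen actions into a statement carrying the tag condition from the sample above. The embedded policy is a subset of the page's action list, the function names are hypothetical, and treating Describe/Get/List actions as read-only is a heuristic assumption.

```python
import copy

READ_ONLY_PREFIXES = ("Describe", "Get", "List")  # heuristic (assumption)

# Constructed sample input: a subset of the actions in the page's policy.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Resource": "*",
        "Action": [
            "ec2:CreateTags", "ec2:DeleteVolume", "ec2:DescribeInstances",
            "ec2:GetConsoleOutput", "ec2:RunInstances",
            "ec2:TerminateInstances", "s3:ListBucket",
        ],
    }],
}

def as_list(value):
    """IAM accepts a bare string where a list is expected."""
    return [value] if isinstance(value, str) else list(value)

def unscoped_mutations(policy):
    """Mutating actions allowed on Resource "*" with no Condition."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" not in as_list(stmt.get("Resource", [])):
            continue
        for action in as_list(stmt.get("Action", [])):
            if not action.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES):
                found.add(action)
    return sorted(found)

def scope_by_name_tag(policy, actions, pattern="bam::*"):
    """Return a copy with `actions` moved under the page's tag condition."""
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        stmt["Action"] = [a for a in as_list(stmt["Action"]) if a not in actions]
    scoped["Statement"].append({
        "Effect": "Allow",
        "Action": sorted(actions),
        "Resource": "*",
        "Condition": {"StringLike": {"aws:ResourceTag/Name": pattern}},
    })
    return scoped
```

The actions still reported after scoping are candidates for further restriction; whether a given action supports a tag condition has to be checked against the AWS documentation for that action.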

Instance profile

If you specify a custom Instance Profile on your Elastic Image configuration, you will have to add an additional iam:PassRole permission to allow instance profiles to be used. More information can be found here:


Last modified on Feb 15, 2023
