AWS Permissions for Elastic Bamboo
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
While providing AWS_ACCESS_KEY and AWS_SECRET_KEY of a master account is the easiest way to configure Elastic agents and let Bamboo create EC2 instances along with other resources in AWS, it may make more sense to create a dedicated IAM user with a set of fixed granular permissions. This KB will give an overview of must-have permissions for IAM users.
Environment
All Bamboo versions that support Elastic Agents
Solution
While the below solution has been verified by a number of users, it is possible that there are missing permissions for some edge cases. Reach out to Atlassian support if the suggested set of permissions does not let Bamboo manage AWS elastic agents.
Rather than using the root user access key and secret, create a new IAM user with the following permissions:
Please note that the IAM user permission below may not meet your organization's security standards. Feel free to modify it as required.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:AttachVolume",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CancelSpotInstanceRequests",
                "ec2:CreateKeyPair",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:DeleteVolume",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeRegions",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSpotInstanceRequests",
                "ec2:DescribeSpotPriceHistory",
                "ec2:DescribeSubnets",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcs",
                "ec2:GetConsoleOutput",
                "ec2:ModifyInstanceAttribute",
                "ec2:RequestSpotInstances",
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
Looking for more restricted permissions?
If you would like to restrict the permissions that IAM users can have, please amend them according to your needs. The example below allows Bamboo to terminate only the instances whose Name tag matches 'bam::*' (the condition key aws:ResourceTag/Name is evaluated against the instance's Name tag). The statement only has the intended effect if ec2:TerminateInstances is removed from the unconditioned statement above; otherwise that broader Allow still applies.
More restricted permission sample
{
    "Action": "ec2:TerminateInstances",
    "Effect": "Allow",
    "Resource": "*",
    "Condition": {
        "StringLike": {
            "aws:ResourceTag/Name": "bam::*"
        }
    }
}
Instance profile
If you specify a custom Instance Profile on your Elastic Image configuration, you will have to add an additional iam:PassRole permission to allow instance profiles to be used. More information can be found here:
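The following is an added example, not code from Atlassian or AWS, covering both the restricted-permission sample above and the iam:PassRole note. It assembles the KB's action list with ec2:TerminateInstances moved into the tag-conditioned statement, adds an iam:PassRole statement limited to one instance-profile role (the account id and role name are placeholders, not values from this KB), and checks sample requests against the result with a simplified, offline model of IAM evaluation (explicit Deny wins, any matching Allow permits, everything else is implicitly denied). Only StringLike/StringEquals conditions and '*'/'?' wildcards are modelled; use the IAM policy simulator for authoritative answers.

```python
"""Offline check of the Elastic Bamboo IAM policy shape from this KB (added example).

Simplified IAM evaluation: explicit Deny wins, then any matching Allow, else denied.
Only StringLike/StringEquals conditions and '*'/'?' wildcards are modelled.
"""
import re

# Actions from the KB's policy; ec2:TerminateInstances is granted separately below.
BROAD_ACTIONS = [
    "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", "ec2:CancelSpotInstanceRequests",
    "ec2:CreateKeyPair", "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:CreateVolume",
    "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses",
    "ec2:DescribeAvailabilityZones", "ec2:DescribeImages", "ec2:DescribeInstances",
    "ec2:DescribeKeyPairs", "ec2:DescribeRegions", "ec2:DescribeSecurityGroups",
    "ec2:DescribeSpotInstanceRequests", "ec2:DescribeSpotPriceHistory", "ec2:DescribeSubnets",
    "ec2:DescribeVolumes", "ec2:DescribeVpcs", "ec2:GetConsoleOutput",
    "ec2:ModifyInstanceAttribute", "ec2:RequestSpotInstances", "ec2:RunInstances",
    "s3:GetBucketLocation", "s3:ListBucket",
]
REQUIRED_ACTIONS = BROAD_ACTIONS + ["ec2:TerminateInstances", "iam:PassRole"]

# Placeholder account id and role name: assumptions, not values from the KB.
AGENT_ROLE_ARN = "arn:aws:iam::123456789012:role/bamboo-elastic-agent"
INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"  # constructed

BAMBOO_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": BROAD_ACTIONS, "Resource": "*"},
        {   # the KB's restricted sample: terminate only instances whose Name tag matches bam::*
            "Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",
            "Condition": {"StringLike": {"aws:ResourceTag/Name": "bam::*"}},
        },
        {   # PassRole limited to the one instance-profile role Bamboo may hand to agents
            "Effect": "Allow", "Action": "iam:PassRole", "Resource": AGENT_ROLE_ARN,
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_holds(condition, context):
    """Every condition block must hold; a key absent from the request context fails it."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                return False
            if operator == "StringLike":
                ok = any(_match(p, context[key]) for p in _as_list(expected))
            elif operator == "StringEquals":
                ok = context[key] in _as_list(expected)
            else:
                raise NotImplementedError(f"condition operator {operator} not modelled")
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Evaluate one request: an explicit Deny wins, any matching Allow permits, else denied."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_match(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def ungranted_actions(policy, required):
    """Required actions that no Allow statement names at all (conditions ignored)."""
    granted = [a for s in policy["Statement"] if s["Effect"] == "Allow" for a in _as_list(s["Action"])]
    return [act for act in required if not any(_match(g, act, ignore_case=True) for g in granted)]


def check_policy():
    """Requests a Bamboo operator would expect to succeed or fail under this policy."""
    terminate = lambda ctx: is_allowed(BAMBOO_POLICY, "ec2:TerminateInstances", INSTANCE, ctx)
    return {
        "terminate_bamboo_agent": terminate({"aws:ResourceTag/Name": "bam::agent-1"}),
        "terminate_other_instance": terminate({"aws:ResourceTag/Name": "prod-db-1"}),
        "terminate_untagged": terminate({}),
        "pass_agent_role": is_allowed(BAMBOO_POLICY, "iam:PassRole", AGENT_ROLE_ARN),
        "pass_other_role": is_allowed(BAMBOO_POLICY, "iam:PassRole",
                                      "arn:aws:iam::123456789012:role/Admin"),
        "run_instances": is_allowed(BAMBOO_POLICY, "ec2:RunInstances", "*"),
        "missing_actions": ungranted_actions(BAMBOO_POLICY, REQUIRED_ACTIONS),
    }


if __name__ == "__main__":
    for name, result in check_policy().items():
        print(f"{name}: {result}")
```

The two negative terminate cases are the point of the conditioned statement: an instance with a different Name tag, or no tag at all, is denied because the condition key is absent or unmatched. The iam:PassRole case shows why scoping that statement's Resource to the agent role matters; with Resource "*" the Bamboo user could attach any role in the account to the agents it launches.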