AWSThinkboxAWSPortalGatewayPolicy

You can attach the AWSThinkboxAWSPortalGatewayPolicy policy to your IAM identities.

This policy grants permissions that allow the Gateway instance in AWS Portal to write Thinkbox-created logs to CloudWatch, perform upload and download actions on the S3 Cache bucket (for backwards compatibility purposes), read the Resource Tracker Fleet Health table, get UBL and TLS certificates from the stack bucket, and get the password for the RCS TLS cert if necessary.

Permissions details

This policy includes the following permissions.

  • dynamodb - Used by Deadline Pulse running on the Gateway instance to read the Resource Tracker’s DeadlineFleetHealth DynamoDB table. This is needed for Pulse to report fleet health back to on-premises.

  • logs - Used by the Gateway instance to stream Thinkbox-created logs to CloudWatch. Additionally, there are permissions to create the necessary log groups/streams if they don’t already exist.

  • s3 - Used by the Gateway instance to get Usage Based Licensing (UBL) and Deadline Client RCS certificates from S3. Additionally, there are permissions to upload the CA certificate used to sign its server certificate, which Workers will use to authenticate the Gateway.

  • secretsmanager - Used by the Gateway instance to fetch the passphrase for the RCS TLS certificate, if it has one.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:DescribeLogStreams",
                "logs:DescribeLogGroups",
                "logs:CreateLogStream"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:/thinkbox*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::aws-portal-cache*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "dynamodb:Scan",
            "Resource": [
                "arn:aws:dynamodb:*:*:table/DeadlineFleetHealth*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::stack*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::stack*/gateway_certs/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:*:*:secret:rcs-tls-pw-stack*"
            ]
        }
    ]
}
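As an added example (not part of the AWS documentation or of any AWS tool), the following Python script loads the policy above and answers two questions a reviewer typically asks of a managed policy: does a given action on a given ARN fall inside its Allow statements, and which actions are granted on a bare "*" resource. The evaluator is deliberately simplified to the elements this policy actually uses (Effect, Action, Resource with IAM wildcards); it does not model Deny, NotAction, Condition, or other policies attached to the identity, so it is a document-level check, not a substitute for the IAM policy simulator. All ARNs in the usage are constructed sample values.

```python
import re

# The AWSThinkboxAWSPortalGatewayPolicy statements from the page, compacted into a dict.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:PutLogEvents", "logs:DescribeLogStreams",
                                   "logs:DescribeLogGroups", "logs:CreateLogStream"],
     "Resource": ["arn:aws:logs:*:*:log-group:/thinkbox*"]},
    {"Effect": "Allow", "Action": ["logs:CreateLogGroup"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::aws-portal-cache*"]},
    {"Effect": "Allow", "Action": "dynamodb:Scan",
     "Resource": ["arn:aws:dynamodb:*:*:table/DeadlineFleetHealth*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::stack*"]},
    {"Effect": "Allow", "Action": ["s3:PutObject"],
     "Resource": ["arn:aws:s3:::stack*/gateway_certs/*"]},
    {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
     "Resource": ["arn:aws:secretsmanager:*:*:secret:rcs-tls-pw-stack*"]},
]}

def _as_list(value) -> list:
    # IAM allows Action/Resource to be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def _iam_match(pattern: str, value: str) -> bool:
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' exactly one.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.DOTALL) is not None

def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement covers (action, resource).

    Simplified evaluator: Effect/Action/Resource with wildcards only, which is all this
    policy uses. No Deny, NotAction, Condition or cross-policy evaluation is modelled.
    Action names compare case-insensitively; resource ARNs are case-sensitive, as in IAM.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(_iam_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
        resource_ok = any(_iam_match(r, resource) for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False

def unscoped_actions(policy: dict) -> list:
    """Actions granted on Resource '*': the broadest grants and the first thing to review."""
    return sorted({a for s in policy["Statement"] if s.get("Effect") == "Allow"
                   and "*" in _as_list(s["Resource"]) for a in _as_list(s["Action"])})
```

Run against this policy, `unscoped_actions` reports only `logs:CreateLogGroup`, and `is_allowed` confirms that `s3:PutObject` on a stack bucket succeeds only under the `gateway_certs/` prefix while `s3:GetObject` is readable anywhere in that bucket.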