AWSThinkboxAWSPortalWorkerPolicy
You can attach the AWSThinkboxAWSPortalWorkerPolicy policy to your IAM identities.
This policy grants the permissions that Deadline Workers in AWS Portal need to access S3 buckets, CloudWatch Logs, and SQS queues. This includes uploading to and downloading from the S3 Cache Bucket, streaming Thinkbox logs to CloudWatch, and reporting information to the Resource Tracker SQS queue.
Permissions details
This policy includes the following permissions.
ec2
- Used by the Deadline Worker to query its own tags in order to determine whether it is tracked by the Resource Tracker (ec2:DescribeTags does not support resource-level permissions, so its Resource is "*"). The ec2:TerminateInstances permission is used to self-terminate when the Deadline Worker is idle; the condition on that statement limits it to the instance making the call.
s3
- Used by the Deadline Worker to retrieve a CA certificate, which is used to establish a TLS connection with the AWS Portal Gateway. Also used to upload/download files to/from the AWS Portal S3 Cache bucket. Both grants are scoped by bucket-name prefix (aws-portal-cache* and stack*/gateway_certs/*).
logs
- Used by the Deadline Worker to stream Thinkbox-created logs to CloudWatch into log groups named /thinkbox*. Additionally, there are permissions to create the necessary log groups/streams if they don't already exist.
sqs
- Used by the Deadline Worker to report its health information to the Resource Tracker SQS queue (queues named DeadlineAWS*).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeTags"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ARN": "${ec2:SourceInstanceARN}"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::aws-portal-cache*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::stack*/gateway_certs/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams",
        "logs:DescribeLogGroups"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/thinkbox*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sqs:SendMessage",
        "sqs:GetQueueUrl"
      ],
      "Resource": [
        "arn:aws:sqs:*:*:DeadlineAWS*"
      ]
    }
  ]
}
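To see concretely what the statements above let a worker do and not do, the following added example (not code from the AWS documentation or from the Deadline product) runs the policy through a small offline evaluator. It models only the IAM features this policy uses: Allow statements, `*`/`?` wildcards in Action and Resource, and the StringEquals condition with `${...}` policy-variable substitution. It assumes that `aws:ARN` names the ARN of the resource the call targets, so the TerminateInstances condition reduces to "target instance equals calling instance", which is the self-termination case the description refers to. The account ID, region, instance IDs, bucket, log-group and queue names are constructed for illustration.

```python
"""Offline probe of what AWSThinkboxAWSPortalWorkerPolicy permits (added example)."""
import re

# Same statements as the managed policy above, written compactly.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:DescribeTags"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["ec2:TerminateInstances"],
         "Resource": ["arn:aws:ec2:*:*:instance/*"],
         "Condition": {"StringEquals": {"aws:ARN": "${ec2:SourceInstanceARN}"}}},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::aws-portal-cache*"]},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::stack*/gateway_certs/*"]},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents",
                                       "logs:DescribeLogStreams", "logs:DescribeLogGroups"],
         "Resource": ["arn:aws:logs:*:*:log-group:/thinkbox*"]},
        {"Effect": "Allow", "Action": ["logs:CreateLogGroup"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["sqs:SendMessage", "sqs:GetQueueUrl"],
         "Resource": ["arn:aws:sqs:*:*:DeadlineAWS*"]},
    ],
}


def _glob_match(pattern: str, value: str) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' exactly one, rest literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def _condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate a Condition block; only StringEquals is needed for this policy."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            # A value like ${ec2:SourceInstanceARN} is a policy variable filled from the
            # request context. If the variable is absent, the condition fails closed.
            var = re.fullmatch(r"\$\{([^}]+)\}", expected)
            if var:
                expected = context.get(var.group(1))
            if expected is None or context.get(key) != expected:
                return False
    return True


def is_allowed(action: str, resource: str, context: dict, policy: dict = POLICY) -> bool:
    """True if some Allow statement matches action and resource and its condition holds.
    This policy has no Deny statements, so a single matching Allow is sufficient."""
    # Assumption of this example: aws:ARN is the ARN of the resource the call targets.
    context = {**context, "aws:ARN": resource}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_glob_match(a.lower(), action.lower()) for a in stmt["Action"]):
            continue  # action names are case-insensitive in IAM
        if not any(_glob_match(r, resource) for r in stmt["Resource"]):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


# Constructed identifiers for the demonstration.
REGION, ACCOUNT = "us-west-2", "123456789012"
OWN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/i-0123456789abcdef0"
OTHER = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/i-0fedcba9876543210"


def worker_checks(own_instance_arn: str = OWN) -> dict:
    """Probe the policy from the point of view of one worker instance."""
    ctx = {"ec2:SourceInstanceARN": own_instance_arn}
    s3, logs, sqs = "arn:aws:s3:::", f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:", f"arn:aws:sqs:{REGION}:{ACCOUNT}:"
    return {
        "describe_tags": is_allowed("ec2:DescribeTags", "*", ctx),
        "terminate_self": is_allowed("ec2:TerminateInstances", own_instance_arn, ctx),
        "terminate_other": is_allowed("ec2:TerminateInstances", OTHER, ctx),
        "cache_put": is_allowed("s3:PutObject", s3 + "aws-portal-cache-abc123/job/frame.exr", ctx),
        "cache_list": is_allowed("s3:ListBucket", s3 + "aws-portal-cache-abc123", ctx),
        "other_bucket_get": is_allowed("s3:GetObject", s3 + "customer-assets/secret.txt", ctx),
        "cert_get": is_allowed("s3:GetObject", s3 + "stack-1234/gateway_certs/ca.pem", ctx),
        "cert_put": is_allowed("s3:PutObject", s3 + "stack-1234/gateway_certs/ca.pem", ctx),
        "log_put": is_allowed("logs:PutLogEvents", logs + "/thinkbox/worker:log-stream:i-0123", ctx),
        "log_put_other": is_allowed("logs:PutLogEvents", logs + "/app/prod", ctx),
        "log_group_any": is_allowed("logs:CreateLogGroup", logs + "/app/prod", ctx),
        "sqs_report": is_allowed("sqs:SendMessage", sqs + "DeadlineAWSResourceTracker", ctx),
        "sqs_other": is_allowed("sqs:SendMessage", sqs + "billing-events", ctx),
    }


if __name__ == "__main__":
    for name, allowed in worker_checks().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}")
```

Two things the run makes visible that are worth checking in your own account: the S3 ARNs carry no account segment (S3 ARNs never do), so the worker can read and write any bucket whose name begins with `aws-portal-cache` and read `gateway_certs/` objects in any bucket whose name begins with `stack`; make sure no unrelated bucket shares those prefixes. And while log writes are confined to `/thinkbox*`, `logs:CreateLogGroup` on `*` lets the worker create a log group of any name. This evaluator is a teaching aid, not a replacement for the IAM policy simulator, which also accounts for resource policies, permission boundaries and SCPs.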