AWSThinkboxDeadlineSpotEventPluginAdminPolicy

You can attach the AWSThinkboxDeadlineSpotEventPluginAdminPolicy policy to your IAM identities.

This policy grants administrative permissions that allow Deadline to operate the Spot Event Plugin. This includes permission to request, modify, and cancel a Spot Fleet, as well as a limited PassRole permission.

Permissions details

This policy includes the following permissions.

  • ec2 - Used to create, delete, update, and get the current state of a Spot Fleet Request. The plugin also calls TerminateInstances to enforce a user-configured hard cap on the number of instances, and RunInstances to check whether the user is allowed to launch instances in the requested Spot Fleet. The plugin also uses CreateTags to tag the launched instances so that they can be tracked by the Resource Tracker.

  • iam - Used to enable Spot-related services to create the Service-Linked Roles that they need to operate. These permissions are also used to improve error messages by logging the Role, User, and Instance Profile. The PassRole permission is required to pass the default IAM fleet role (aws-ec2-spot-fleet-tagging-role) used by the Spot Fleet service.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CancelSpotFleetRequests",
                "ec2:DescribeSpotFleetInstances",
                "ec2:DescribeSpotFleetRequests",
                "ec2:ModifySpotFleetRequest",
                "ec2:RequestSpotFleet"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "RunInstances"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/aws:ec2spot:fleet-request-id": "*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "spot.amazonaws.com",
                        "spotfleet.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetInstanceProfile"
            ],
            "Resource": [
                "arn:aws:iam::*:instance-profile/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-ec2-spot-fleet-tagging-role",
                "arn:aws:iam::*:role/DeadlineSpot*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetUser"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-ec2-spot-fleet-tagging-role",
                "arn:aws:iam::*:role/DeadlineSpot*"
            ],
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": "ec2.amazonaws.com"
                }
            }
        }
    ]
}
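As an added defender-side check, not part of the managed policy or the AWS documentation, the following Python audits an IAM policy document for the scoping properties this policy relies on: sensitive actions such as iam:PassRole and ec2:TerminateInstances carry a Condition, PassRole is pinned to a service via iam:PassedToService, and wildcard resources are conditioned. The embedded sample is a constructed excerpt of three statements from the policy above, and the audit() and SENSITIVE names are the example's own.

```python
# Constructed excerpt of three statements from the policy above, used as
# sample input; it is not the full managed policy.
POLICY_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["ec2:TerminateInstances"],
         "Resource": ["arn:aws:ec2:*:*:instance/*"],
         "Condition": {"StringLike": {
             "ec2:ResourceTag/aws:ec2spot:fleet-request-id": "*"}}},
        {"Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": ["arn:aws:iam::*:role/aws-ec2-spot-fleet-tagging-role",
                      "arn:aws:iam::*:role/DeadlineSpot*"],
         "Condition": {"StringLike": {"iam:PassedToService": "ec2.amazonaws.com"}}},
    ],
}

# Actions that should only be granted together with a scoping Condition.
SENSITIVE = {"iam:PassRole", "ec2:TerminateInstances"}


def _as_list(v):
    # IAM accepts either a single string or a list for Action/Resource.
    return v if isinstance(v, list) else [v]


def audit(policy):
    """Return (action, finding) pairs for Allow statements that grant a
    sensitive action, or a wildcard resource, without a scoping Condition."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        cond = st.get("Condition", {})
        resources = _as_list(st.get("Resource", []))
        # Flatten condition keys across operators (StringEquals, StringLike, ...).
        cond_keys = {k for op in cond.values() for k in op}
        for action in _as_list(st.get("Action", [])):
            if action in SENSITIVE and not cond:
                findings.append((action, "sensitive action without Condition"))
            elif action == "iam:PassRole" and "iam:PassedToService" not in cond_keys:
                findings.append((action, "PassRole not pinned to a service"))
            if "*" in resources and not cond:
                findings.append((action, "wildcard resource, no Condition"))
    return findings
```

Run against the excerpt, the only finding is the unconditional ec2:RunInstances on "*", which the policy grants so the plugin can check launch permission; the Terminate and PassRole statements pass because they carry the tag and PassedToService conditions.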