IAM Roles for OSDU

Fulfillment Role

The Fulfillment Role is required in your account to fulfill your Preview Deployment. It has limited but powerful permissions. Among other things, it creates five other (persistent) roles that are required for your Preview Deployment to do its day-to-day business.

  • OSDUR2DynamodbTableScalingRole-uniqueinstanceID
  • OSDUR2EntitlementsLambdaRole-uniqueinstanceID
  • OSDUR2EcsTaskExecutionRole-uniqueinstanceID
  • OSDUR2Pipeline-uniqueinstanceID
  • OSDUR2EcsAutoScalingRole-uniqueinstanceID

OSDUR2DynamodbTableScalingRole-uniqueinstanceID

CloudWatch
    DescribeAlarms
    GetMetricStatistics

    DeleteAlarms
    PutMetricAlarm
    SetAlarmState

DynamoDB
    DescribeTable
    UpdateTable

This role allows DynamoDB to alter throughput in response to CloudWatch alarms. Its permissions are limited to CloudWatch and DynamoDB. The CloudWatch permissions are all alarm-related: DescribeAlarms and GetMetricStatistics read alarm state and metric data, while DeleteAlarms, PutMetricAlarm and SetAlarmState create, modify, delete and set the state of alarms. The DynamoDB permissions are equally narrow: DescribeTable reads information about DDB tables, and UpdateTable allows modification of table settings related to DynamoDB Streams, global secondary indexes and throughput. All permissions apply to all resources without restriction, that is, to every CloudWatch alarm and every DynamoDB table in the account.

OSDUR2EntitlementsLambdaRole-uniqueinstanceID

AmazonCognitoPowerUser
    Certificate Manager Full: List
    Cognito Identity Full access
    Cognito Sync Full access
    Cognito User Pools Full access
    IAM Limited: List, Read, Write
    Kinesis Limited: List
    Lambda Limited: List, Read
    Pinpoint Limited: List
    SES Limited: List, Read
    SNS Limited: List

CloudWatch Logs
    Full access
DynamoDB
    Full access

This role has FullAccess permissions for CloudWatch Logs and DynamoDB. It further carries the AmazonCognitoPowerUser managed policy, which includes permissions for several other AWS services (listed above). The resource scope of every policy in this role is unconstrained, so the role permits the listed actions not only on resources provisioned as part of your Preview Deployment but also on any other resources of those services that exist in your account.

OSDUR2EcsTaskExecutionRole-uniqueinstanceID

OSDUR2EcsTaskExecutionPolicy-uniqueinstanceID
    CloudWatch Logs
        CreateLogStream
        PutLogEvents
    Elastic Container Registry
        BatchCheckLayerAvailability
        BatchGetImage
        GetAuthorizationToken
        GetDownloadUrlForLayer

This role allows your Preview Deployment to pull container images from Elastic Container Registry (ECR) and log relevant events to CloudWatch. Its permissions for CloudWatch Logs and ECR are limited: the CloudWatch Logs permissions cover only creating log streams in existing log groups and writing log events to them. Of the ECR permissions, GetAuthorizationToken allows pulling or pushing container images from or to any ECR repository; the other three are required for pulling images.

OSDUR2EcsAutoScalingRole-uniqueinstanceID

Application Auto Scaling Full access
CloudWatch Limited: Read, Write
Elastic Container Service Limited: Read, Write

This role allows auto-scaling of container resources. It has FullAccess to Application Auto Scaling and limited (read and write) permissions for Elastic Container Service (ECS) and CloudWatch.

OSDUR2Pipeline-uniqueinstanceID

API Gateway
Application Auto Scaling
Certificate Manager
CloudFormation
CloudFront
CloudWatch
CloudWatch Logs
CodeBuild
CodePipeline
Cognito User Pools
DynamoDB
EC2
Elastic Container Service
ElastiCache
Elasticsearch Service
ELB
ELB v2
IAM Limited: Read, Write
KMS
Lambda
Route 53
S3
SNS
SQS
STS
Systems Manager

This role has the broad permissions the deployment pipeline (CodePipeline and CodeBuild) needs to deploy the numerous required resources. It has FullAccess to every AWS service listed above except IAM, where permissions are tightly constrained: only GetRole and PassRole are allowed. Again, these permissions apply to all resources in the account.
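The unconstrained resource scope noted for several of these roles is worth verifying in your own account after the Fulfillment Role has created them. The following is an added example, not part of the OSDU documentation or code: it flags Allow statements whose Resource is "*" (or a service-wide ARN wildcard) across a role's inline and attached policies. SAMPLE_POLICY, the account id and the table ARN in it are constructed, and boto3 is an assumed dependency.

```python
# Constructed sample policy: the actions the page lists for OSDUR2DynamodbTableScalingRole
# with the unrestricted "*" scope the text describes, plus one table-scoped statement.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["cloudwatch:DescribeAlarms", "cloudwatch:GetMetricStatistics"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["cloudwatch:DeleteAlarms", "cloudwatch:PutMetricAlarm",
                    "cloudwatch:SetAlarmState"]},
        {"Effect": "Allow",
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/OSDUR2-*",
         "Action": ["dynamodb:DescribeTable", "dynamodb:UpdateTable"]},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_unscoped(resource):
    # Bare "*" or an ARN whose resource part is just "*" (e.g. arn:aws:s3:::*).
    return resource.split(":", 5)[-1] == "*"

def unscoped_statements(policy_doc):
    """Return (sorted actions, resources) for every unconditional Allow statement
    that reaches the whole account; Deny and Condition-bearing statements are skipped."""
    findings = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        resources = _as_list(stmt.get("Resource", []))
        if any(_is_unscoped(r) for r in resources):
            findings.append((sorted(_as_list(stmt.get("Action", []))), resources))
    return findings

def audit_role(role_name, iam=None):
    """Run the check over each inline and attached policy of one role (first page of
    results only). boto3 is an assumed dependency, imported lazily to keep the rest offline."""
    import boto3
    iam = iam or boto3.client("iam")
    report = {}
    for name in iam.list_role_policies(RoleName=role_name)["PolicyNames"]:
        doc = iam.get_role_policy(RoleName=role_name, PolicyName=name)["PolicyDocument"]
        report[name] = unscoped_statements(doc)
    for pol in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]:
        ver = iam.get_policy(PolicyArn=pol["PolicyArn"])["Policy"]["DefaultVersionId"]
        doc = iam.get_policy_version(PolicyArn=pol["PolicyArn"], VersionId=ver)
        report[pol["PolicyName"]] = unscoped_statements(doc["PolicyVersion"]["Document"])
    return report
```

Calling audit_role("OSDUR2Pipeline-<uniqueinstanceID>") with credentials that can read IAM lists every wildcard-scoped statement on that role, while unscoped_statements(SAMPLE_POLICY) runs without AWS access.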