AWS-policies-and-roles


Documentation for duet software installation and running guide and the data interpretation guide has moved. Read the latest version of the documentation now.


Overview

When using the biomodal-cloud-utils bootstrapping tool in an AWS environment, a policy is generated that enables you to run duet pipelines using AWS Batch.

The policy generated during the bootstrapping process grants the minimum set of permissions required to run the duet pipeline in your AWS environment. You will also need the permissions required to create and attach new policies during the bootstrapping process.

Prerequisites

To run the biomodal-cloud-utils utility you must be authenticated against an existing AWS account with adequate permissions. The example JSON policy document below lists the basic actions required to carry out both a bootstrap create and a bootstrap destroy. We nevertheless recommend that an administrator carries out the bootstrap create/destroy process, to minimise potential permissions issues.

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Effect": "Allow",
   "Action": [
    "batch:DescribeComputeEnvironments",
    "batch:DescribeJobQueues",
    "ec2:AssociateAddress",
    "ec2:CreateTags",
    "ec2:DeleteKeyPair",
    "ec2:DescribeAddresses",
    "ec2:DescribeAddressesAttribute",
    "ec2:DescribeImages",
    "ec2:DescribeInstanceCreditSpecifications",
    "ec2:DescribeInstanceTypes",
    "ec2:DescribeInstances",
    "ec2:DescribeKeyPairs",
    "ec2:DescribeLaunchTemplateVersions",
    "ec2:DescribeLaunchTemplates",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeSecurityGroupRules",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeSubnets",
    "ec2:DescribeTags",
    "ec2:DescribeVolumes",
    "ec2:DescribeVpcs",
    "ec2:DisassociateAddress",
    "ec2:ReleaseAddress",
    "sts:GetCallerIdentity"
   ],
   "Resource": "*"
  },
  {
   "Effect": "Allow",
   "Action": [
    "batch:CreateComputeEnvironment",
    "batch:CreateJobQueue",
    "batch:DeleteComputeEnvironment",
    "batch:UpdateComputeEnvironment"
   ],
   "Resource": "arn:aws:batch:${Region}:${Account}:compute-environment/${ComputeEnvironmentName}"
  },
  {
   "Effect": "Allow",
   "Action": [
    "batch:CreateJobQueue",
    "batch:DeleteJobQueue",
    "batch:UpdateJobQueue"
   ],
   "Resource": "arn:aws:batch:${Region}:${Account}:job-queue/${JobQueueName}"
  },
  {
   "Effect": "Allow",
   "Action": "ec2:AllocateAddress",
   "Resource": "arn:aws:ec2:${Region}:${Account}:elastic-ip/${AllocationId}"
  },
  {
   "Effect": "Allow",
   "Action": [
    "ec2:DescribeInstanceAttribute",
    "ec2:ModifyInstanceAttribute",
    "ec2:MonitorInstances",
    "ec2:RunInstances",
    "ec2:TerminateInstances"
   ],
   "Resource": "arn:aws:ec2:${Region}:${Account}:instance/${InstanceId}"
  },
  {
   "Effect": "Allow",
   "Action": "ec2:ImportKeyPair",
   "Resource": "arn:aws:ec2:${Region}:${Account}:key-pair/${KeyPairName}"
  },
  {
   "Effect": "Allow",
   "Action": [
    "ec2:CreateLaunchTemplate",
    "ec2:DeleteLaunchTemplate"
   ],
   "Resource": "arn:aws:ec2:${Region}:${Account}:launch-template/${LaunchTemplateId}"
  },
  {
   "Effect": "Allow",
   "Action": "ec2:RunInstances",
   "Resource": "arn:aws:ec2:${Region}:${Account}:network-interface/${NetworkInterfaceId}"
  },
  {
   "Effect": "Allow",
   "Action": [
    "ec2:AuthorizeSecurityGroupEgress",
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:CreateSecurityGroup",
    "ec2:DeleteSecurityGroup",
    "ec2:RevokeSecurityGroupEgress",
    "ec2:RevokeSecurityGroupIngress",
    "ec2:RunInstances"
   ],
   "Resource": "arn:aws:ec2:${Region}:${Account}:security-group/${SecurityGroupId}"
  },
  {
   "Effect": "Allow",
   "Action": "ec2:RunInstances",
   "Resource": "arn:aws:ec2:${Region}:${Account}:subnet/${SubnetId}"
  },
  {
   "Effect": "Allow",
   "Action": "ec2:RunInstances",
   "Resource": "arn:aws:ec2:${Region}::image/${ImageId}"
  },
  {
   "Effect": "Allow",
   "Action": [
    "iam:AddRoleToInstanceProfile",
    "iam:CreateInstanceProfile",
    "iam:DeleteInstanceProfile",
    "iam:GetInstanceProfile",
    "iam:RemoveRoleFromInstanceProfile"
   ],
   "Resource": "arn:aws:iam::${Account}:instance-profile/${InstanceProfileNameWithPath}"
  },
  {
   "Effect": "Allow",
   "Action": [
    "iam:CreateRole",
    "iam:DeleteRole",
    "iam:DeleteRolePolicy",
    "iam:GetRole",
    "iam:GetRolePolicy",
    "iam:ListAttachedRolePolicies",
    "iam:ListInstanceProfilesForRole",
    "iam:ListRolePolicies",
    "iam:PutRolePolicy"
   ],
   "Resource": "arn:aws:iam::${Account}:role/${RoleNameWithPath}"
  },
  {
   "Effect": "Allow",
   "Action": [
    "kms:CreateGrant",
    "kms:GenerateDataKeyWithoutPlaintext"
   ],
   "Resource": "arn:aws:kms:${Region}:${Account}:key/${KeyId}"
  },
  {
   "Effect": "Allow",
   "Action": [
    "s3:CreateBucket",
    "s3:GetAccelerateConfiguration",
    "s3:GetBucketAcl",
    "s3:GetBucketCORS",
    "s3:GetBucketLogging",
    "s3:GetBucketObjectLockConfiguration",
    "s3:GetBucketPolicy",
    "s3:GetBucketPublicAccessBlock",
    "s3:GetBucketRequestPayment",
    "s3:GetBucketTagging",
    "s3:GetBucketVersioning",
    "s3:GetBucketWebsite",
    "s3:GetEncryptionConfiguration",
    "s3:GetLifecycleConfiguration",
    "s3:GetReplicationConfiguration",
    "s3:PutBucketPublicAccessBlock",
    "s3:PutBucketTagging",
    "s3:PutLifecycleConfiguration"
   ],
   "Resource": "arn:aws:s3:::${BucketName}"
  },
  {
   "Effect": "Allow",
   "Action": "ssm:GetParameters",
   "Resource": "arn:aws:ssm:${Region}:${Account}:parameter/${ParameterNameWithoutLeadingSlash}"
  }
 ]
}


S3 Permissions

When running through the biomodal-cloud-utils process you will be prompted to either create a new S3 bucket or provide an existing one.

If you wish to create a new bucket the bootstrap process will generate a policy with the following permissions on the bucket and its objects:

"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListObjectsV2",
"s3:ListBucket",

If you provide an existing bucket URL, a policy will be created granting the above access to that bucket and its objects. Please ensure you have the permissions required to carry out this IAM operation.

To enable access to existing buckets, please manually apply the same policies to the bucket and its objects.
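The bucket permissions above split into two kinds that IAM evaluates against different ARNs: s3:ListBucket is authorised on the bucket ARN (arn:aws:s3:::bucket), while GetObject, PutObject and DeleteObject are authorised on the object ARN (arn:aws:s3:::bucket/*). A policy that names only the bucket ARN silently fails object operations with AccessDenied. Note also that ListObjectsV2 is the name of the S3 API call; the IAM action that authorises it is s3:ListBucket. The following Python script is an added example, not code from biomodal-cloud-utils: it builds a policy document with that split, optionally narrowed to a key prefix, and checks an arbitrary policy for action/resource mismatches. The bucket name and prefix are constructed.

```python
"""Build and sanity-check the S3 policy described in the S3 Permissions section.

Added example, not biomodal-cloud-utils code. Bucket-level actions must be
granted on the bucket ARN and object-level actions on the bucket/* ARN.
"""
import json

# ListObjectsV2 is an S3 API call; the IAM action that authorises it is
# s3:ListBucket. There is no IAM action named s3:ListObjectsV2.
BUCKET_ACTIONS = ("s3:ListBucket",)
OBJECT_ACTIONS = ("s3:GetObject", "s3:PutObject", "s3:DeleteObject")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def build_bucket_policy(bucket_name: str, prefix: str = "") -> dict:
    """Return a policy granting the duet bucket permissions on one bucket.

    `prefix` (optional, constructed for this example) narrows access to a key
    prefix: ListBucket is conditioned on s3:prefix and the object statement
    names bucket/prefix/* instead of bucket/*.
    """
    if not bucket_name or "*" in bucket_name:
        raise ValueError("bucket_name must be a concrete bucket name, not a wildcard")
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    prefix = prefix.strip("/")
    object_arn = f"{bucket_arn}/{prefix}/*" if prefix else f"{bucket_arn}/*"

    list_stmt = {
        "Sid": "ListBucket",
        "Effect": "Allow",
        "Action": list(BUCKET_ACTIONS),
        "Resource": bucket_arn,
    }
    if prefix:
        # Listing is only useful (and only permitted) under the chosen prefix.
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}/*"]}}
    object_stmt = {
        "Sid": "ObjectAccess",
        "Effect": "Allow",
        "Action": list(OBJECT_ACTIONS),
        "Resource": object_arn,
    }
    return {"Version": "2012-10-17", "Statement": [list_stmt, object_stmt]}


def check_resource_scoping(policy: dict) -> list:
    """Return (sid, action, resource) triples whose action/ARN kinds disagree.

    An object action on a bare bucket ARN, or ListBucket on an object ARN, is
    never matched by IAM and is the usual reason a 'correct looking' bucket
    policy still yields AccessDenied.
    """
    problems = []
    for stmt in policy["Statement"]:
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt["Resource"]):
                # Anything after the bucket name (a '/') makes this an object ARN.
                is_object_arn = "/" in resource.split(":::", 1)[-1]
                if action in OBJECT_ACTIONS and not is_object_arn:
                    problems.append((stmt.get("Sid"), action, resource))
                if action in BUCKET_ACTIONS and is_object_arn:
                    problems.append((stmt.get("Sid"), action, resource))
    return problems


if __name__ == "__main__":
    policy = build_bucket_policy("example-duet-bucket", "runs")  # constructed names
    print(json.dumps(policy, indent=2))
    print("scoping problems:", check_resource_scoping(policy))
```

Run check_resource_scoping over the policy the bootstrap generated for an existing bucket before attaching it: an empty list means each action is paired with an ARN of the right kind, which is the check that catches the bucket-versus-object mistake before the pipeline fails at run time.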


Other Essential Permissions

The following is an example of other essential permissions which will be generated and attached to the VM’s IAM instance profile:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ecr:UploadLayerPart",
                "ecr:PutImage",
                "ecr:ListTagsForResource",
                "ecr:ListImages",
                "ecr:InitiateLayerUpload",
                "ecr:GetRepositoryPolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:GetLifecyclePolicy",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetAuthorizationToken",
                "ecr:DescribeRepositories",
                "ecr:DescribeImages",
                "ecr:DescribeImageScanFindings",
                "ecr:CreateRepository",
                "ecr:CompleteLayerUpload",
                "ecr:BatchGetImage"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "batch:TerminateJob",
                "batch:TagResource",
                "batch:SubmitJob",
                "batch:RegisterJobDefinition",
                "batch:ListJobs",
                "batch:DescribeJobs",
                "batch:DescribeJobQueues",
                "batch:DescribeJobDefinitions",
                "batch:DescribeComputeEnvironments"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "ecs:DescribeTasks",
                "ecs:DescribeContainerInstances",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceAttribute"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
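Both policies on this page (the bootstrap policy under Prerequisites, with its ${Region}/${Account}/... placeholders, and the instance-profile policy just above) mix statements scoped to a single ARN with statements on "Resource": "*". Before attaching either, a reviewer wants two things: confirmation that every placeholder was substituted, so no literal "${Account}" reaches IAM, and a list of the mutating actions (anything not a Describe/Get/List call) that remain unscoped, since those are the grants to consider tightening with ARNs or conditions. The script below is an added example, not biomodal-cloud-utils code. It embeds a constructed excerpt of the bootstrap policy; the region, account ID and resource names used in the usage call are constructed values.

```python
"""Render a placeholder-templated IAM policy and report unscoped mutating grants.

Added example, not biomodal-cloud-utils code. Placeholders follow the
${Region}/${Account}/${Name} convention of the policies in this document.
"""
import json
import re
from string import Template

# Constructed excerpt of the bootstrap policy on this page (three statements).
SAMPLE_POLICY = json.loads(r"""
{
 "Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow",
   "Action": ["ec2:DescribeInstances", "ec2:CreateTags", "ec2:DeleteKeyPair", "sts:GetCallerIdentity"],
   "Resource": "*"},
  {"Effect": "Allow",
   "Action": ["batch:CreateComputeEnvironment", "batch:DeleteComputeEnvironment"],
   "Resource": "arn:aws:batch:${Region}:${Account}:compute-environment/${ComputeEnvironmentName}"},
  {"Effect": "Allow",
   "Action": "ec2:RunInstances",
   "Resource": "arn:aws:ec2:${Region}::image/${ImageId}"}
 ]
}
""")

# Heuristic: AWS API names beginning with these verbs do not change state.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")
PLACEHOLDER = re.compile(r"\$\{([A-Za-z]+)\}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def unresolved_placeholders(policy: dict, values: dict) -> list:
    """Return the sorted placeholder names that `values` does not supply."""
    rendered = Template(json.dumps(policy)).safe_substitute(values)
    return sorted(set(PLACEHOLDER.findall(rendered)))


def render_policy(policy: dict, values: dict) -> dict:
    """Substitute every ${Name} in the policy; refuse to emit a partial render."""
    missing = unresolved_placeholders(policy, values)
    if missing:
        raise KeyError(f"unresolved placeholders: {missing}")
    return json.loads(Template(json.dumps(policy)).safe_substitute(values))


def is_read_only(action: str) -> bool:
    """True for service:Describe*/Get*/List* actions."""
    return action.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)


def unscoped_mutating_actions(policy: dict) -> list:
    """Return sorted, unique mutating actions allowed with Resource "*".

    These grants are not limited to the bootstrap's own resources and are the
    first candidates for an ARN or a Condition block.
    """
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt["Action"]):
            if not is_read_only(action):
                found.add(action)
    return sorted(found)


if __name__ == "__main__":
    # Constructed values; use your own region, account and resource names.
    values = {"Region": "eu-west-2", "Account": "123456789012",
              "ComputeEnvironmentName": "duet-ce", "ImageId": "ami-00000000"}
    print(json.dumps(render_policy(SAMPLE_POLICY, values), indent=2))
    print("unscoped mutating actions:", unscoped_mutating_actions(SAMPLE_POLICY))
```

Run unscoped_mutating_actions over the full instance-profile policy above and it lists every ECR push and Batch submit/terminate action, because that policy grants all of them on "*"; the read-only Describe and List calls are left out so the output is only the grants worth a second look.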
