AWS

Setting up a self-hosted DevZero Control Plane and Data Plane in AWS.

Before setting up the Control Plane and Data Plane, ensure that your AWS role/user has the IAM permissions below attached. Without them, you will not be able to complete the setup without errors.

Required Permissions on AWS

Prop                     Type          Default
autoscaling:{..}         AWS Service   -
cloudformation:{..}      AWS Service   -
ec2:{..}                 AWS Service   -
eks:{..}                 AWS Service   -
elasticfilesystem:{..}   AWS Service   -
events:{..}              AWS Service   -
iam:{..}                 AWS Service   -
kms:{..}                 AWS Service   -
logs:{..}                AWS Service   -
sqs:{..}                 AWS Service   -

Validating AWS Permissions (and updating Policies)

If you want to skip the first 3 steps, copy this policy.json and continue from step 4.

The validation script requires your IAM user/role to have permissions for the following actions:

[
  "iam:GetPolicyVersion",
  "iam:GetRole",
  "iam:GetRolePolicy", 
  "iam:GetUserPolicy", 
  "iam:ListAttachedRolePolicies",
  "iam:ListAttachedUserPolicies", 
  "iam:ListPolicyVersions",
  "iam:ListRolePolicies", 
  "iam:ListUserPolicies"
]

Note: You can also copy this policy.json to skip the first four steps.

Validating Permissions

Clone this repository to get the script:

git clone https://github.com/devzero-inc/self-hosted-tf.git
cd self-hosted-tf

Configure your AWS CLI with your IAM User:

aws configure

To use your IAM Role to configure the AWS CLI, check out Using an IAM role in the AWS CLI.

Run the script and choose the DevZero component that you're trying to deploy (Control or Data Plane):

./examples/permissions.sh

You should see something like:

% ./examples/permissions.sh
✅ AWS CLI Present
✅ Caller Identity Retrieved
  >>> Detected assumed role. Resolving permissions for source role: AWSReservedSSO_AWSAdministratorAccess_940ce1d9f39db1de
✅ Retrieved AWS IAM role name
Please select the deployment type (Control Plane - 1, Data Plane - 2): 1
✅ Selected: Control Plane

Set VERBOSE mode to see more output:

VERBOSE=true ./examples/permissions.sh

The script will:

fetch all the policies/actions that are currently attached to your IAM role/user,
ensure that your IAM role/user has all the necessary permissions,
generate a policy.json only if you are missing some permissions.

If the script has generated a policy.json for you, you don't have enough permissions to proceed with the deployment. Follow the steps outlined in the next section to attach this policy.json to your IAM role/user before rerunning the script to validate.

% ./examples/permissions.sh
✅ AWS CLI Present
✅ Caller Identity Retrieved
  >>> Detected assumed role. Resolving permissions for source role: AWSReservedSSO_AWSAdministratorAccess_<something>
✅ Retrieved AWS IAM role name
Please select the deployment type (Control Plane - 1, Data Plane - 2): 1
✅ Selected: Control Plane
🚧 Fetching attached policies for role/user: AWSReservedSSO_AWSAdministratorAccess_<something>
✅ Successfully retrieved attached policies
🚧 Fetching inline policies for role/user: AWSReservedSSO_AWSAdministratorAccess_<something>
😎 No inline policies found
✅ Successfully retrieved list of permitted action
🚧 Verifying if there are any missing permissions
✅ Full admin access detected (*), all permissions are granted
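
The comparison the script is described as performing above, as an added example in Python (not DevZero's permissions.sh and not code from the original page): it matches the Action patterns of already-fetched policy documents against the nine validation-script actions listed earlier and builds a policy document for whatever is missing. The function names, the sample policies and the shape of the generated policy are assumptions; NotAction, conditions, resource scoping, permission boundaries and SCPs are not evaluated.

```python
import json
import re

# The nine actions the page lists as required to run the validation script.
REQUIRED = [
    "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy",
    "iam:GetUserPolicy", "iam:ListAttachedRolePolicies",
    "iam:ListAttachedUserPolicies", "iam:ListPolicyVersions",
    "iam:ListRolePolicies", "iam:ListUserPolicies",
]

def _as_list(value):
    # IAM accepts either a single value or a list for Statement and Action.
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # '*' in an action pattern matches any run of characters; case-insensitive.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def _patterns(policies, effect):
    return [p for doc in policies
            for stmt in _as_list(doc.get("Statement", []))
            if stmt.get("Effect") == effect
            for p in _as_list(stmt.get("Action", []))]

def check(policies, required=REQUIRED):
    """Return (missing, blocked): actions with no Allow, and actions hit by a Deny."""
    allowed, denied = _patterns(policies, "Allow"), _patterns(policies, "Deny")
    blocked = [a for a in required if any(_matches(p, a) for p in denied)]
    missing = [a for a in required if a not in blocked
               and not any(_matches(p, a) for p in allowed)]
    return missing, blocked

def build_policy(missing):
    # Assumed output shape. Blocked actions are omitted on purpose: an added
    # Allow never overrides an explicit Deny, so those need the Deny removed.
    if not missing:
        return None
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": missing, "Resource": "*"}]}

# Constructed sample: one wildcard Allow policy plus a single-statement Deny.
SAMPLE = [
    {"Statement": [{"Effect": "Allow", "Resource": "*",
                    "Action": ["iam:Get*", "iam:ListAttached*"]}]},
    {"Statement": {"Effect": "Deny", "Resource": "*", "Action": "iam:GetUserPolicy"}},
]

if __name__ == "__main__":
    missing, blocked = check(SAMPLE)
    print(json.dumps(build_policy(missing), indent=2), "blocked:", blocked)
```

A policy consisting of a single Allow on `*` yields no missing actions and no generated policy, which corresponds to the "Full admin access detected" line in the output above.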

Create Policy

Go to the IAM Policies in AWS and click on 'Create Policy'. Select the JSON tab in Policy editor and paste the custom policy.json or the complete policy.json from here.

In the next section, give the policy a name and a description and then click Create policy.

You will need the policy name in step 7.

Attach Policies to your Role/User

Go to your IAM Role or IAM User and click Add permissions > Attach Policies.

Add Permissions

Search for the policy name, attach it, and click Add Permissions.

Now that all the required permissions are attached, you can check out the guides to self-host the DevZero Control Plane and Data Plane.
