When integrating with AWS, one or two managed roles are created in your account to give Upsolver the required access.
There are three role types; which of them are created in your account depends on the type of integration.
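This is the role that Upsolver's servers running in your VPC use to access the data in your account. In the JSON documents below, `<get_from_upsolver>` and `UPSOLVER_ORG_ID` are placeholders rather than literal values, and several statements (including the one that grants `iam:PassRole`) apply to `"Resource": "*"`, so review them against your account's least-privilege requirements before creating the role. The permissions given to this role are: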
{
"Statement": [
{
"Action": [
"ec2:DescribeSpotInstanceRequests",
"ec2:DescribeAddresses",
"ec2:DescribeInstances",
"ec2:DescribeSecurityGroups",
"ec2:DescribeInstanceStatus",
"ec2:DescribeTags",
"ec2:DescribeImages",
"ec2:DescribeImageAttribute",
"ec2:DescribeSpotPriceHistory",
"cloudwatch:PutMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"cloudwatch:DescribeAlarmHistory",
"cloudwatch:DescribeAlarmsForMetric",
"cloudwatch:DescribeAlarms",
"iam:ListPolicies",
"iam:GetPolicyVersion",
"iam:GetPolicy",
"iam:ListRoles",
"iam:ListInstanceProfiles",
"iam:AddRoleToInstanceProfile",
"iam:ListInstanceProfilesForRole",
"iam:ListAttachedRolePolicies",
"iam:ListAccountAliases",
"iam:PassRole",
"iam:CreateServiceLinkedRole",
"sts:DecodeAuthorizationMessage"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"ec2:DescribeAddresses",
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:CreateTags",
"ec2:DescribeTags",
"ec2:ReleaseAddress",
"ec2:DisassociateAddress",
"ec2:RequestSpotInstances",
"ec2:CancelSpotInstanceRequests"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Condition": {
"StringLike": {
"aws:RequestTag/Name": "*upsolver*"
}
},
"Action": [
"ec2:CreateVolume",
"ec2:RunInstances"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Condition": {
"StringLike": {
"ec2:ResourceTag/Name": "*upsolver*"
}
},
"Action": [
"ec2:TerminateInstances",
"ec2:StartInstances",
"ec2:AttachVolume",
"ec2:DeleteVolume",
"ec2:RunInstances"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*::image/*"
],
"Effect": "Allow"
}
]
}
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::428641199958:role/upsolver-api"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<get_from_upsolver>"
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::922761411349:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<get_from_upsolver>"
}
}
}
]
}
{
"Statement": [
{
"Sid": "upsolverBucketAccess",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::us-east-1-upsolver-UPSOLVER_ORG_ID",
"arn:aws:s3:::us-east-1-upsolver-UPSOLVER_ORG_ID/*"
],
"Effect": "Allow"
},
{
"Sid": "listStreams",
"Action": [
"kinesis:ListStreams"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "upsolverManagedStream",
"Action": [
"kinesis:*"
],
"Resource": [
"arn:aws:kinesis:*:*:stream/upsolver_*"
],
"Effect": "Allow"
},
{
"Sid": "sendScalingMetrics",
"Action": [
"cloudwatch:PutMetricData"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
]
}