...
- Create a new role as in Creating Custom Roles to use With Shibboleth.
- Name the role "shib-ec2control".
- Create the corresponding AD group and add target users as members. (As described in the link, this step needs to be completed by the Cloud Team.)
- Add the following inline policy to the new role:
Custom JSON for the policy:
Code Block { "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:StartInstances", "ec2:StopInstances" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/TargetUser": "${aws:userid}" } } }, { "Action": [ "ec2:CreateTags", "ec2:DeleteTags" ], "Effect": "Deny", "Resource": "*" }, { "Effect" : "Allow", "Action" : "ec2:Describe*", "Resource" : "*" }, ] }
- Determine the RoleId (aka PrincipalId) of the role.
- This is hard to find in the AWS Console. Use the AWS CLI instead:
To get just the RoleId:
Code Block aws iam get-role --role-name shib-ec2control --query "Role.RoleId" --output text
or, to see the entire description of the role:
Code Block aws iam get-role --role-name shib-ec2control
- A example RoleId "AROAJRGJOYWPGTTYSJNDS"
- This is hard to find in the AWS Console. Use the AWS CLI instead:
- Label EC2 instances with "TargetUser" tag according to which user should be allowed access to each instance. In order to allow "pea1" to stop/start an instance, give the instance the following tag:
- "TargetUser" = "AROAJRGJOYWPGTTYSJNDS:pea1@cornell.edu" The tag value should be "ROLE_ID:NETID@cornell.edu" where
- ROLE_ID is the ID of the role determined earlier.
- NETID is the Cornell netid of the user to be allowed control.
- "TargetUser" = "AROAJRGJOYWPGTTYSJNDS:pea1@cornell.edu" The tag value should be "ROLE_ID:NETID@cornell.edu" where
...