ConsoleMe
GitHub
  • About
  • Architecture
  • Features
    • Credentials
      • AWS Console Login
      • AWS Credential Broker
    • Policy Management
      • Policies View
      • Policy Editor for IAM, SQS, SNS, and S3
      • Self-Service IAM Wizard
      • Policy Request - Review Page
      • Role Creation and Cloning
  • Demo
  • Quick Start
    • Docker
    • Local
  • Prerequisites
    • Required IAM Permissions
      • Central Account
      • Spoke Accounts
  • Configuration
    • Web App Authentication and Authorization
      • Local Development (Auth bypass)
      • ALB Auth (Recommended)
      • Retrieving Google Groups
      • OIDC/OAuth2
        • Cognito
        • Okta
      • SAML
      • Plain-Text Headers
    • Role Credential Authorization
      • Role Tags
        • Role Tagging Service Control Policy (Recommended)
      • Role Authorization through Dynamic Configuration
      • Custom Authorization (Internal Plugin)
    • Account Syncing
    • Metrics
    • Dynamic Configuration
    • AWS Resource Syncing
    • CLI Authentication
    • Sending email through SES
    • AWS Secret Manager Integration
    • CloudTrail Integration via AWS Event Bridge
    • Slack Notifications
  • Celery Tasks
    • Celery Flower
  • Development Guide
    • UI Components
    • Managing Dependencies
  • Deployment Strategies
  • Contributing
  • FAQ
  • License
  • Security
  • Weep CLI
    • Getting Started with Weep
    • AWS Credentials in the CLI using Weep and ConsoleMe
    • Configuration
    • Commands
      • List
      • Serve
      • Export
      • File
      • Credential Process
    • Assuming Roles
    • Advanced Configuration
      • Routing for Metadata Service
      • Shell Completion
Powered by GitBook
On this page

Was this helpful?

  1. Prerequisites
  2. Required IAM Permissions

Central Account

The ConsoleMe service needs its own user or role. Note that ConsoleMe has a lot of permissions. You should ensure that its privileges cannot be used outside of ConsoleMe, except by authorized administrators (Likely, you).

You can call this new role "ConsoleMeInstanceProfile". It will also need to assume whichever roles you want to allow it to assume in your environment. Here is a full-fledged policy you can use when deploying to production. For now, scoping down assume role rights for testing should be sufficient. Create an inline policy for your role with the following permissions if you never want to have to think about it again:

Replace arn:aws:iam::1243456789012:role/consolemeInstanceProfile in the Assume Role Trust Policy with your ConsoleMe service role ARN.

{
  "Statement": [
    {
      "Action": [
        "access-analyzer:*",
        "cloudtrail:*",
        "cloudwatch:*",
        "config:SelectResourceConfig",
        "config:SelectAggregateResourceConfig",
        "dynamodb:batchgetitem",
        "dynamodb:batchwriteitem",
        "dynamodb:deleteitem",
        "dynamodb:describe*",
        "dynamodb:getitem",
        "dynamodb:getrecords",
        "dynamodb:getsharditerator",
        "dynamodb:putitem",
        "dynamodb:query",
        "dynamodb:scan",
        "dynamodb:updateitem",
        "dynamodb:CreateTable",
        "dynamodb:UpdateTimeToLive",
        "sns:createplatformapplication",
        "sns:createplatformendpoint",
        "sns:deleteendpoint",
        "sns:deleteplatformapplication",
        "sns:getendpointattributes",
        "sns:getplatformapplicationattributes",
        "sns:listendpointsbyplatformapplication",
        "sns:publish",
        "sns:setendpointattributes",
        "sns:setplatformapplicationattributes",
        "sts:assumerole"
      ],
      "Effect": "Allow",
      "Resource": ["*"]
    },
    {
      "Action": ["ses:sendemail", "ses:sendrawemail"],
      "Condition": {
        "StringLike": {
          "ses:FromAddress": ["email_address_here@example.com"]
        }
      },
      "Effect": "Allow",
      "Resource": "arn:aws:ses:*:123456789:identity/your_identity.example.com"
    },
    {
      "Action": [
        "autoscaling:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "config:BatchGet*",
        "config:List*",
        "config:Select*",
        "ec2:DescribeSubnets",
        "ec2:describevpcendpoints",
        "ec2:DescribeVpcs",
        "iam:GetAccountAuthorizationDetails",
        "iam:ListAccountAliases",
        "iam:ListAttachedRolePolicies",
        "ec2:describeregions",
        "s3:GetBucketPolicy",
        "s3:GetBucketTagging",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:PutBucketPolicy",
        "s3:PutBucketTagging",
        "sns:GetTopicAttributes",
        "sns:ListTagsForResource",
        "sns:ListTopics",
        "sns:SetTopicAttributes",
        "sns:TagResource",
        "sns:UnTagResource",
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl",
        "sqs:ListQueues",
        "sqs:ListQueueTags",
        "sqs:SetQueueAttributes",
        "sqs:TagQueue",
        "sqs:UntagQueue"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}

You must also allow ConsoleMe to read/write to the bucket you've decided to use to cache data. Please replace BUCKET_NAME below with the name of the bucket you will cache data in. This bucket must be in the same account as this role, and it must also be defined in your ConsoleMe configuration under the consoleme_s3_bucket configuration key. You can add this as a new inline policy on your ConsoleMeInstanceProfile role, or append the statement to an existing inline policy.

{
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME",
                "arn:aws:s3:::BUCKET_NAME/*"
            ]
        }
    ]
}

Configure the trust policy with the following settings (Yes, you'll want to give ConsoleMeInstanceProfile the ability to assume itself):

{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      }
    },
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::1243456789012:role/consolemeInstanceProfile"
      }
    }
  ],
  "Version": "2012-10-17"
}
PreviousRequired IAM PermissionsNextSpoke Accounts

Last updated 3 years ago

Was this helpful?