Add IAM policy examples NodeAttestor(server) "aws_iid" and NodeResolv…

…er "aws_iid" Signed-off-by: Ryuma Yoshida <[email protected]>
S-YOU · Apr 24, 2019 · d885aec · d885aec
1 parent f1414f1
commit d885aec
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 0 deletions.
diff --git a/doc/plugin_server_nodeattestor_aws_iid.md b/doc/plugin_server_nodeattestor_aws_iid.md
@@ -16,6 +16,22 @@ attested by the aws_iid attestor will be issued a SPIFFE ID like
 
 The user or role identified by the credentials must have permissions for `ec2:DescribeInstances`.
 
+The following is an example for a IAM policy needed to get instance's info from AWS.
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": "ec2:DescribeInstances",
+ "Resource": "*"
+ }
+ ]
+}
+```
+
 For more information on security credentials, see https://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html.
 
 A sample configuration:

diff --git a/doc/plugin_server_noderesolver_aws_iid.md b/doc/plugin_server_noderesolver_aws_iid.md
@@ -26,6 +26,25 @@ of selectors.
 The user or role identified by the credentials must have permissions for
 `ec2:DescribeInstances` and `iam:GetInstanceProfile`.
 
+The following is an example for a IAM policy needed to get instance's info from AWS.
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeInstances",
+ "iam:GetInstanceProfile"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
+```
+
 For more information on security credentials, see https://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html.
 
 A sample configuration: