To set up your account without CloudFormation, you need to create both the IAM policy and the cross-account IAM role.
To set the permissions Sprinters will have, you’ll need an IAM policy.
Create the IAM policy in the AWS Console
To do so, paste this JSON policy document in the policy editor. It allows Sprinters to launch and describe instances, but only lets it tag instances at launch time and only lets it modify volumes or terminate instances that carry the sprinters:sprinters=true tag:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Regular",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:DescribeInstances",
        "ec2:DescribeSpotPriceHistory"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RestrictCreateTagsToRunInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "RunInstances"
        }
      }
    },
    {
      "Sid": "RestrictToSprintersResources",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:ModifyVolume",
        "ec2:TerminateInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/sprinters:sprinters": "true"
        }
      }
    }
  ]
}
Assign it the name sprinters-policy and create it. Your IAM policy is now fully set up.
To establish trust between Sprinters and your AWS account, you’ll need a cross-account IAM role.
Create the cross-account IAM role in the AWS Console
Your role will need a custom trust policy that references your GitHub account. Replace your-github-account-name in the sts:ExternalId condition below with your GitHub account name, then paste the result in the trust policy editor:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "381491863103" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "your-github-account-name" } }
    }
  ]
}
Assign the role the name sprinters-role and ensure it uses the sprinters-policy permission policy. Your cross-account IAM role is now fully set up.
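As an added check that is not part of the Sprinters documentation, the following Python script parses the two policy documents above (embedded as constructed sample input) and flags the mistakes most likely to creep in while pasting them: a destructive EC2 action granted without the sprinters:sprinters tag condition, a wildcard principal in the trust policy, or an sts:ExternalId that is missing or still set to the placeholder. Which actions count as destructive is an assumption of this example.

```python
import json

# The two policy documents from this page, embedded as constructed sample input so the check runs offline.
SPRINTERS_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Sid": "Regular", "Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:DescribeInstances",
  "ec2:DescribeSpotPriceHistory"], "Resource": "*"},
 {"Sid": "RestrictCreateTagsToRunInstances", "Effect": "Allow", "Action": ["ec2:CreateTags"],
  "Resource": "*", "Condition": {"StringEquals": {"ec2:CreateAction": "RunInstances"}}},
 {"Sid": "RestrictToSprintersResources", "Effect": "Allow",
  "Action": ["ec2:CreateTags", "ec2:ModifyVolume", "ec2:TerminateInstances"], "Resource": "*",
  "Condition": {"StringEquals": {"aws:ResourceTag/sprinters:sprinters": "true"}}}]}""")
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
 "Principal": {"AWS": "381491863103"}, "Action": "sts:AssumeRole",
 "Condition": {"StringEquals": {"sts:ExternalId": "your-github-account-name"}}}]}""")

# Assumptions of this example: which actions are treated as destructive, and the placeholder text from the page.
DESTRUCTIVE_ACTIONS = {"ec2:TerminateInstances", "ec2:ModifyVolume"}
PLACEHOLDER_EXTERNAL_ID = "your-github-account-name"
SPRINTERS_TAG_KEY = "aws:ResourceTag/sprinters:sprinters"

def unguarded_destructive_actions(policy):
    """Destructive EC2 actions that some Allow statement grants without the sprinters resource-tag condition."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        tag_cond = stmt.get("Condition", {}).get("StringEquals", {})
        guarded = tag_cond.get(SPRINTERS_TAG_KEY) == "true"
        actions = stmt.get("Action", [])
        for action in (actions if isinstance(actions, list) else [actions]):
            if (action in ("*", "ec2:*") or action in DESTRUCTIVE_ACTIONS) and not guarded:
                found.add(action)
    return sorted(found)

def trust_policy_issues(trust_policy):
    """Problems that would let a party other than the Sprinters account assume the role."""
    issues = []
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            issues.append("principal is a wildcard")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            issues.append("no sts:ExternalId condition (confused-deputy protection missing)")
        elif external_id == PLACEHOLDER_EXTERNAL_ID:
            issues.append("sts:ExternalId is still the placeholder")
    return issues
```

Run it against the documents you actually pasted: the permission policy should yield an empty list, and the trust policy should yield nothing once the placeholder has been replaced with your GitHub account name.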