Eucalyptus extends the IAM policy language to meet the needs of enterprise customers.
In IAM, the only EC2 resource you can name in a policy statement is the wildcard "*", so a permission cannot be restricted to specific EC2 entities: for example, you cannot limit a user to running instances from a particular image or with a particular VM type. To solve that, Eucalyptus added EC2 resources to the policy language. An EC2 resource ARN has the following form:
arn:aws:ec2::<account_id>:<resource_type>/<resource_id>
where the account ID is optional.
Eucalyptus supports the following resource types for EC2:
The following example grants permission to launch instances only with the m1.small VM type; the other resource types that a RunInstances request touches are left as wildcards:
{
"Version":"2011-04-01",
"Statement":[{
"Sid":"2",
"Effect":"Allow",
"Action":"ec2:RunInstances",
"Resource": [
"arn:aws:ec2:::vmtype/m1.small",
"arn:aws:ec2:::image/*",
"arn:aws:ec2:::securitygroup/*",
"arn:aws:ec2:::keypair/*",
"arn:aws:ec2:::availabilityzone/*",
"arn:aws:ec2:::instance/*"
]
}]
}
Eucalyptus implements the following AWS policy keys:
Eucalyptus extends the policy keys with the following keys, which control the lifetime of an instance:
For more information about policy keys, see the AWS documentation, IAM Policy Elements Reference.
The following example restricts an instance running time to 24 hours:
{
"Version":"2011-04-01",
"Statement":[{
"Sid":"3",
"Effect":"Allow",
"Action":"ec2:RunInstances",
"Resource":"*",
"Condition":{
"NumericEquals":{
"ec2:KeepAlive":"1440"
}
}
}]
}
If there are multiple ec2:KeepAlive or ec2:ExpirationTime keys that match a request, Eucalyptus chooses the longer lifetime for the instance to run.
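The following is an added example, not code from the Eucalyptus project, that models the two rules described on this page: resource-level matching of EC2 ARNs for ec2:RunInstances, and the choice of the longest ec2:KeepAlive lifetime when several statements match. The evaluation semantics (every resource a request touches must match one Resource entry of an allowing statement, an explicit Deny wins, the account field of an ARN pattern matches anything when empty or "*") are assumptions modelled on the examples above, not the Eucalyptus implementation, and ec2:ExpirationTime is not modelled because the page gives no format for it. The account ID, image ID and other identifiers are constructed sample values.

```python
"""Minimal evaluator for the Eucalyptus-style EC2 resource ARNs and the
ec2:KeepAlive lifetime key described above (added example, not Eucalyptus code).
All matching semantics are assumptions inferred from the page's examples."""
import fnmatch

# Constructed sample policies. VMTYPE_POLICY is the page's m1.small example;
# LIFETIME_POLICY is the page's 24-hour example plus an assumed second
# statement that allows a longer lifetime for m1.small only.
VMTYPE_POLICY = {"Version": "2011-04-01", "Statement": [
    {"Sid": "2", "Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": ["arn:aws:ec2:::vmtype/m1.small", "arn:aws:ec2:::image/*",
                  "arn:aws:ec2:::securitygroup/*", "arn:aws:ec2:::keypair/*",
                  "arn:aws:ec2:::availabilityzone/*", "arn:aws:ec2:::instance/*"]}]}

LIFETIME_POLICY = {"Version": "2011-04-01", "Statement": [
    {"Sid": "3", "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*",
     "Condition": {"NumericEquals": {"ec2:KeepAlive": "1440"}}},
    {"Sid": "4", "Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": ["arn:aws:ec2:::vmtype/m1.small", "arn:aws:ec2:::image/*",
                  "arn:aws:ec2:::securitygroup/*", "arn:aws:ec2:::keypair/*",
                  "arn:aws:ec2:::availabilityzone/*", "arn:aws:ec2:::instance/*"],
     "Condition": {"NumericEquals": {"ec2:KeepAlive": "2880"}}}]}


def parse_arn(arn):
    """Split arn:aws:ec2:<region>:<account>:<type>/<id> into its fields."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[:3] != ["arn", "aws", "ec2"]:
        raise ValueError("not an EC2 ARN: %s" % arn)
    rtype, _, rid = parts[5].partition("/")
    return {"account": parts[4], "type": rtype, "id": rid}


def arn_matches(pattern, arn):
    """Assumption: empty or '*' account in the pattern matches any account;
    the resource type must be equal; the resource id is glob-matched."""
    if pattern == "*":
        return True
    p, a = parse_arn(pattern), parse_arn(arn)
    if p["account"] not in ("", "*") and p["account"] != a["account"]:
        return False
    return p["type"] == a["type"] and fnmatch.fnmatchcase(a["id"], p["id"])


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_matches(stmt, action, request_arns):
    """Assumption: a statement applies only if the action matches and every
    resource the request touches matches at least one Resource entry."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    patterns = _as_list(stmt["Resource"])
    return all(any(arn_matches(p, r) for p in patterns) for r in request_arns)


def keep_alive_minutes(stmt):
    """ec2:KeepAlive from a NumericEquals condition, in minutes, or None."""
    value = stmt.get("Condition", {}).get("NumericEquals", {}).get("ec2:KeepAlive")
    return int(value) if value is not None else None


def evaluate_run_instances(policy, request_arns):
    """Return (allowed, lifetime_minutes); lifetime None means no limit set.
    When several allowing statements carry ec2:KeepAlive, the longest wins."""
    allowed, lifetimes = False, []
    for stmt in policy["Statement"]:
        if not statement_matches(stmt, "ec2:RunInstances", request_arns):
            continue
        if stmt["Effect"] == "Deny":      # assumption: explicit Deny overrides
            return False, None
        allowed = True
        ka = keep_alive_minutes(stmt)
        if ka is not None:
            lifetimes.append(ka)
    return allowed, (max(lifetimes) if lifetimes else None)


def run_instances_arns(vmtype, image, account="123456789012"):
    """Resources a RunInstances request touches (constructed sample values;
    the instance id is unknown before launch, so it is left as a wildcard)."""
    return ["arn:aws:ec2::%s:vmtype/%s" % (account, vmtype),
            "arn:aws:ec2::%s:image/%s" % (account, image),
            "arn:aws:ec2::%s:securitygroup/default" % account,
            "arn:aws:ec2::%s:keypair/mykey" % account,
            "arn:aws:ec2::%s:availabilityzone/cluster01" % account,
            "arn:aws:ec2::%s:instance/*" % account]


if __name__ == "__main__":
    for policy, name in ((VMTYPE_POLICY, "vmtype"), (LIFETIME_POLICY, "lifetime")):
        for vmtype in ("m1.small", "m1.large"):
            print(name, vmtype, evaluate_run_instances(policy, run_instances_arns(vmtype, "emi-1a2b3c4d")))
```

Under the vmtype-only policy an m1.large launch is refused because no Resource entry matches its vmtype ARN, while under the lifetime policy it is allowed for 1440 minutes (only the "*" statement matches) and an m1.small launch gets 2880 minutes, the longer of the two matching lifetimes.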
For more use cases, such as setting up temporary permissions, see the AWS documentation, Disabling Permissions for Temporary Security Credentials.