IAM Roles

Last updated 1 year ago

Was this helpful?

IAM Roles

testgrinder service will be discontinued on January 31, 2025

testgrinder SMPC was discontinued as of February 1, 2024

You'll need to create two IAM Roles - one for tg-app and the other for tg-bot instances. The roles will be assigned to the launched tg-app and tg-bot instances and give them the necessary access rights.

You can manage IAM Roles from the Roles page of the AWS IAM console at

If you plan to have several testgrinder deployments, to ensure proper access to S3 buckets, it is recommended to create a separate set of roles for each testgrinder deployment. Use descriptive role names, such as tg-eval-app and tg-prod-app, to distinguish between them.

Role tg-app

Create a role named tg-app and assign the following policy to it:

Replace YOUR_MEDIA_S3_BUCKET and YOUR_USER_FILES_S3_BUCKET below with the name of the buckets you created earlier.

If you are using an AWS Key Management Service key for encrypting objects in the S3 buckets, replace YOUR_KMS_KEY_ARN below with the key's ARN.
If you are not using encryption, or using Amazon S3-managed keys, then remove the entire section of the policy granting permission to kms action.

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ec2:CreateTags",
          "ec2:DescribeTags",
          "ec2:DescribeInstances",
          "ec2:DescribeSecurityGroups",
          "ec2:RunInstances",
          "ec2:TerminateInstances",
          "iam:PassRole"
        ],
        "Resource": [
          "*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "kms:GenerateDataKey",
          "kms:Decrypt",
          "kms:Encrypt"
        ],
        "Resource": [
          "YOUR_KMS_KEY_ARN"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "s3:ListBucket"
        ],
        "Resource": [
          "arn:aws:s3:::YOUR_MEDIA_S3_BUCKET",
          "arn:aws:s3:::YOUR_USER_FILES_S3_BUCKET"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "s3:PutObject",
          "s3:GetObject",
          "s3:DeleteObject"
        ],
        "Resource": [
          "arn:aws:s3:::YOUR_MEDIA_S3_BUCKET/*",
          "arn:aws:s3:::YOUR_USER_FILES_S3_BUCKET/*"
        ]
      }
    ]
  }

Role tg-bot

Create a role named tg-bot and assign the following policy to it:

Replace YOUR_MEDIA_S3_BUCKET and YOUR_USER_FILES_S3_BUCKET below with the name of the buckets you created earlier.

If you are using an AWS Key Management Service key for encrypting objects in the S3 buckets, replace YOUR_KMS_KEY_ARN below with the key's ARN.
If you are not using encryption, or using Amazon S3-managed keys, then remove the entire section of the policy granting permission to kms action.

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["ec2:DescribeTags"],
        "Resource": ["*"]
      },
      {
        "Effect": "Allow",
        "Action": [
          "kms:GenerateDataKey",
          "kms:Decrypt",
          "kms:Encrypt"
        ],
        "Resource": [
          "YOUR_KMS_KEY_ARN"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "s3:PutObject"
        ],
        "Resource": [
          "arn:aws:s3:::YOUR_MEDIA_S3_BUCKET/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "s3:GetObject"
        ],
        "Resource": [
          "arn:aws:s3:::YOUR_USER_FILES_S3_BUCKET/*"
        ]
      }
    ]
  }

PreviousS3 Buckets NextKey Pair

Last updated 1 year ago

Was this helpful?

testgrinder service will be discontinued on January 31, 2025

testgrinder SMPC was discontinued as of February 1, 2024

You can manage IAM Roles from the Roles page of the AWS IAM console at

Role tg-app

Create a role named tg-app and assign the following policy to it:

Replace YOUR_MEDIA_S3_BUCKET and YOUR_USER_FILES_S3_BUCKET below with the name of the buckets you created earlier.

If you are using an AWS Key Management Service key for encrypting objects in the S3 buckets, replace YOUR_KMS_KEY_ARN below with the key's ARN.
If you are not using encryption, or using Amazon S3-managed keys, then remove the entire section of the policy granting permission to kms action.

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ec2:CreateTags",
          "ec2:DescribeTags",
          "ec2:DescribeInstances",
          "ec2:DescribeSecurityGroups",
          "ec2:RunInstances",
          "ec2:TerminateInstances",
          "iam:PassRole"
        ],
        "Resource": [
          "*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "kms:GenerateDataKey",
          "kms:Decrypt",
          "kms:Encrypt"
        ],
        "Resource": [
          "YOUR_KMS_KEY_ARN"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "s3:ListBucket"
        ],
        "Resource": [
          "arn:aws:s3:::YOUR_MEDIA_S3_BUCKET",
          "arn:aws:s3:::YOUR_USER_FILES_S3_BUCKET"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "s3:PutObject",
          "s3:GetObject",
          "s3:DeleteObject"
        ],
        "Resource": [
          "arn:aws:s3:::YOUR_MEDIA_S3_BUCKET/*",
          "arn:aws:s3:::YOUR_USER_FILES_S3_BUCKET/*"
        ]
      }
    ]
  }

Role tg-bot

Create a role named tg-bot and assign the following policy to it:

Replace YOUR_MEDIA_S3_BUCKET and YOUR_USER_FILES_S3_BUCKET below with the name of the buckets you created earlier.

If you are using an AWS Key Management Service key for encrypting objects in the S3 buckets, replace YOUR_KMS_KEY_ARN below with the key's ARN.
If you are not using encryption, or using Amazon S3-managed keys, then remove the entire section of the policy granting permission to kms action.

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["ec2:DescribeTags"],
        "Resource": ["*"]
      },
      {
        "Effect": "Allow",
        "Action": [
          "kms:GenerateDataKey",
          "kms:Decrypt",
          "kms:Encrypt"
        ],
        "Resource": [
          "YOUR_KMS_KEY_ARN"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "s3:PutObject"
        ],
        "Resource": [
          "arn:aws:s3:::YOUR_MEDIA_S3_BUCKET/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "s3:GetObject"
        ],
        "Resource": [
          "arn:aws:s3:::YOUR_USER_FILES_S3_BUCKET/*"
        ]
      }
    ]
  }