IAM Roles
testgrinder service will be discontinued on January 31, 2025
testgrinder SMPC was discontinued as of February 1, 2024
You'll need to create two IAM Roles - one for tg-app and the other for tg-bot instances. The roles will be assigned to the launched tg-app and tg-bot instances and give them the necessary access rights.
You can manage IAM Roles from the Roles page of the AWS IAM console at https://console.aws.amazon.com/iamv2
Role tg-app
Create a role named tg-app and assign the following policy to it:
Replace YOUR_MEDIA_S3_BUCKET and YOUR_USER_FILES_S3_BUCKET below with the names of the buckets you created earlier.
If you are using an AWS Key Management Service key for encrypting objects in the S3 buckets, replace YOUR_KMS_KEY_ARN below with the key's ARN.
If you are not using encryption, or are using Amazon S3-managed keys, remove the entire statement of the policy that grants the kms actions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:DescribeTags",
        "ec2:DescribeInstances",
        "ec2:DescribeSecurityGroups",
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "iam:PassRole"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt",
        "kms:Encrypt"
      ],
      "Resource": [
        "YOUR_KMS_KEY_ARN"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR_MEDIA_S3_BUCKET",
        "arn:aws:s3:::YOUR_USER_FILES_S3_BUCKET"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR_MEDIA_S3_BUCKET/*",
        "arn:aws:s3:::YOUR_USER_FILES_S3_BUCKET/*"
      ]
    }
  ]
}
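The tg-app policy above allows iam:PassRole on every resource, so an instance holding that role can attach any role that EC2 can assume to the instances it launches. The following Python check is an added example, not part of the testgrinder documentation: it flags that grant and rewrites it, assuming tg-app only needs to pass the tg-bot role to EC2. The role ARN is a placeholder.

```python
import copy
from fnmatch import fnmatchcase

# Constructed input: the EC2/IAM statement of the tg-app policy shown above.
TG_APP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:CreateTags", "ec2:DescribeTags", "ec2:DescribeInstances",
                   "ec2:DescribeSecurityGroups", "ec2:RunInstances",
                   "ec2:TerminateInstances", "iam:PassRole"],
        "Resource": ["*"],
    }],
}
# Placeholder ARN (assumption): replace the account ID with your own.
TG_BOT_ROLE_ARN = "arn:aws:iam::111122223333:role/tg-bot"

def _as_list(value):  # policy fields may hold one item or a list of items
    return list(value) if isinstance(value, list) else [value]

def wildcard_passrole(policy):
    """Return indexes of Allow statements that grant iam:PassRole on every role."""
    hits = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        # IAM action names are case-insensitive and may use * and ? wildcards.
        passes = any(fnmatchcase("iam:passrole", a.lower())
                     for a in _as_list(stmt.get("Action", [])))
        if stmt.get("Effect") == "Allow" and passes and "*" in _as_list(stmt.get("Resource", [])):
            hits.append(i)
    return hits

def scope_passrole(policy, role_arn):
    """Return a copy with iam:PassRole limited to role_arn and to EC2 as the target service."""
    scoped = copy.deepcopy(policy)
    scoped["Statement"] = _as_list(scoped["Statement"])
    hits = wildcard_passrole(scoped)
    for i in reversed(hits):
        actions = _as_list(scoped["Statement"][i]["Action"])
        kept = [a for a in actions if a.lower() != "iam:passrole"]
        if len(kept) == len(actions):
            raise ValueError("PassRole is granted through a wildcard action; split it by hand")
        if kept:
            scoped["Statement"][i]["Action"] = kept
        else:
            del scoped["Statement"][i]  # the statement granted nothing else
    if hits:  # re-grant PassRole only where it was granted before
        scoped["Statement"].append({"Effect": "Allow", "Action": "iam:PassRole", "Resource": role_arn,
            "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}})
    return scoped
```

Run `wildcard_passrole` on the full policy document before attaching it; an empty list means no statement passes roles without a resource restriction.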
Role tg-bot
Create a role named tg-bot and assign the following policy to it:
Replace YOUR_MEDIA_S3_BUCKET and YOUR_USER_FILES_S3_BUCKET below with the names of the buckets you created earlier.
If you are using an AWS Key Management Service key for encrypting objects in the S3 buckets, replace YOUR_KMS_KEY_ARN below with the key's ARN.
If you are not using encryption, or are using Amazon S3-managed keys, remove the entire statement of the policy that grants the kms actions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:DescribeTags"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt",
        "kms:Encrypt"
      ],
      "Resource": [
        "YOUR_KMS_KEY_ARN"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR_MEDIA_S3_BUCKET/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR_USER_FILES_S3_BUCKET/*"
      ]
    }
  ]
}