IAM Roles

testgrinder service will be discontinued on January 31, 2025

testgrinder SMPC was discontinued as of February 1, 2024

You'll need to create two IAM Roles - one for tg-app and the other for tg-bot instances. The roles will be assigned to the launched tg-app and tg-bot instances and give them the necessary access rights.

You can manage IAM Roles from the Roles page of the AWS IAM console at https://console.aws.amazon.com/iamv2.

If you plan to have several testgrinder deployments, to ensure proper access to S3 buckets, it is recommended to create a separate set of roles for each testgrinder deployment. Use descriptive role names, such as tg-eval-app and tg-prod-app, to distinguish between them.

Role tg-app

Create a role named tg-app and assign the following policy to it:

Replace YOUR_MEDIA_S3_BUCKET and YOUR_USER_FILES_S3_BUCKET below with the names of the buckets you created earlier.

  • If you are using an AWS Key Management Service key for encrypting objects in the S3 buckets, replace YOUR_KMS_KEY_ARN below with the key's ARN.

  • If you are not using encryption, or are using Amazon S3-managed keys, remove the entire policy statement that grants the kms actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:DescribeTags",
        "ec2:DescribeInstances",
        "ec2:DescribeSecurityGroups",
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "iam:PassRole"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt",
        "kms:Encrypt"
      ],
      "Resource": [
        "YOUR_KMS_KEY_ARN"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR_MEDIA_S3_BUCKET",
        "arn:aws:s3:::YOUR_USER_FILES_S3_BUCKET"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR_MEDIA_S3_BUCKET/*",
        "arn:aws:s3:::YOUR_USER_FILES_S3_BUCKET/*"
      ]
    }
  ]
}

Role tg-bot

Create a role named tg-bot and assign the following policy to it:

Replace YOUR_MEDIA_S3_BUCKET and YOUR_USER_FILES_S3_BUCKET below with the names of the buckets you created earlier.

  • If you are using an AWS Key Management Service key for encrypting objects in the S3 buckets, replace YOUR_KMS_KEY_ARN below with the key's ARN.

  • If you are not using encryption, or are using Amazon S3-managed keys, remove the entire policy statement that grants the kms actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:DescribeTags"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt",
        "kms:Encrypt"
      ],
      "Resource": [
        "YOUR_KMS_KEY_ARN"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR_MEDIA_S3_BUCKET/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR_USER_FILES_S3_BUCKET/*"
      ]
    }
  ]
}
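The following Python script is an added example, not part of testgrinder's documentation or tooling. It carries out the placeholder substitution described for both the tg-app and tg-bot policies above: it fills in the bucket names and the optional KMS key ARN, drops the kms statement when no KMS key is configured, refuses to emit a policy that still contains a YOUR_ placeholder, lists the actions granted on every resource (Resource "*") so they can be reviewed before the role is created, and confirms that tg-bot holds no permission that tg-app lacks. The bucket names and key ARN in the usage section are constructed sample values; the policy templates are copied from this page.

```python
import copy
import json
import re

# Copies of the two policy templates from this page (kms statement included).
TG_APP_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:CreateTags", "ec2:DescribeTags", "ec2:DescribeInstances",
                    "ec2:DescribeSecurityGroups", "ec2:RunInstances",
                    "ec2:TerminateInstances", "iam:PassRole"],
         "Resource": ["*"]},
        {"Effect": "Allow",
         "Action": ["kms:GenerateDataKey", "kms:Decrypt", "kms:Encrypt"],
         "Resource": ["YOUR_KMS_KEY_ARN"]},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::YOUR_MEDIA_S3_BUCKET",
                      "arn:aws:s3:::YOUR_USER_FILES_S3_BUCKET"]},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::YOUR_MEDIA_S3_BUCKET/*",
                      "arn:aws:s3:::YOUR_USER_FILES_S3_BUCKET/*"]},
    ],
}

TG_BOT_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:DescribeTags"], "Resource": ["*"]},
        {"Effect": "Allow",
         "Action": ["kms:GenerateDataKey", "kms:Decrypt", "kms:Encrypt"],
         "Resource": ["YOUR_KMS_KEY_ARN"]},
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": ["arn:aws:s3:::YOUR_MEDIA_S3_BUCKET/*"]},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::YOUR_USER_FILES_S3_BUCKET/*"]},
    ],
}

# Placeholder names used on this page all start with YOUR_.
PLACEHOLDER = re.compile(r"YOUR_[A-Z0-9_]+")


def find_placeholders(policy_text):
    """Return the sorted set of YOUR_* placeholders still present in a policy document."""
    return sorted(set(PLACEHOLDER.findall(policy_text)))


def render_policy(template, media_bucket, user_files_bucket, kms_key_arn=None):
    """Fill in the placeholders; without a KMS key, drop the kms statement as the page instructs."""
    policy = copy.deepcopy(template)
    if kms_key_arn is None:
        policy["Statement"] = [
            stmt for stmt in policy["Statement"]
            if not any(action.startswith("kms:") for action in stmt["Action"])
        ]
    text = json.dumps(policy)
    text = text.replace("YOUR_MEDIA_S3_BUCKET", media_bucket)
    text = text.replace("YOUR_USER_FILES_S3_BUCKET", user_files_bucket)
    if kms_key_arn is not None:
        text = text.replace("YOUR_KMS_KEY_ARN", kms_key_arn)
    leftover = find_placeholders(text)
    if leftover:
        raise ValueError(f"policy still contains placeholders: {leftover}")
    return json.loads(text)


def granted(policy):
    """Set of (action, resource) pairs the policy's Allow statements grant."""
    pairs = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in stmt["Action"]:
            for resource in stmt["Resource"]:
                pairs.add((action, resource))
    return pairs


def wildcard_actions(policy):
    """Actions granted on Resource "*"; these are not scoped to a bucket or key, so review them."""
    return sorted(action for action, resource in granted(policy) if resource == "*")


def bot_within_app(app_policy, bot_policy):
    """True when tg-bot holds no (action, resource) pair that tg-app does not also hold."""
    return granted(bot_policy) <= granted(app_policy)


if __name__ == "__main__":
    # Constructed sample values; substitute your own bucket names and key ARN.
    media, files = "tg-eval-media", "tg-eval-user-files"
    key = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"
    app = render_policy(TG_APP_TEMPLATE, media, files, key)
    bot = render_policy(TG_BOT_TEMPLATE, media, files, key)
    print("tg-app actions on every resource:", wildcard_actions(app))
    print("tg-bot stays within tg-app:", bot_within_app(app, bot))
    print(json.dumps(app, indent=2))
```

Run it once per deployment (for example with the tg-eval and tg-prod bucket names) and paste the printed documents into the respective roles; the wildcard list is the part of each policy to read most carefully, since those actions are not tied to the buckets or key you named.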
