AWS IAM Permissions Guide
Overview
Zeet leverages AWS services to deliver its platform capabilities. Understanding the permissions required helps in setting up and using the platform efficiently. This guide delves deep into the AWS IAM permissions used by Zeet, starting with default permissions needed for initial cloud connections and then moving onto fine-grained permissions for advanced users.
1. Default Permissions
These permissions are essential for establishing the basic connection between Zeet and your AWS account.
1.1. Cloud Connection
- Required Permissions:
  - Create IAM Role: Allows Zeet to establish an IAM role for managing resources.
  - Account Administrator: Ensures Zeet has adequate permissions to function smoothly.
- Assumable by: Zeet Management Account
1.2. Platform Permissions (Default)
By default, all platform and deployment permissions, as detailed in the "Fine Grained Customization Permissions" section, are enabled. This streamlined configuration makes it easier for users to explore and get started with the platform.
2. Fine Grained Customization Permissions
This section is for users who need more control over the permissions granted to Zeet. Only Pro, Scale, and Enterprise plan users can customize these permissions.
2.1. Cloud Connection
- Customizable Permissions: Depending on the use case, users can decide which permissions to grant.
- Assumable by: Zeet Management Account
2.2. Platform Permissions by Use Case
Detailed permissions for specific use-cases:
2.2.1. Container Management
Managing Service Containers or Job Containers requires permissions to various AWS services:
- ECR: Allows Zeet to manage container repositories.
- EKS: Lets Zeet interact with Kubernetes services.
- EC2: Provides control over virtual servers in the cloud.
- VPC: Ensures network-related configurations can be adjusted.
- Route53: Allows domain name system service management.
- Autoscaling: Enables dynamic adjustment of resources.
- IAM: Manages AWS access.
- STS: Grants temporary security credentials to containers.
2.2.2. Serverless via AWS Lambda Management
For those looking to manage Serverless Functions:
- CloudFormation: Required for AWS CDK deployment.
- S3: Required for AWS CDK deployment.
- ACM: Manages SSL/TLS certificates (only required if a custom domain is used).
- APIGateway: Manages HTTP endpoints for serverless functions.
- Lambda: Manages serverless functions.
- ECR: Allows management of container repositories.
- IAM: Manages AWS access.
2.2.3. RDS Management
Database management permissions include:
- S3: Storage for Terraform states and modules.
- RDS: Management of Amazon RDS databases.
2.2.4. Terraform Module Management
Needed for Terraform Stack setups:
- S3: Storage for Terraform states and modules.
Additional permissions for Terraform Module Management depend on the specific template utilized.
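The two parts of a cloud connection described above, the role trust relationship from section 1.1 and the per-use-case service scoping from section 2.2, as an added example that is not Zeet's own code: it builds a trust policy that only the management account can assume and a permission policy limited to the services listed for the chosen use cases, then audits an existing policy for services granted beyond that set. The account ID, the ExternalId condition and the mapping from the page's service names to IAM service prefixes are assumptions, not values taken from Zeet.

```python
"""Build and audit a scoped Zeet cloud-connection role policy (added example)."""
import json

# Service prefixes per use case, taken from the lists on this page.
# The IAM prefix spelling (e.g. "logs" for CloudWatch Logs) is an assumption.
USE_CASE_SERVICES = {
    "rds_management": {"s3", "rds"},
    "serverless_lambda": {"cloudformation", "s3", "acm", "apigateway", "lambda", "ecr", "iam"},
    "view_logs": {"cloudwatch", "logs"},
}


def trust_policy(management_account_id: str, external_id: str) -> dict:
    """Trust policy letting only the management account assume the role.
    The account id and ExternalId are placeholders, not Zeet's real values."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def scoped_policy(use_cases) -> dict:
    """Permission policy granting only the services listed for the chosen use cases."""
    services = set().union(*(USE_CASE_SERVICES[u] for u in use_cases))
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": sorted(f"{s}:*" for s in services),
                       "Resource": "*"}],
    }


def excess_services(policy: dict, use_cases) -> set:
    """Return service prefixes an Allow statement grants beyond the chosen use cases.
    A bare '*' action (the default Account Administrator grant) is reported as '*'."""
    allowed = set().union(*(USE_CASE_SERVICES[u] for u in use_cases))
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            granted.add("*" if action == "*" else action.split(":", 1)[0].lower())
    return granted - allowed


if __name__ == "__main__":
    print(json.dumps(scoped_policy(["rds_management"]), indent=2))
```

Running `excess_services` against the policy attached to the Zeet role after customization confirms that nothing outside the selected use cases remains granted.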
2.3. Zeet Dashboard and Monitoring
2.3.1. View Logs
- CloudWatch: Allows historical log viewing on the dashboard.
- Logs: Provides detailed log information.
2.3.2. View Metrics
- CloudWatch: Enables monitoring of metrics related to services managed by Zeet.
2.3.3. Cloud Quota Monitoring
- ServiceQuotas: Monitors AWS service quotas, ensuring that limits are not breached.
2.3.4. Cluster Capacity Monitoring
For monitoring cluster capacity:
- SNS: Sends notifications for capacity events.
- SQS: Message queuing for capacity events.
- CloudWatch: Monitors cluster capacity metrics.
2.3.5. AWS Secret Manager Integration
- SecretsManager: Helps integrate and manage secrets safely.