basti-app / basti

✨ Securely connect to RDS, Elasticache, and other AWS resources in VPCs with no idle cost
https://www.basti.app
MIT License

Document required permissions to run basti init #102

Open tibuntu opened 3 months ago

tibuntu commented 3 months ago

Bug Description

Hi there, we recently reduced IAM permissions for our developers, which led to the situation that they can no longer run basti init by themselves. Could you please document the required permissions?

Right now Basti isn't really pointing out which permissions are missing (which it, btw, does when running a cleanup):

Error setting up bastion. Can't create IAM role for bastion instance. Access denied by IAM.

Thanks!

Steps to Reproduce

Do not grant your AWS user full IAM permissions and try to run basti init

BohdanPetryshyn commented 2 months ago

Hi @tibuntu! I missed the issue somehow and since it's almost a month from when you opened it, is the request still relevant to you?

I understand that your use case might differ from my experience but in general, the recommended way of using Basti in a limited privilege environment is to initialize an instance once and then grant people the minimal set of permissions for the connect command documented here.

Cheers.

andreas-mueller-bb commented 2 months ago

Even for a limited privilege environment it would be interesting to know which exact permissions are needed, if the initialization should be carried out by someone who doesn't hold full administrator permissions.

Also for transparency reasons I would welcome an overview :)