widdix / complete-aws-iam-reference

Complete AWS IAM Reference
https://iam.cloudonaut.io

Multiple instances of ec2:RunInstances in the overview #4

Open derBroBro opened 7 years ago

derBroBro commented 7 years ago

There are multiple instances of the RunInstances method in the overview. All are linking to the same details page. https://github.com/widdix/complete-aws-iam-reference/blob/master/services/ec2.md (Line 12-20) I am not sure if this should be aggregated and if yes how; otherwise I could also create a PR.

michaelwittig commented 7 years ago

The ec2 service is somehow special because one api action (e.g. RunInstances) requires access to multiple resources (like ami, key pair, subnet, ...) while those resources can be defined in different ways (e.g. or full arn, but sometimes only ). So it's basically one additional hierarchy, but this is only present for a very small subset of api actions. The way it is represented matches with the AWS docs. Any ideas how the table could be improved?

derBroBro commented 7 years ago

I understand your point. Especially because this project is not (so messy) like the official documentation, it is so helpful. Many thanks for that! :thumbsup:

For example it would be possible to aggregate them all together into one column. With this also the conditions would be reduced, as the region or the tag is available multiple times. Example:

| Action | Description | Resource | Condition |
|---|---|---|---|
| ec2:RunInstances | Launches the specified number of instances using an AMI for which you have permissions. | arn:aws:ec2:$region::image/*, arn:aws:ec2:$region::image/$image-id, arn:aws:ec2:$region:$account-id:instance/*, arn:aws:ec2:$region:$account-id:key-pair/*, arn:aws:ec2:$region:$account-id:key-pair/key-pair-name | ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:RootDeviceType, ec2:ResourceTag/tag-key |

Then this presentation type could also be used at the details page.

Without the limitations of md something like this would be possible:

| Action | Description | Resource | Condition |
|---|---|---|---|
| ec2:RunInstances | Launches the specified number of instances using an AMI for which you have permissions. | arn:aws:ec2:$region::image/*, arn:aws:ec2:$region::image/$image-id | ec2:ImageType, ec2:Owner, ec2:Public, ec2:Region, ec2:RootDeviceType, ec2:ResourceTag/tag-key |
| | | arn:aws:ec2:$region:$account-id:instance/* | ec2:AvailabilityZone, ec2:EbsOptimized, ec2:InstanceProfile, ec2:InstanceType, ec2:PlacementGroup, ec2:Region, ec2:RootDeviceType, ec2:Tenancy |
| | | arn:aws:ec2:$region:$account-id:key-pair/*, arn:aws:ec2:$region:$account-id:key-pair/key-pair-name | ec2:Region |
| | | arn:aws:ec2:$region:$account-id:network-interface/* (if specifying a subnet in the request), arn:aws:ec2:$region:$account-id:network-interface/eni-id | ec2:AvailabilityZone, ec2:Region, ec2:Subnet, ec2:ResourceTag/tag-key, ec2:Vpc |
| | | arn:aws:ec2:$region:$account-id:placement-group/*, arn:aws:ec2:$region:$account-id:placement-group/placement-group-name | ec2:Region, ec2:PlacementGroupStrategy |
| | | arn:aws:ec2:$region:$account-id:security-group/*, arn:aws:ec2:$region:$account-id:security-group/security-group-id | ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc |
| | | arn:aws:ec2:$region::snapshot/*, arn:aws:ec2:$region::snapshot/$snapshot-id | ec2:Owner, ec2:ParentVolume, ec2:Region, ec2:SnapshotTime, ec2:ResourceTag/tag-key, ec2:VolumeSize |
| | | arn:aws:ec2:$region:$account-id:subnet/*, arn:aws:ec2:$region:$account-id:subnet/$subnet-id | ec2:AvailabilityZone, ec2:Region, ec2:ResourceTag/tag-key, ec2:Vpc |
| | | arn:aws:ec2:$region:$account-id:volume/* (if launching from an EBS-backed image) | ec2:AvailabilityZone, ec2:ParentSnapshot, ec2:Region, ec2:VolumeIops, ec2:VolumeSize, ec2:VolumeType |

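The per-resource hierarchy discussed in this thread is exactly what a least-privilege RunInstances policy has to mirror: one statement per resource type, each carrying only the condition keys that apply to that type. The policy below is an added illustration, not part of the issue or the project's reference; the region `eu-west-1`, the account id `111122223333` and the VPC id are placeholders, and the condition values (allowed instance types, volume limits) are assumptions for the example. Resource types used by a given launch but not listed here (for example placement groups or snapshots from the table above) would still have to be granted, or the call is denied.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmazonOwnedImagesOnly",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:eu-west-1::image/ami-*",
      "Condition": {
        "StringEquals": { "ec2:Owner": "amazon" },
        "Bool": { "ec2:Public": "true" }
      }
    },
    {
      "Sid": "SmallSharedTenancyInstances",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:eu-west-1:111122223333:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceType": ["t3.micro", "t3.small"],
          "ec2:Tenancy": "default"
        }
      }
    },
    {
      "Sid": "NetworkResourcesInOneVpc",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:eu-west-1:111122223333:subnet/*",
        "arn:aws:ec2:eu-west-1:111122223333:security-group/*",
        "arn:aws:ec2:eu-west-1:111122223333:network-interface/*"
      ],
      "Condition": {
        "ArnEquals": { "ec2:Vpc": "arn:aws:ec2:eu-west-1:111122223333:vpc/vpc-0123456789abcdef0" }
      }
    },
    {
      "Sid": "BoundedRootVolumes",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:eu-west-1:111122223333:volume/*",
      "Condition": {
        "StringEquals": { "ec2:VolumeType": "gp3" },
        "NumericLessThanEquals": { "ec2:VolumeSize": "100" }
      }
    },
    {
      "Sid": "AnyKeyPairInAccount",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:eu-west-1:111122223333:key-pair/*"
    }
  ]
}
```

Each statement is evaluated against a different ARN in the same RunInstances request, which is why a condition key such as ec2:InstanceType must sit on the instance statement and ec2:Vpc on the subnet, security-group and network-interface statement; put on the wrong resource type, the key is simply absent from the request context and the condition fails.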
michaelwittig commented 7 years ago

I had a look at the code. It's possible but not as easy as I thought. So this will take some time and bad weather...

stefansundin commented 6 years ago

I ran into the need of understanding ec2:RunInstances as well recently. This documentation page helped me greatly: https://docs.aws.amazon.com/en_us/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html#supported-iam-actions-runinstances

It seems a bit limiting to only be able to specify one link for an action. It would be good if the detail page for certain actions could be overridden with a more complicated page (maybe represented with its own .md file). This would only be needed for certain complicated actions, like RunInstances.