example: ec2: document "minimal" policy (#1536)

* example: ec2: document "minimal" policy * move DescribeInstances * move ModifyInstanceCreditSpecification
2026-06-02 20:48:20 +00:00 · 2022-05-18 08:17:05 -05:00
parent 4e28b2d9c5
commit 6bed620d6c
2 changed files with 64 additions and 0 deletions
@@ -3,3 +3,62 @@ name: Develop in Linux on AWS EC2
 description: Get started with Linux development on AWS EC2.
 tags: [cloud, aws]
 ---
+
+# aws-linux
+
+## Getting started
+
+Pick this template in `coder templates init` and follow instructions.
+
+## Required permissions / policy
+
+This example policy allows Coder to create EC2 instances and modify instances provisioned by Coder.
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "ec2:GetDefaultCreditSpecification",
+                "ec2:DescribeIamInstanceProfileAssociations",
+                "ec2:DescribeTags",
+                "ec2:CreateTags",
+                "ec2:RunInstances",
+                "ec2:DescribeInstanceCreditSpecifications",
+                "ec2:DescribeImages",
+                "ec2:ModifyDefaultCreditSpecification",
+                "ec2:DescribeVolumes"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "CoderResouces",
+            "Effect": "Allow",
+            "Action": [
+                "ec2:DescribeInstances",
+                "ec2:DescribeInstanceAttribute",
+                "ec2:UnmonitorInstances",
+                "ec2:TerminateInstances",
+                "ec2:StartInstances",
+                "ec2:StopInstances",
+                "ec2:DeleteTags",
+                "ec2:MonitorInstances",
+                "ec2:CreateTags",
+                "ec2:RunInstances",
+                "ec2:ModifyInstanceAttribute",
+                "ec2:ModifyInstanceCreditSpecification"
+            ],
+            "Resource": "arn:aws:ec2:*:*:instance/*",
+            "Condition": {
+                "StringEquals": {
+                    "aws:ResourceTag/Coder_Provisioned": "true"
+                }
+            }
+        }
+    ]
+}
+```
+
@@ -11,6 +11,9 @@ variable "access_key" {
  description = <<EOT
 Create an AWS access key to provision resources with Coder:
 - https://console.aws.amazon.com/iam/home#/users
+
+See the template README for an example permissions policy,
+if needed.
  
 AWS Access Key ID
 EOT
@@ -138,5 +141,7 @@ resource "aws_instance" "dev" {
  user_data = data.coder_workspace.me.transition == "start" ? local.user_data_start : local.user_data_end
  tags = {
    Name = "coder-${data.coder_workspace.me.owner}-${data.coder_workspace.me.name}"
+    # Required if you are using our example policy, see template README
+    Coder_Provisioned = "true"
  }
 }