I have a question similar to #10092 ... but mine is even simpler...
All of the Packer example IAM policies I've seen on the HashiCorp Packer docs so far grant access on *, which is too permissive. We know Packer's objects are all prefixed with "packer_".
Can someone please share a reasonable Packer IAM policy that doesn't grant all of the Packer permissions against the entire EC2 scope? I am looking for an IAM configuration which basically grants just what Packer needs to run and has some sort of condition or expression that says "and these IAM privs only apply to Packer's elements which are prefixed with packer_".
Thank you!
Hi there @blockjon, thanks for reaching out. To my knowledge there is no documentation on using conditions, but I think this would be a good example to have in place. On the Amazon builder overview page there is a minimal list of IAM policies needed for Packer: https://www.packer.io/docs/builders/amazon#iam-task-or-instance-role.
Is this enough to get you started?
If you haven't already you may want to post this same question on the community forum where folks doing similar things can chime in.
The policy linked in the docs uses "*" which means it can do those actions on any EC2 instances in your account, which is pretty much a non-starter. And from what I can tell it's impossible to restrict it with tags because the tags are added after any resources are created. Correct me if I'm wrong. Why isn't this a feature yet?
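The thread's concern is the docs policy granting EC2 actions on `Resource: "*"` with no condition. The following is an added example, not Packer's or HashiCorp's code: a small checker that flags Allow statements granting non-Describe EC2 actions on `"*"` without a Condition, run over two constructed policies. The first mirrors the permissive shape the thread describes; the second applies the standard AWS `aws:RequestTag` / `ec2:ResourceTag` / `ec2:CreateAction` pattern so that mutating actions only apply to resources carrying a tag (the tag key `CreatedBy=packer` and the action lists are assumptions). The scoped policy assumes the resource carries the tag at creation time; the comment above says Packer applies tags after creation, so that assumption has to be verified against your Packer version before relying on it. `ec2:Describe*` actions are exempted because they do not support resource-level permissions in IAM and can only be granted on `"*"`.

```python
"""Flag EC2 permissions granted on Resource "*" without a Condition.

Added example for this thread, not Packer's or HashiCorp's code.
Both policies below are constructed for illustration."""
import json

# Constructed sample of the permissive shape described in the thread:
# mutating EC2 actions on every resource in the account.
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:RunInstances", "ec2:TerminateInstances",
                       "ec2:CreateTags", "ec2:CreateImage",
                       "ec2:DescribeInstances"],
            "Resource": "*",
        }
    ],
}

# Constructed tag-scoped alternative using the AWS ABAC condition keys.
# Assumption: the instance is tagged CreatedBy=packer at launch; the
# comment above says Packer tags after creation, so verify this first.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Describe* calls take no resource-level permissions.
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "ec2:DescribeImages"],
            "Resource": "*",
        },
        {   # The new instance and its volumes must carry the tag.
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": ["arn:aws:ec2:*:*:instance/*",
                         "arn:aws:ec2:*:*:volume/*"],
            "Condition": {"StringEquals": {"aws:RequestTag/CreatedBy": "packer"}},
        },
        {   # Launch-time references (AMI, subnet, SG, key pair) are not ours to tag.
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": ["arn:aws:ec2:*::image/*",
                         "arn:aws:ec2:*:*:subnet/*",
                         "arn:aws:ec2:*:*:network-interface/*",
                         "arn:aws:ec2:*:*:security-group/*",
                         "arn:aws:ec2:*:*:key-pair/*"],
        },
        {   # Tagging allowed only as part of the RunInstances call itself.
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "arn:aws:ec2:*:*:*/*",
            "Condition": {"StringEquals": {"ec2:CreateAction": "RunInstances"}},
        },
        {   # Mutating actions only on instances already carrying the tag.
            "Effect": "Allow",
            "Action": ["ec2:TerminateInstances", "ec2:StopInstances",
                       "ec2:CreateImage"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/CreatedBy": "packer"}},
        },
    ],
}


def _as_list(value):
    """IAM allows a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def find_unscoped(policy):
    """Return (statement_index, action) pairs for Allow statements that grant
    a non-Describe EC2 action on Resource "*" with no Condition attached."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            # Describe* can only ever be granted on "*", so it is not a finding.
            if action.lower().startswith("ec2:describe"):
                continue
            findings.append((idx, action))
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: {json.dumps(find_unscoped(policy))}")
```

Running the checker against a policy you intend to attach (for example, the one linked in the docs) lists exactly which mutating actions it grants account-wide; the scoped policy yields no findings because every mutating statement is either resource-typed or carries a tag condition.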