Got a t2.micro instance, and need to grant someone else permission to start/stop it, so they don't keep bugging me with requests.
Want to do it reasonably properly, but not over the top. I've created them a dedicated IAM user account, and granted Full EC2 permissions to it, but when they log in they can't see the existing instance in the list.
So obviously I need to give them permissions to manipulate that particular instance.
All the docs go on about creating IAM Roles, but with a few dire warnings. After a long day and a few beers, that looks like a convoluted way of achieving a simple goal, but ...
Is there a dummy's guide to all this? We're not talking megacorp needing detailed, full-on role-based control for a massive infrastructure. Just one mate letting another mate turn something off and on without buggering up other stuff.
Comments
One gotcha that springs to mind, have they selected the correct region? They won't see the instances if not.
And yes, the custom policy JSON is basically the only sensible way to do it (for limited values of "sensible").
Oh, and don't think about getting clever with the "Version" field in the JSON - change that, and nothing will work.
AWS is possibly the most convoluted, bloated, unintuitive bit of tech I've ever come across. If it wasn't for the fact that it's basically the only game in town when you need FCA-approved security (other than DIY), I'd never touch the damn thing.
It does feel like a system that is deliberately obfuscated for no good reason. Possibly because it's too big, and no-one has thought to document it in ascending (or descending) levels of complexity from "Simple task primers with worked examples" down to "here's the heavy shit the clever people can do". It almost makes me think fondly of official Microsoft documentation. Almost.
All of this is just to run a FoundryVTT server for mates to play D&D once a week. I've got through my first bag (free year) so need to have a way for the DM to start and stop the thing for himself, rather than having it running 24/7. Not that it would cost much if it did, but ...
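As an added example (not from anyone in the thread), this is the shape of custom policy JSON the comments refer to: the user can list all instances in the account (the `ec2:Describe*` actions do not support resource-level permissions, so `Resource` has to be `*` or the console list stays empty), but may only start and stop the one instance named by its ARN. The `Version` value is the fixed IAM policy-language version and must be left exactly as shown; `REGION_PLACEHOLDER`, `ACCOUNT_ID_PLACEHOLDER` and `INSTANCE_ID_PLACEHOLDER` are placeholders for the t2.micro's own region, 12-digit account ID and `i-...` instance ID.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListInstancesSoTheConsoleShowsThem",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus"
      ],
      "Resource": "*"
    },
    {
      "Sid": "StartStopOnlyThisInstance",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:REGION_PLACEHOLDER:ACCOUNT_ID_PLACEHOLDER:instance/INSTANCE_ID_PLACEHOLDER"
    }
  ]
}
```

Attach this to the dedicated IAM user as an inline or customer-managed policy in place of the full EC2 permissions; the user still has to pick the instance's region in the console before it appears, and any start/stop attempt on another instance is denied by default because nothing grants it.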