IAM policy to give workflow access to resources - AWS HealthOmics

IAM policy to give workflow access to resources

The following is a comprehensive example of an IAM policy for a role that grants a workflow permission to access the resources it uses: the Amazon S3 bucket it reads inputs from, the bucket it writes outputs to, and the Amazon ECR repositories that hold its container images. The policy also includes access to some Amazon CloudWatch Logs resources that can help with troubleshooting or tracking the use of AWS actions and resources. The CloudWatch permissions aren't required to run a workflow.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET1/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET1"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET2/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogStreams",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:us-west-2:123456789012:log-group:/aws/omics/WorkflowLog:log-stream:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": [
        "arn:aws:logs:us-west-2:{{accountId}}:log-group:/aws/omics/WorkflowLog:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchCheckLayerAvailability"
      ],
      "Resource": [
        "arn:aws:ecr:us-west-2:{{accountId}}:repository/*"
      ]
    }
  ]
}

Authorize the HealthOmics service to assume the role by attaching the following trust policy to it.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "omics.amazonaws.com"
      }
    }
  ]
}
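The two documents above are what the role ends up with; before deploying them it is worth checking, offline, what they actually grant. The following Python script is an added example, not code from the AWS documentation or the HealthOmics service. It embeds constructed copies of the permissions and trust policies (with `123456789012` as a placeholder account id throughout), implements IAM's `*`/`?` wildcard matching, and answers three questions a reviewer asks of a workflow role: which actions the role may perform on a given ARN (confirming the input bucket is read-only and the output bucket is write-only), whether any statement uses a wildcard action or resource, and whether the trust policy names exactly the expected service principal. The check functions and their rule names are this example's own; the `aws:SourceAccount` condition it suggests is a standard IAM guard for service-assumed roles that this page does not itself show.

```python
"""Offline checks on a HealthOmics workflow role's policy documents (added example)."""
import re

# Constructed placeholder values for this example; the page uses both a
# literal account id and an {{accountId}} template, normalised here to one.
ACCOUNT_ID = "123456789012"
REGION = "us-west-2"

# Constructed copy of the page's permissions policy.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET1/*"]},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET1"]},
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET2/*"]},
        {"Effect": "Allow",
         "Action": ["logs:DescribeLogStreams", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": [f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:/aws/omics/WorkflowLog:log-stream:*"]},
        {"Effect": "Allow", "Action": ["logs:CreateLogGroup"],
         "Resource": [f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:/aws/omics/WorkflowLog:*"]},
        {"Effect": "Allow",
         "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"],
         "Resource": [f"arn:aws:ecr:{REGION}:{ACCOUNT_ID}:repository/*"]},
    ],
}

# Constructed copy of the page's trust policy.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": "omics.amazonaws.com"}}],
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _iam_match(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' is one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def actions_allowed_on(policy, arn):
    """Set of actions that Allow statements grant on the given ARN.

    Only Allow statements are evaluated; Deny statements and conditions are
    out of scope for this static check (the page's policy has neither).
    """
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(_iam_match(r, arn) for r in _as_list(stmt["Resource"])):
            allowed.update(_as_list(stmt["Action"]))
    return allowed


def find_overbroad_statements(policy):
    """Return (statement index, reason) for Allow statements with wildcard actions or resources."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"wildcard action {action}"))
        for resource in _as_list(stmt["Resource"]):
            if resource == "*":
                findings.append((i, "resource '*'"))
    return findings


def check_trust_policy(policy, expected_service):
    """Flag AssumeRole statements whose principal is not exactly the expected
    service, and statements with no Condition (an aws:SourceAccount condition is
    the usual confused-deputy guard on a service-assumed role)."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if services != [expected_service] or len(principal) != 1:
            findings.append((i, f"principal {principal!r} is not exactly {expected_service}"))
        if "Condition" not in stmt:
            findings.append((i, "no Condition (consider aws:SourceAccount)"))
    return findings


if __name__ == "__main__":
    for arn in ("arn:aws:s3:::DOC-EXAMPLE-BUCKET1/reads/sample.fastq",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET2/results/out.bam"):
        print(arn, "->", sorted(actions_allowed_on(PERMISSIONS_POLICY, arn)))
    print("over-broad:", find_overbroad_statements(PERMISSIONS_POLICY))
    print("trust policy:", check_trust_policy(TRUST_POLICY, "omics.amazonaws.com"))
```

Run as a script it reports that objects under `DOC-EXAMPLE-BUCKET1` can only be read and objects under `DOC-EXAMPLE-BUCKET2` can only be written, that no statement is over-broad, and that the trust policy's single finding is the absent `Condition`. Adding `"Condition": {"StringEquals": {"aws:SourceAccount": "<your account id>"}}` to the trust statement clears that finding and keeps another account's workflow runs from assuming the role.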