automation-suite
2023.4
Automation Suite on Linux Installation Guide
Last updated Sep 5, 2024

Roles and policies

The following tables describe the IAM roles (Table 1) and IAM policies (Table 2) that the CloudFormation template creates. Each entry names the template file that defines the role or policy and the actions it grants. The Resource elements and conditions of the statements are not reproduced here, so check the scoping of each grant in the template itself.

Table 1. IAM roles
Role | Actions

CopyRole

This role is used to copy objects between S3 buckets. It is a copy of the role in the https://github.com/aws-quickstart/lambda-copyzips repository that was originally used for the AWS Quick Start.

File: copy-zips.template.yaml
  • s3:GetObject
  • s3:PutObject
  • s3:DeleteObject

ACMCertificateRole

This role creates and verifies an ACM certificate using DNS validation through Route 53. It is a copy of the role in the https://github.com/aws-quickstart/quickstart-aws-acm-certificate repository used for the AWS Quick Start. Note that route53:ChangeResourceRecordSets can add, change or delete any record in the hosted zones it is granted on, so confirm that it is scoped to the hosted zone used for validation.

File: quickstart-aws-acm-certificate.template.yml
  • acm:RequestCertificate
  • acm:DescribeCertificate
  • acm:DeleteCertificate
  • route53:ChangeResourceRecordSets

VPCFlowLogsRole

This role is passed as the DeliverLogsPermissionArn property of the AWS::EC2::FlowLog resource, which lets the VPC flow log publish to CloudWatch Logs. It is a copy of the role in the https://github.com/aws-quickstart/quickstart-aws-vpc Quick Start repository.

File: aws-vpc.template.yaml
  • logs:CreateLogStream
  • logs:PutLogEvents
  • logs:DescribeLogGroups
  • logs:DescribeLogStreams

AutomationAssumeRole

This role is used by the following SSM documents (AWS::SSM::Document):
  • AgentRemoveInstanceDocument: remove an agent instance from the cluster;
  • ServerRemoveInstanceDocument: remove a server instance from the cluster;
  • RegisterAiCenter: register the AI Center service to Orchestrator;
  • OnDemandBackup: create a snapshot of the Automation Suite cluster;
  • OnDemandRestoreDocument: restore the Automation Suite cluster from a given snapshot;
  • GetBackupList: get the list of available snapshots of the Automation Suite cluster;
  • UpdateAMIDocument: update the AMI for the scaling groups.
Note: AutomationAssumeRole allows full access to AWS Systems Manager. For more information, see the AmazonSSMFullAccess managed policy. The role also combines iam:PassRole with ec2:RunInstances and ec2:CreateLaunchTemplateVersion; confirm in the template that iam:PassRole is restricted to the instance role used by the launch templates, because an unrestricted PassRole lets whatever can assume this role launch instances under any role in the account.
File: ec2-management.template.yaml
  • autoscaling:CompleteLifecycleAction
  • autoscaling:RecordLifecycleActionHeartbeat
  • autoscaling:UpdateAutoScalingGroup
  • ssm:SendCommand
  • autoscaling:DescribeAutoScalingGroups
  • ssm:PutParameter
  • ssm:GetParameter
  • logs:PutLogEvents
  • logs:DescribeLogStreams
  • logs:DescribeLogGroups
  • logs:CreateLogStream
  • logs:CreateLogGroup
  • ec2:DescribeImages
  • ec2:DescribeLaunchTemplates
  • ec2:DescribeLaunchTemplateVersions
  • iam:PassRole
  • ec2:CreateLaunchTemplateVersion
  • ec2:RunInstances
  • states:StartExecution
  • states:DescribeExecution

StateMachinesAssumeRole

This role is used by the OnDemandRestoreStateMachine resource (AWS::StepFunctions::StateMachine), which performs the restore operation.
Note: StateMachinesAssumeRole allows full access to AWS Systems Manager. For more information, see the AmazonSSMFullAccess managed policy.
File: ec2-management.template.yaml
Uses the AmazonSSMFullAccess managed policy.

EventsBridgeAssumeRole

This role is used by the following event rules (AWS::Events::Rule):
  • AsRobotsTerminateEventRule
  • AgentTerminateEventRule
  • ServerTerminateEventRule

The rules handle the EC2 Auto Scaling terminate lifecycle action by starting an SSM automation under the passed role.

File: ec2-management.template.yaml
  • ssm:StartAutomationExecution
  • iam:PassRole

ObjectStorageBucketsCleanupLambdaRole

This role is used by the ObjectStorageBucketsCleanupFunction Lambda function, which empties the object storage buckets: it lists objects, object versions and multipart uploads and deletes the objects and versions it finds.

File: external-storage.template.yaml
  • s3:GetAccelerateConfiguration
  • s3:GetBucketLocation
  • s3:GetBucketVersioning
  • s3:ListBucket
  • s3:ListBucketVersions
  • s3:ListBucketMultipartUploads
  • s3:DeleteObject
  • s3:DeleteObjectVersion
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:PutLogEvents
  • xray:PutTraceSegments

ServiceFabricIamRole

This role is attached to the cluster's EC2 instances through the ServiceFabricInstanceProfile and is referenced in the following resources:

  • ServiceFabricInstanceProfile (AWS::IAM::InstanceProfile)
  • The following policies (AWS::IAM::Policy), described in Table 2: LogsAccessPolicy, LifecycleHookActionsPolicy, Ec2QueryPolicy, QuickstartS3IAMPolicy, InputJsonSecretPolicy, KubeconfigSecretPolicy, InstallerDownloadUrlParameterPolicy, ExternalStorageAccessPolicy.

File: uipath-sf.template.yaml
Uses the AmazonSSMManagedInstanceCore managed policy.

AsgProcessModificationRole

This role is used to suspend and resume Auto Scaling group (ASG) processes during CloudFormation stack creation.

File: uipath-sf.template.yaml
  • autoscaling:ResumeProcesses
  • autoscaling:SuspendProcesses
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:PutLogEvents

FindAmiLambdaRole

This role is used by the FindAMIFunction Lambda function, which looks up the AMI to launch.

File: uipath-sf.template.yaml
  • ec2:DescribeImages
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:PutLogEvents
  • xray:PutTraceSegments

CreateInputJsonLambdaRole

This role is used by the CreateInputJsonFunction Lambda function. The function creates the configuration file for the Automation Suite installation and stores it in Secrets Manager.

File: uipath-sf.template.yaml
  • secretsmanager:GetSecretValue
  • secretsmanager:PutSecretValue
  • autoscaling:DescribeAutoScalingGroups
  • autoscaling:DescribeAutoScalingInstances
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:PutLogEvents
  • xray:PutTraceSegments
  • ec2:DescribeImages
  • ec2:DescribeInstanceTypes
  • ec2:DescribeInstanceTypeOfferings

ComputeResourceSizeLambdaRole

This role is used by the ComputeResourceSizeFunction Lambda function. The function validates that the requested compute resources meet the Automation Suite hardware requirements. Note that, in addition to the Describe actions a validator needs, the role can also launch and tag instances (ec2:RunInstances, ec2:CreateTags).

File: uipath-sf.template.yaml
  • autoscaling:DescribeAutoScalingGroups
  • autoscaling:DescribeAutoScalingInstances
  • ec2:DescribeInstances
  • ec2:DescribeInstanceTypeOfferings
  • ec2:DescribeInstanceTypes
  • ec2:DescribeImages
  • ec2:RunInstances
  • ec2:CreateTags
  • cloudformation:DescribeStacks
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:PutLogEvents
  • xray:PutTraceSegments
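The checks a reviewer would want to run over Table 1 (is iam:PassRole pinned to a role ARN, does any role pair PassRole with ec2:RunInstances, which roles carry an AWS managed *FullAccess policy) can be automated against the template. The script below is an added example and is not code from UiPath or from the Automation Suite template. Its TEMPLATE constant is a constructed, heavily reduced stand-in: the role and policy names mirror Table 1 and Table 2, but the statements and Resource values are assumptions made for the illustration, since this page does not show the template's Resource elements. Run the same functions on the real template after converting it to JSON (for example with cfn-flip), because the YAML form uses !Ref and !Sub tags.

```python
"""Static review of IAM roles in a CloudFormation template (added example)."""
from fnmatch import fnmatchcase

TEMPLATE = {  # constructed sample, not the real Automation Suite template
    "Resources": {
        "AutomationAssumeRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {"Policies": [{
                "PolicyName": "automation",
                "PolicyDocument": {"Statement": [
                    {"Effect": "Allow", "Resource": "*",
                     "Action": ["ssm:SendCommand", "ssm:GetParameter", "ssm:PutParameter"]},
                    {"Effect": "Allow", "Resource": "*",  # assumed unscoped for the demo
                     "Action": ["iam:PassRole", "ec2:RunInstances",
                                "ec2:CreateLaunchTemplateVersion"]},
                ]},
            }]},
        },
        "StateMachinesAssumeRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {"ManagedPolicyArns": [
                "arn:aws:iam::aws:policy/AmazonSSMFullAccess"]},
        },
        "ServiceFabricIamRole": {"Type": "AWS::IAM::Role", "Properties": {}},
        "InputJsonSecretPolicy": {  # AWS::IAM::Policy attached through Roles/Ref
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "Roles": [{"Ref": "ServiceFabricIamRole"}],
                "PolicyDocument": {"Statement": [
                    {"Effect": "Allow",
                     "Action": ["secretsmanager:GetSecretValue",
                                "secretsmanager:PutSecretValue"],
                     # assumed ARN, placeholder account and name
                     "Resource": "arn:aws:secretsmanager:eu-west-1:111122223333:secret:input-json-EXAMPLE"}]},
            },
        },
    }
}


def _as_list(value):
    """IAM lets Action, Resource and Statement be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allows(stmt, action):
    """True if an Allow statement's Action patterns cover `action`.
    IAM matches the whole action name case-insensitively, with * and ? wildcards."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt.get("Action")))


def statements_by_role(template):
    """Collect statements per role from inline Policies and from AWS::IAM::Policy
    resources that attach to the role through Roles: [{"Ref": "<LogicalId>"}]."""
    resources = template["Resources"]
    per_role = {rid: [] for rid, r in resources.items() if r["Type"] == "AWS::IAM::Role"}
    for rid, res in resources.items():
        props = res.get("Properties", {})
        if res["Type"] == "AWS::IAM::Role":
            for pol in props.get("Policies", []):
                per_role[rid].extend(_as_list(pol["PolicyDocument"].get("Statement")))
        elif res["Type"] == "AWS::IAM::Policy":
            for ref in props.get("Roles", []):
                target = ref.get("Ref") if isinstance(ref, dict) else ref
                if target in per_role:
                    per_role[target].extend(_as_list(props["PolicyDocument"].get("Statement")))
    return per_role


def audit(template):
    """Return (role, finding, detail) tuples for grants that deserve a second look."""
    findings = []
    resources = template["Resources"]
    for rid, stmts in statements_by_role(template).items():
        for arn in resources[rid].get("Properties", {}).get("ManagedPolicyArns", []):
            if isinstance(arn, str) and arn.startswith("arn:aws:iam::aws:policy/") \
                    and arn.endswith("FullAccess"):
                findings.append((rid, "managed-full-access", arn))
        pass_role = [s for s in stmts if allows(s, "iam:PassRole")]
        if any("*" in _as_list(s.get("Resource")) for s in pass_role):
            findings.append((rid, "passrole-unscoped", 'iam:PassRole with Resource "*"'))
        if pass_role and any(allows(s, "ec2:RunInstances") for s in stmts):
            findings.append((rid, "passrole-with-runinstances",
                             "can launch instances under any role it is allowed to pass"))
    return findings


if __name__ == "__main__":
    for role, kind, detail in audit(TEMPLATE):
        print(f"{role}: {kind}: {detail}")
```

On the constructed sample the audit reports three findings: AutomationAssumeRole for the unscoped PassRole and for PassRole combined with ec2:RunInstances, and StateMachinesAssumeRole for the AmazonSSMFullAccess managed policy. Whether the real template produces the same findings depends on its Resource elements, which is exactly what the check is for.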

Table 2. IAM policies
Policy | Actions

LogsAccessPolicy

Grants write access to CloudWatch Logs, CloudWatch metrics and X-Ray traces.

  • logs:PutLogEvents
  • logs:DescribeLogStreams
  • logs:DescribeLogGroups
  • logs:CreateLogStream
  • logs:CreateLogGroup
  • cloudwatch:PutMetricData
  • xray:PutTraceSegments

LifecycleHookActionsPolicy

Lets the instance complete its Auto Scaling lifecycle hook.

  • autoscaling:CompleteLifecycleAction

Ec2QueryPolicy

Read-only access to EC2 and Auto Scaling group metadata.

  • ec2:DescribeVolumes
  • ec2:DescribeTags
  • ec2:DescribeInstances
  • autoscaling:DescribeAutoScalingInstances
  • autoscaling:DescribeAutoScalingGroups
  • ec2:DescribeImages
  • ec2:DescribeInstanceTypes
  • ec2:DescribeInstanceTypeOfferings

QuickstartS3IAMPolicy

Read access to the Quick Start S3 bucket.

  • s3:GetObject

InputJsonSecretPolicy

Read and write access to the Secrets Manager secret that holds the Automation Suite input JSON (the installation configuration). Confirm that both actions are scoped to that one secret, since secretsmanager:PutSecretValue on a wider Resource would let the instances overwrite other secrets.

  • secretsmanager:GetSecretValue
  • secretsmanager:PutSecretValue

KubeconfigSecretPolicy

Read and write access to the Secrets Manager secret that holds the cluster kubeconfig. The kubeconfig grants administrative access to the cluster, so this secret should be scoped as tightly as the input JSON one.

  • secretsmanager:GetSecretValue
  • secretsmanager:PutSecretValue

InstallerDownloadUrlParameterPolicy

Read access to the SSM parameter that holds the installer download URL.

  • ssm:GetParameter

ExternalStorageAccessPolicy

Access to the external object storage (S3) buckets. Besides the object-level wildcards, the policy grants s3:PutBucketPolicy, s3:DeleteBucketPolicy and s3:PutBucketAcl, which can change who is allowed to reach the buckets; confirm that the Resource element limits these to the external storage buckets. s3:ListAllMyBuckets is an account-level action and is the one entry that legitimately needs Resource "*".

  • s3:GetBucketAcl
  • s3:GetBucketCORS
  • s3:GetBucketLocation
  • s3:GetBucketNotification
  • s3:GetBucketPolicy
  • s3:PutBucketPolicy
  • s3:DeleteBucketPolicy
  • s3:GetBucketVersioning
  • s3:ListBucket
  • s3:ListBucketMultipartUploads
  • s3:PutBucketAcl
  • s3:PutBucketCORS
  • s3:*Object
  • s3:*ObjectAcl
  • s3:*ObjectAttributes
  • s3:*ObjectVersion
  • s3:*ObjectVersionTagging
  • s3:AbortMultipartUpload
  • s3:ListMultipartUploadParts
  • s3:ListAllMyBuckets
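The wildcard entries in ExternalStorageAccessPolicy (s3:*Object, s3:*ObjectAcl, s3:*ObjectAttributes, s3:*ObjectVersion, s3:*ObjectVersionTagging) are matched by IAM against the whole action name, case-insensitively, with * standing for any run of characters, so what they actually grant is only visible once they are expanded against the service's action list. The script below is an added example, not UiPath code: it expands those five patterns against S3_ACTIONS, a constructed and deliberately partial catalogue of real S3 action names assembled for this illustration (the real service action list is longer and grows over time, which is why a wildcard grant can cover actions that did not exist when the policy was written), and shows what a wildcard adds over an explicit list such as the three object actions granted to CopyRole.

```python
"""Expand IAM action wildcards against an S3 action catalogue (added example)."""
from fnmatch import fnmatchcase

# The wildcard entries from ExternalStorageAccessPolicy.
PATTERNS = ["s3:*Object", "s3:*ObjectAcl", "s3:*ObjectAttributes",
            "s3:*ObjectVersion", "s3:*ObjectVersionTagging"]

# Constructed, partial catalogue of real S3 action names; not the full service list.
S3_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:RestoreObject", "s3:ReplicateObject",
    "s3:GetObjectAcl", "s3:PutObjectAcl", "s3:GetObjectVersionAcl", "s3:PutObjectVersionAcl",
    "s3:GetObjectVersion", "s3:DeleteObjectVersion",
    "s3:GetObjectAttributes", "s3:GetObjectVersionAttributes",
    "s3:GetObjectTagging", "s3:PutObjectTagging", "s3:DeleteObjectTagging",
    "s3:GetObjectVersionTagging", "s3:PutObjectVersionTagging", "s3:DeleteObjectVersionTagging",
    "s3:GetObjectRetention", "s3:PutObjectRetention",
    "s3:GetObjectLegalHold", "s3:PutObjectLegalHold", "s3:BypassGovernanceRetention",
    "s3:ListBucket", "s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy",
    "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts",
]


def iam_action_matches(pattern, action):
    """IAM action matching: whole string, case-insensitive, * and ? wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def expand(pattern, catalogue=S3_ACTIONS):
    """All catalogue actions a single pattern grants, in catalogue order."""
    return [a for a in catalogue if iam_action_matches(pattern, a)]


def expand_all(patterns=PATTERNS, catalogue=S3_ACTIONS):
    """Map each pattern to the actions it grants."""
    return {p: expand(p, catalogue) for p in patterns}


def beyond_explicit(pattern, explicit, catalogue=S3_ACTIONS):
    """Actions the wildcard grants that a hand-written explicit list would not."""
    explicit_lc = {a.lower() for a in explicit}
    return [a for a in expand(pattern, catalogue) if a.lower() not in explicit_lc]


if __name__ == "__main__":
    for pattern, actions in expand_all().items():
        print(f"{pattern:26} -> {', '.join(actions)}")
    # CopyRole lists exactly GetObject, PutObject and DeleteObject; s3:*Object grants more.
    print("s3:*Object beyond CopyRole's list:",
          beyond_explicit("s3:*Object", ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]))
```

Note that the suffix match is strict: s3:*Object does not cover s3:GetObjectAcl or s3:PutObjectRetention, and s3:*ObjectVersion does not cover s3:GetObjectVersionAcl, so the five patterns together are narrower than s3:*Object* would be; what they do add over an explicit list is every current and future action whose name ends in one of those suffixes.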
