Automation Suite 2024.10

Automation Suite on Linux Installation Guide

Last updated Feb 3, 2025

Roles and policies

The following tables describe the IAM roles (Table 1) and IAM policies (Table 2) that the CloudFormation template creates. For each role, the template file that defines it and the IAM actions it is allowed to perform are listed.

Table 1. IAM roles
Role | Actions

CopyRole

This role is used to copy objects between S3 buckets. It is a copy of the role defined in the AWS Quick Start repository https://github.com/aws-quickstart/lambda-copyzips, originally used for the AWS Quick Start.

File: copy-zips.template.yaml
  • s3:GetObject
  • s3:PutObject
  • s3:DeleteObject

ACMCertificateRole

The purpose of this role is to create and verify an ACM certificate using DNS validation and Route 53. It is a copy of the role defined in the AWS Quick Start repository https://github.com/aws-quickstart/quickstart-aws-acm-certificate.

File: quickstart-aws-acm-certificate.template.yml
  • acm:RequestCertificate
  • acm:DescribeCertificate
  • acm:DeleteCertificate
  • route53:ChangeResourceRecordSets

VPCFlowLogsRole

This role serves as the value of the DeliverLogsPermissionArn parameter of the AWS::EC2::FlowLog resource type. It is a copy of the role defined in the AWS Quick Start repository https://github.com/aws-quickstart/quickstart-aws-vpc.

File: aws-vpc.template.yaml
  • logs:CreateLogStream
  • logs:PutLogEvents
  • logs:DescribeLogGroups
  • logs:DescribeLogStreams

AutomationAssumeRole

This role is used by the following SSM documents (AWS::SSM::Document):
  • AgentRemoveInstanceDocument: remove an agent instance from the cluster;
  • ServerRemoveInstanceDocument: remove a server instance from the cluster;
  • RegisterAiCenter: register the AI Center service to Orchestrator;
  • OnDemandBackup: create a snapshot of the Automation Suite cluster;
  • OnDemandRestoreDocument: restore the Automation Suite cluster from a given snapshot;
  • GetBackupList: get the list of available snapshots of the Automation Suite cluster;
  • UpdateAMIDocument: update the AMI for the scaling groups.
Note: AutomationAssumeRole allows full access to AWS Systems Manager (SSM). For more information, see AmazonSSMFullAccess. This is a broad, privileged grant; review it against your least-privilege requirements before deploying.
Check: the role combines iam:PassRole with ec2:RunInstances and ec2:CreateLaunchTemplateVersion, so confirm that the iam:PassRole statement in ec2-management.template.yaml is restricted to the instance role the launch templates actually use.
File: ec2-management.template.yaml
  • autoscaling:CompleteLifecycleAction
  • autoscaling:RecordLifecycleActionHeartbeat
  • autoscaling:UpdateAutoScalingGroup
  • ssm:SendCommand
  • autoscaling:DescribeAutoScalingGroups
  • ssm:PutParameter
  • ssm:GetParameter
  • logs:PutLogEvents
  • logs:DescribeLogStreams
  • logs:DescribeLogGroups
  • logs:CreateLogStream
  • logs:CreateLogGroup
  • ec2:DescribeImages
  • ec2:DescribeLaunchTemplates
  • ec2:DescribeLaunchTemplateVersions
  • iam:PassRole
  • ec2:CreateLaunchTemplateVersion
  • ec2:RunInstances
  • states:StartExecution
  • states:DescribeExecution

StateMachinesAssumeRole

This role is used by the OnDemandRestoreStateMachine resource (AWS::StepFunctions::StateMachine), which performs the restore operation.
Note: StateMachinesAssumeRole allows full access to AWS Systems Manager (SSM). For more information, see AmazonSSMFullAccess.
File: ec2-management.template.yaml
Uses the AmazonSSMFullAccess managed policy.

EventsBridgeAssumeRole

This role is used by the following event rules (AWS::Events::Rule):
  • AsRobotsTerminateEventRule
  • AgentTerminateEventRule
  • ServerTerminateEventRule

These rules are triggered by the instance terminate lifecycle action.

File: ec2-management.template.yaml
  • ssm:StartAutomationExecution
  • iam:PassRole

ObjectStorageBucketsCleanupLambdaRole

This role is used by the ObjectStorageBucketsCleanupFunction Lambda function, which cleans up the object storage buckets: it lists objects, object versions and multipart uploads, and deletes objects and object versions.

File: external-storage.template.yaml
  • s3:GetAccelerateConfiguration
  • s3:GetBucketLocation
  • s3:GetBucketVersioning
  • s3:ListBucket
  • s3:ListBucketVersions
  • s3:ListBucketMultipartUploads
  • s3:DeleteObject
  • s3:DeleteObjectVersion
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:PutLogEvents
  • xray:PutTraceSegments

ServiceFabricIamRole

This role is referenced in the following resources:

  • ServiceFabricInstanceProfile (AWS::IAM::InstanceProfile)
  • The following policies (AWS::IAM::Policy): LogsAccessPolicy, LifecycleHookActionsPolicy, Ec2QueryPolicy, QuickstartS3IAMPolicy, InputJsonSecretPolicy, KubeconfigSecretPolicy, InstallerDownloadUrlParameterPolicy, ExternalStorageAccessPolicy (see Table 2).

Because the role is attached to the cluster instances through the instance profile, any process running on those instances can obtain credentials for it from the instance metadata service and use the combined permissions of all the policies above.

File: uipath-sf.template.yaml
Uses the AmazonSSMManagedInstanceCore managed policy.

AsgProcessModificationRole

This role is used to suspend and resume Auto Scaling group processes during CloudFormation stack creation.

File: uipath-sf.template.yaml
  • autoscaling:ResumeProcesses
  • autoscaling:SuspendProcesses
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:PutLogEvents

FindAmiLambdaRole

This role is used by the FindAMIFunction Lambda function.

File: uipath-sf.template.yaml
  • ec2:DescribeImages
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:PutLogEvents
  • xray:PutTraceSegments

CreateInputJsonLambdaRole

This role is used by the CreateInputJsonFunction Lambda function, which creates the configuration file for the Automation Suite installation.

File: uipath-sf.template.yaml
  • secretsmanager:GetSecretValue
  • secretsmanager:PutSecretValue
  • autoscaling:DescribeAutoScalingGroups
  • autoscaling:DescribeAutoScalingInstances
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:PutLogEvents
  • xray:PutTraceSegments
  • ec2:DescribeImages
  • ec2:DescribeInstanceTypes
  • ec2:DescribeInstanceTypeOfferings

ComputeResourceSizeLambdaRole

This role is used by the ComputeResourceSizeFunction Lambda function, which validates that the requested resources meet the hardware requirements.

File: uipath-sf.template.yaml
  • autoscaling:DescribeAutoScalingGroups
  • autoscaling:DescribeAutoScalingInstances
  • ec2:DescribeInstances
  • ec2:DescribeInstanceTypeOfferings
  • ec2:DescribeInstanceTypes
  • ec2:DescribeImages
  • ec2:RunInstances
  • ec2:CreateTags
  • cloudformation:DescribeStacks
  • logs:CreateLogGroup
  • logs:CreateLogStream
  • logs:PutLogEvents
  • xray:PutTraceSegments

Table 2. IAM policies
Policy | Actions

LogsAccessPolicy

Policy for CloudWatch Logs, CloudWatch metrics and X-Ray trace access.

  • logs:PutLogEvents
  • logs:DescribeLogStreams
  • logs:DescribeLogGroups
  • logs:CreateLogStream
  • logs:CreateLogGroup
  • cloudwatch:PutMetricData
  • xray:PutTraceSegments

LifecycleHookActionsPolicy

Policy for completing Auto Scaling lifecycle hook actions.

  • autoscaling:CompleteLifecycleAction

Ec2QueryPolicy

Policy for read-only (Describe) access to EC2 and Auto Scaling.

  • ec2:DescribeVolumes
  • ec2:DescribeTags
  • ec2:DescribeInstances
  • autoscaling:DescribeAutoScalingInstances
  • autoscaling:DescribeAutoScalingGroups
  • ec2:DescribeImages
  • ec2:DescribeInstanceTypes
  • ec2:DescribeInstanceTypeOfferings

QuickstartS3IAMPolicy

Policy for read access to the Quick Start S3 bucket.

  • s3:GetObject

InputJsonSecretPolicy

Policy for read and write access to the Secrets Manager secret that stores the installation input JSON.

  • secretsmanager:GetSecretValue
  • secretsmanager:PutSecretValue

KubeconfigSecretPolicy

Policy for read and write access to the Secrets Manager secret that stores the cluster kubeconfig.

  • secretsmanager:GetSecretValue
  • secretsmanager:PutSecretValue

InstallerDownloadUrlParameterPolicy

Policy for reading the SSM parameter that holds the installer download URL.

  • ssm:GetParameter

ExternalStorageAccessPolicy

Policy for access to the external object storage (S3) buckets. The entries containing an asterisk are IAM action wildcards: for example, s3:*Object matches every S3 action whose name ends in Object (s3:GetObject, s3:PutObject, s3:DeleteObject and so on), including actions AWS introduces later, so the effective grant is wider than the explicit entries suggest. Note also that the policy grants bucket-level configuration changes (s3:PutBucketPolicy, s3:DeleteBucketPolicy, s3:PutBucketAcl, s3:PutBucketCORS), and that s3:ListAllMyBuckets applies to every bucket in the account.

  • s3:GetBucketAcl
  • s3:GetBucketCORS
  • s3:GetBucketLocation
  • s3:GetBucketNotification
  • s3:GetBucketPolicy
  • s3:PutBucketPolicy
  • s3:DeleteBucketPolicy
  • s3:GetBucketVersioning
  • s3:ListBucket
  • s3:ListBucketMultipartUploads
  • s3:PutBucketAcl
  • s3:PutBucketCORS
  • s3:*Object
  • s3:*ObjectAcl
  • s3:*ObjectAttributes
  • s3:*ObjectVersion
  • s3:*ObjectVersionTagging
  • s3:AbortMultipartUpload
  • s3:ListMultipartUploadParts
  • s3:ListAllMyBuckets
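As a practical check on two points raised above, the AmazonSSMFullAccess grant on AutomationAssumeRole and StateMachinesAssumeRole, and the wildcard actions such as s3:*Object in ExternalStorageAccessPolicy, the following Python script audits a role record against the documented action list, expands each wildcard to the concrete actions it matches, and flags broad managed policies. It is an added example and not part of the UiPath templates or the Quick Start repositories. The sample roles, the S3 action vocabulary and the BROAD_MANAGED_POLICIES set are constructed for illustration, and the role record format is an assumption that mirrors the output of aws iam get-role-policy and aws iam list-attached-role-policies.

```python
"""Offline audit of IAM role records against a documented action list.

Added example, not part of the UiPath CloudFormation templates. The role records
below are constructed to mirror the shape of `aws iam get-role-policy` and
`aws iam list-attached-role-policies` output; the S3 action vocabulary is a
hand-picked subset used only to expand wildcards without network access.
"""
import fnmatch
import json

# Constructed subset of the S3 action vocabulary; a real audit would load the
# full service action list instead of this sample.
S3_VOCABULARY = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:RestoreObject",
    "s3:GetObjectAcl", "s3:PutObjectAcl", "s3:GetObjectVersion",
    "s3:DeleteObjectVersion", "s3:ListBucket", "s3:PutBucketPolicy",
    "s3:DeleteBucket", "s3:PutBucketPublicAccessBlock",
]

# Managed policies the page itself calls out as granting full service access.
BROAD_MANAGED_POLICIES = {"arn:aws:iam::aws:policy/AmazonSSMFullAccess"}

# ExternalStorageAccessPolicy actions as documented in Table 2 (a subset is enough
# for the sample role; paste the full list when auditing a real stack).
EXTERNAL_STORAGE_DOCUMENTED = {
    "s3:GetBucketAcl", "s3:GetBucketLocation", "s3:GetBucketPolicy",
    "s3:PutBucketPolicy", "s3:DeleteBucketPolicy", "s3:ListBucket",
    "s3:*Object", "s3:*ObjectAcl", "s3:*ObjectVersion",
    "s3:AbortMultipartUpload", "s3:ListAllMyBuckets",
}


def expand_actions(pattern, vocabulary=S3_VOCABULARY):
    """Return the concrete actions an IAM action pattern matches.

    IAM evaluates action names case-insensitively and supports * and ? wildcards,
    so a plain name maps to itself and a pattern is matched against the vocabulary.
    """
    if "*" not in pattern and "?" not in pattern:
        return {pattern}
    return {a for a in vocabulary if fnmatch.fnmatchcase(a.lower(), pattern.lower())}


def allow_action_patterns(policy_document):
    """Yield every Action entry from the Allow statements of a policy document.

    Accepts a dict or a JSON string; Statement and Action may each be a single
    value or a list. NotAction statements are not handled here.
    """
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = doc["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        yield from ([actions] if isinstance(actions, str) else actions)


def audit_role(role, documented_patterns):
    """Compare one role record with the documented action list.

    role: {"inline_policies": {name: policy_document}, "attached_policies": [arn, ...]}
    Returns the inline actions missing from the documented list, the concrete
    expansion of every wildcard pattern, and any attached managed policy that is
    in BROAD_MANAGED_POLICIES.
    """
    documented = {p.lower() for p in documented_patterns}
    undocumented, expansions = set(), {}
    for doc in role.get("inline_policies", {}).values():
        for pattern in allow_action_patterns(doc):
            if pattern.lower() not in documented:
                undocumented.add(pattern)
            if "*" in pattern or "?" in pattern:
                expansions[pattern] = sorted(expand_actions(pattern))
    return {
        "undocumented": undocumented,
        "wildcard_expansions": expansions,
        "broad_managed_policies": set(role.get("attached_policies", [])) & BROAD_MANAGED_POLICIES,
    }


# Constructed sample roles. The first carries one action (s3:DeleteBucket) that is
# not on the documented list, to show how drift from the template is reported.
SAMPLE_ROLES = {
    "ServiceFabricIamRole": {
        "inline_policies": {
            "ExternalStorageAccessPolicy": json.dumps({
                "Version": "2012-10-17",
                "Statement": [{
                    "Effect": "Allow",
                    "Action": ["s3:GetBucketAcl", "s3:ListBucket", "s3:*Object",
                               "s3:PutBucketPolicy", "s3:DeleteBucket"],
                    "Resource": "*",
                }],
            }),
        },
        "attached_policies": ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"],
    },
    "StateMachinesAssumeRole": {
        "inline_policies": {},
        "attached_policies": ["arn:aws:iam::aws:policy/AmazonSSMFullAccess"],
    },
}

if __name__ == "__main__":
    for name, role in SAMPLE_ROLES.items():
        documented = EXTERNAL_STORAGE_DOCUMENTED if name == "ServiceFabricIamRole" else set()
        print(name, audit_role(role, documented))
```

To audit a deployed stack, list its AWS::IAM::Role resources with aws cloudformation list-stack-resources, fetch each role's inline policies with aws iam list-role-policies and aws iam get-role-policy and its managed policies with aws iam list-attached-role-policies, then replace the constructed SAMPLE_ROLES with that data and S3_VOCABULARY with the full S3 action list. A non-empty undocumented set means the deployed role has drifted from the lists on this page; a non-empty broad_managed_policies set is the full-SSM-access grant to review.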
