This repository has been archived by the owner on Mar 5, 2021. It is now read-only.
<!DOCTYPE html>
<html>
<head>
<title>Credulous FAQs</title>
<link rel="stylesheet" href="main.css">
</head>
<body class="mainpage">
<div class="header">
<h1 class="headerh1">Credulous FAQs</h1>
</div>
<div id="wrapper">
<a href="index.html">Home</a>
<h2>Implementation Questions</h2>
<h3>What AWS rights are required for Credulous?</h3>
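<p id="para"><strong>Saving and sourcing credentials:</strong>
Credulous needs to be able to find out the IAM username and
AWS account alias (if one is set), in order to save or source
the current credentials without the use of the
<code>--force</code> option. This corresponds to an IAM policy
like the one below. The <code>Version</code> element is required for the
<code>${aws:username}</code> policy variable to be expanded, and
<code>iam:ListAccountAliases</code> does not support resource-level
permissions, so it is granted on <code>*</code> in its own statement:</p>
<p id="para"><pre>
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermitUserSeeOwnDetails",
      "Action": [
        "iam:GetUser",
        "iam:ListAccessKeys"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "PermitSeeAccountAlias",
      "Action": "iam:ListAccountAliases",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
</pre></p>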
<p id="para"><strong>Rotating credentials:</strong>
For Credulous to be able to rotate your credentials, your IAM
user needs to have the rights to create and delete your own
Access Keys. This corresponds to an IAM policy that looks like:</p>
<p id="para"><pre>
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageOwnAccessKeys",
      "Action": [
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:ListAccessKeys"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    }
  ]
}
</pre></p>
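<p id="para">The following check is an added example, not part of Credulous: it audits a policy document for the properties the two policies above rely on, namely that key-management actions stay scoped to <code>user/${aws:username}</code> and that policy variables are actually expanded. The function name <code>audit_policy</code> and the sample policy are constructed for illustration.</p>

```python
import json
from fnmatch import fnmatchcase

# Actions from this page's policies that should only ever apply to the caller's own user.
SELF_SCOPED = ["iam:GetUser", "iam:ListAccessKeys",
               "iam:CreateAccessKey", "iam:DeleteAccessKey"]
OWN_USER_SUFFIX = ":user/${aws:username}"


def as_list(value):
    """Action, Resource and Statement may each be a single item or a list."""
    return list(value) if isinstance(value, list) else [value]


def matches(pattern, action):
    """IAM action names are case-insensitive and may contain * and ? wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy_json):
    """Return findings for a self-service credential policy (empty list = clean)."""
    policy = json.loads(policy_json)
    findings = []
    # Without Version 2012-10-17, ${aws:username} is treated as a literal string.
    if "${" in policy_json and policy.get("Version") != "2012-10-17":
        findings.append("policy variables require Version 2012-10-17")
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = as_list(stmt.get("Resource", []))
        for pattern in as_list(stmt.get("Action", [])):
            for action in SELF_SCOPED:
                if not matches(pattern, action):
                    continue
                for res in resources:
                    if not res.endswith(OWN_USER_SUFFIX):
                        findings.append(f"{sid}: {action} allowed on {res}")
            if matches(pattern, "iam:ListAccountAliases") and "*" not in resources:
                findings.append(f"{sid}: iam:ListAccountAliases needs Resource *")
    return findings


# Constructed sample: rotation rights granted on every user instead of the caller only.
TOO_BROAD = """{"Statement": [{"Sid": "ManageAccessKeys", "Effect": "Allow",
  "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey"],
  "Resource": "arn:aws:iam::*:user/*"}]}"""

if __name__ == "__main__":
    for finding in audit_policy(TOO_BROAD):
        print(finding)
```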
</div>
</body>
</html>