Skip to main content

Granting AWS access to nullplatform

Nullplatform uses the AWS API to interact with AWS services and supports various methods to establish secure interaction with AWS.

Required Users/Roles

Nullplatform divides responsibilities into three distinct parts, each requiring specific users or roles:

  • Application Management: This component handles the creation of AWS components during application creation or import. The most critical creation is the ECR repository.
  • Telemetry: Responsible for processing logs and metrics, communicating with AWS CloudWatch.
  • Scope & Deployment Manager: Controls scope and deployment, communicating with AWS EC2, Lambda, and Elastic Load Balancing APIs.

Access Key & Secret Key

warning

While this method is simple, it is NOT recommended, please try cross-account roles instead.

The simplest way to configure nullplatform's communication with the AWS API is by creating AWS users and generating API credentials for each user.

To configure this authentication mode, the required NRN keys are as follows:

  • Application Management:

    • aws.application_workflow_access_key
    • aws.application_workflow_secret_access_key

  • Telemetry:

    • aws.log_reader_access_key
    • aws.log_reader_secret_access_key

  • Scope & Deployment Manager:

    • aws.region
    • aws.scope_workflow_access_key
    • aws.scope_workflow_secret_access_key

Cross-Account Roles (recommended)

In this approach, instead of using keys and secrets, nullplatform employs Amazon roles. These roles allow you to grant access to specific resources in another AWS account, ensuring that only authorized services (such as nullplatform instances) can connect to AWS.

Nullplatform defines unique roles for each component, which need to be trusted in your AWS account. The roles are as follows:

ComponentNullplatform Role
Application Managementarn:aws:iam::283477532906:role/application_manager
Telemetryarn:aws:iam::283477532906:role/telemetry_manager
Scope & Deployment Managerarn:aws:iam::283477532906:role/scope_and_deploy_manager

To configure this authentication mode, the required NRN keys are:

  • Application Management:

    • aws.application_workflow_role
    • (optional) aws.application_workflow_role_external_id

  • Telemetry:

    • aws.log_reader_role
    • (optional) aws.log_reader_role_external_id

  • Scope & Deployment Manager:

    • aws.scope_workflow_role
    • (optional) aws.scope_workflow_role_external_id

In all cases, the role is configured in your AWS account.

Granting access to multiple AWS accounts using an intermediate role

In scenarios involving multiple AWS accounts, an intermediate role can be used. Nullplatform first authenticates with the intermediate role, and then uses that role to authenticate with the required component role.

To configure this authentication mode, the required NRN keys are:

  • Application Management:

    • aws.application_workflow_role
    • aws.application_workflow_intermediate_role
    • (optional) aws.application_workflow_role_external_id
    • (optional) aws.application_workflow_intermediate_role_external_id

  • Telemetry:

    • aws.log_reader_role
    • aws.log_reader_intermediate_role
    • (optional) aws.log_reader_role_external_id
    • (optional) aws.log_reader_intermediate_role_external_id

  • Scope & Deployment Manager:

    • aws.scope_workflow_role
    • aws.scope_workflow_intermediate_role
    • (optional) aws.scope_workflow_role_external_id
    • (optional) aws.scope_workflow_intermediate_role_external_id

In all cases, the roles are configured in your AWS account.

Required permissions for each role/user

When a new nullplatform account is set up, our team configures these permissions:

  • Application management

    • ECR
      • ecr-public:BatchCheckLayerAvailability
      • ecr-public:PutImage
      • ecr-public:CompleteLayerUpload
      • ecr-public:UploadLayerPart
      • ecr-public:InitiateLayerUpload
      • ecr:GetDownloadUrlForLayer
      • ecr:BatchGetImage
      • ecr:CompleteLayerUpload
      • ecr:UploadLayerPart
      • ecr:InitiateLayerUpload
      • ecr:BatchCheckLayerAvailability
      • ecr:PutImage
      • ecr:CreateRepository
      • sts:GetServiceBearerToken
      • ecr:GetAuthorizationToken
      • ecr-public:GetAuthorizationToken

  • Telemetry:

    • ec2:DescribeInstances
    • cloudwatch:GetMetricData
    • cloudwatch:ListMetrics
    • logs:Describe*
    • logs:Get*
    • logs:List*
    • logs:StartQuery
    • logs:StopQuery
    • logs:TestMetricFilter
    • logs:FilterLogEvents

  • Scope & Deployment manager:

    • Lambda

      • lambda:CreateFunction
      • lambda:DeleteProvisionedConcurrencyConfig
      • lambda:GetFunctionConfiguration
      • lambda:ListProvisionedConcurrencyConfigs
      • lambda:GetProvisionedConcurrencyConfig
      • lambda:ListLayers
      • lambda:ListLayerVersions
      • lambda:DeleteFunction
      • lambda:GetAlias
      • lambda:ListCodeSigningConfigs
      • lambda:UpdateFunctionUrlConfig
      • lambda:CreateFunctionUrlConfig
      • lambda:UpdateFunctionEventInvokeConfig
      • lambda:DeleteFunctionCodeSigningConfig
      • lambda:InvokeFunctionUrl
      • lambda:ListFunctions
      • lambda:GetEventSourceMapping
      • apigateway:*
      • lambda:ListAliases
      • lambda:GetFunctionUrlConfig
      • lambda:GetFunctionCodeSigningConfig
      • lambda:UpdateAlias
      • lambda:UpdateFunctionCode
      • lambda:ListFunctionEventInvokeConfigs
      • lambda:PutRuntimeManagementConfig
      • lambda:ListFunctionsByCodeSigningConfig
      • lambda:GetFunctionConcurrency
      • lambda:PutProvisionedConcurrencyConfig
      • lambda:ListEventSourceMappings
      • lambda:PublishVersion
      • lambda:DeleteEventSourceMapping
      • lambda:CreateAlias
      • lambda:ListVersionsByFunction
      • lambda:GetLayerVersion
      • lambda:PublishLayerVersion
      • lambda:GetAccountSettings
      • lambda:CreateEventSourceMapping
      • lambda:GetLayerVersionPolicy
      • lambda:PutFunctionConcurrency
      • lambda:DeleteCodeSigningConfig
      • lambda:ListTags
      • lambda:AddPermission
      • lambda:TagResource
      • lambda:GetRuntimeManagementConfig
      • lambda:DeleteLayerVersion
      • lambda:PutFunctionEventInvokeConfig
      • lambda:DeleteFunctionEventInvokeConfig
      • lambda:CreateCodeSigningConfig
      • lambda:PutFunctionCodeSigningConfig
      • lambda:UpdateEventSourceMapping
      • lambda:UpdateFunctionCodeSigningConfig
      • lambda:GetFunction
      • lambda:UpdateFunctionConfiguration
      • lambda:ListFunctionUrlConfigs
      • lambda:UpdateCodeSigningConfig
      • lambda:GetFunctionEventInvokeConfig
      • lambda:DeleteAlias
      • lambda:DeleteFunctionConcurrency
      • lambda:GetCodeSigningConfig
      • lambda:DeleteFunctionUrlConfig
      • lambda:GetPolicy

    • Balancer

      • ec2:DescribeAccountAttributes
      • ec2:DescribeAddresses
      • ec2:DescribeInternetGateways
      • ec2:DescribeSecurityGroups
      • ec2:DescribeSubnets
      • ec2:DescribeVpcs
      • ec2:DescribeVpcClassicLink
      • ec2:DescribeInstances
      • ec2:DescribeNetworkInterfaces
      • ec2:DescribeClassicLinkInstances
      • ec2:DescribeRouteTables
      • ec2:DescribeCoipPools
      • ec2:GetCoipPoolUsage
      • ec2:DescribeVpcPeeringConnections
      • cognito-idp:DescribeUserPoolClient
      • arc-zonal-shift:*

    • Autoscaling

      • ec2:DescribeAccountAttributes
      • ec2:DescribeAvailabilityZones
      • ec2:DescribeImages
      • ec2:DescribeInstanceAttribute
      • ec2:DescribeInstances
      • ec2:DescribeKeyPairs
      • ec2:DescribeLaunchTemplateVersions
      • ec2:DescribePlacementGroups
      • ec2:DescribeSecurityGroups
      • ec2:DescribeSpotInstanceRequests
      • ec2:DescribeSubnets
      • ec2:DescribeVpcClassicLink
      • ec2:RunInstances
      • ec2:CreateTags
      • ec2:CreateLaunchTemplate
      • ec2:CreateLaunchTemplateVersion
      • ec2:DeleteLaunchTemplate
      • ec2:DeleteLaunchTemplateVersions
      • ec2:DeleteTags

    • Route53

      • route53:CreateHostedZone
      • route53:ChangeResourceRecordSets
      • route53:ListResourceRecordSets
      • route53domains:*

    • ECR

      • ecr:DescribeImages
      • ecr:DescribeRegistry
      • ecr:DescribeRepositories
      • ecr:GetDownloadUrlForLayer
      • ecr:ListImages
      • ecr:GetAuthorizationToken
      • ecr:BatchGetImage

    • S3 (for parameters)

      • s3:PutObject
      • s3:PutObjectAcl
      • s3:PutObjectVersionAcl
      • s3:PutObject
      • s3:PutObjectAcl
      • s3:PutObjectVersionAcl
      • s3:GetObject

    • Secrets (for parameters)

      • secretsmanager:GetSecretValue