
Use IAM role instead of user credentials

AWS-based customers can configure Tower to interact with other AWS Services like Batch using an IAM Role rather than providing IAM User credentials.

Note

This feature requires Tower v21.06 or later.

Configure the Tower IAM Policy

Assumptions in Provided Policies

The provided policies were designed with certain assumptions:

  1. IAM Policy: Tower and Nextflow should have full access to the identified S3 Buckets.
  2. Trust Policy: The Role should be assumable by EC2, ECS, EKS, and only specifically-named IAM actors.

You may wish to limit S3 access to specific prefixes, and/or Role assumption to more specific Platforms.

Create a custom IAM Policy (Tower-Role-Policy.json).

Tower-Role-Policy.json:
 {
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "TowerForgePermissions",
             "Effect": "Allow",
             "Action": [
                 "ssm:GetParameters",
                 "iam:CreateInstanceProfile",
                 "iam:DeleteInstanceProfile",
                 "iam:GetRole",
                 "iam:RemoveRoleFromInstanceProfile",
                 "iam:CreateRole",
                 "iam:DeleteRole",
                 "iam:AttachRolePolicy",
                 "iam:PutRolePolicy",
                 "iam:AddRoleToInstanceProfile",
                 "iam:PassRole",
                 "iam:DetachRolePolicy",
                 "iam:ListAttachedRolePolicies",
                 "iam:DeleteRolePolicy",
                 "iam:ListRolePolicies",
                 "batch:CreateComputeEnvironment",
                 "batch:DescribeComputeEnvironments",
                 "batch:CreateJobQueue",
                 "batch:DescribeJobQueues",
                 "batch:UpdateComputeEnvironment",
                 "batch:DeleteComputeEnvironment",
                 "batch:UpdateJobQueue",
                 "batch:DeleteJobQueue",
                 "fsx:DeleteFileSystem",
                 "fsx:DescribeFileSystems",
                 "fsx:CreateFileSystem",
                 "ec2:DescribeSecurityGroups",
                 "ec2:DescribeAccountAttributes",
                 "ec2:DescribeSubnets",
                 "ec2:DescribeLaunchTemplates",
                 "ec2:DescribeLaunchTemplateVersions",
                 "ec2:CreateLaunchTemplate",
                 "ec2:DeleteLaunchTemplate",
                 "ec2:DescribeKeyPairs",
                 "ec2:DescribeVpcs",
                 "ec2:DescribeInstanceTypeOfferings",
                 "elasticfilesystem:DescribeMountTargets",
                 "elasticfilesystem:CreateMountTarget",
                 "elasticfilesystem:CreateFileSystem",
                 "elasticfilesystem:DescribeFileSystems",
                 "elasticfilesystem:DeleteMountTarget",
                 "elasticfilesystem:DeleteFileSystem",
                 "elasticfilesystem:UpdateFileSystem",
                 "elasticfilesystem:PutLifecycleConfiguration"
             ],
             "Resource": "*"
         },
         {
             "Sid": "TowerLaunchPermissions",
             "Effect": "Allow",
             "Action": [
                 "batch:DescribeJobQueues",
                 "batch:CancelJob",
                 "batch:SubmitJob",
                 "batch:ListJobs",
                 "batch:DescribeComputeEnvironments",
                 "batch:TerminateJob",
                 "batch:DescribeJobs",
                 "batch:RegisterJobDefinition",
                 "batch:DescribeJobDefinitions",
                 "ecs:DescribeTasks",
                 "ec2:DescribeInstances",
                 "ec2:DescribeInstanceTypes",
                 "ec2:DescribeInstanceAttribute",
                 "ecs:DescribeContainerInstances",
                 "ec2:DescribeInstanceStatus",
                 "ec2:DescribeImages",
                 "logs:Describe*",
                 "logs:Get*",
                 "logs:List*",
                 "logs:StartQuery",
                 "logs:StopQuery",
                 "logs:TestMetricFilter",
                 "logs:FilterLogEvents"
             ],
             "Resource": "*"
         },
         {
             "Sid": "BucketPolicy01",
             "Effect": "Allow",
             "Action": [
                 "s3:ListAllMyBuckets",
                 "s3:ListBucket",
                 "s3:GetBucketLocation"
             ],
             "Resource": [
                 "*"
             ]
         },
         {
             "Sid": "BucketPolicy02",
             "Effect": "Allow",
             "Action": [
                 "s3:*Object*"
             ],
             "Resource": [
                 "arn:aws:s3:::YOUR-BUCKET-01/*",
                 "arn:aws:s3:::YOUR-BUCKET-02/*"
             ]
         }
     ]
 }
  1. Modify BucketPolicy01 and BucketPolicy02 with the name(s) of your S3 Buckets.
  2. Revise (if necessary) the scope of access to a specific prefix in the S3 bucket(s).

Modify the Tower IAM Role Trust Policy (Optional)

Review and modify the Role Trust Policy (Tower-Role-Trust-Policy.json).

Tower-Role-Trust-Policy.json:
 {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Service": "ec2.amazonaws.com"
         },
         "Action": "sts:AssumeRole"
       },
       {
         "Effect": "Allow",
         "Principal": {
           "Service": "ecs-tasks.amazonaws.com"
         },
         "Action": "sts:AssumeRole"
       },
       {
         "Effect": "Allow",
         "Principal": {
           "Service": "eks.amazonaws.com"
         },
         "Action": "sts:AssumeRole"
       },
       {
         "Sid": "AllowEc2AssumeRole",
         "Effect": "Allow",
         "Principal": {
           "AWS": "arn:aws:iam::YOUR-AWS-ACCOUNT:USER-OR-ROLE/USER-OR-ROLE-ID"
         },
         "Action": "sts:AssumeRole"
       }
     ]
 }
  1. Replace YOUR-AWS-ACCOUNT with your own AWS Account Id.

  2. Specify the Users and/or Roles able to assume the Tower IAM Role.
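The two documents above are templates: the bucket names and the assuming principal are placeholders, and the S3 grants are deliberately broad. The following Python script is an added example (not part of the Tower documentation or the Seqera project) that lints both files before they are passed to `aws iam create-role` / `put-role-policy`: it reports placeholders that were not replaced, S3 object actions granted on `Resource "*"`, service principals outside the EC2/ECS/EKS set the trust policy assumes, and account-wide (`:root` or `*`) principals where a named user or role is expected. It also builds the prefix-scoped replacement for the `ListBucket` grant and `BucketPolicy02` that the text suggests. The function names, the abbreviated template copies (`TEMPLATE_POLICY`, `TEMPLATE_TRUST`) and the sample bucket/role names are constructed for this example.

```python
"""Pre-flight checks for Tower-Role-Policy.json and Tower-Role-Trust-Policy.json.

Added example, not the Tower docs' or the Seqera project's own code. It assumes
the statement layout and Sids used on this page; everything else is constructed.
"""
import json
import re
from typing import Any, Dict, List

# Placeholders used by the templates on this page; none may survive deployment.
PLACEHOLDER = re.compile(r"YOUR-[A-Z0-9-]+|USER-OR-ROLE(?:-ID)?")

# Service principals the trust-policy template is designed for.
EXPECTED_SERVICES = {"ec2.amazonaws.com", "ecs-tasks.amazonaws.com", "eks.amazonaws.com"}


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a single string or a list for Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]


def _placeholders(doc: Any) -> List[str]:
    """Every template placeholder still present anywhere in a policy document."""
    return sorted(set(PLACEHOLDER.findall(json.dumps(doc))))


def lint_role_policy(policy: Dict[str, Any]) -> List[str]:
    """Findings for the permission policy (Tower-Role-Policy.json)."""
    findings = [f"placeholder not replaced: {p}" for p in _placeholders(policy)]
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        sid = stmt.get("Sid", "<no Sid>")
        # Object-level S3 actions on "*" reach every bucket in the account and
        # defeat the point of BucketPolicy02, which names specific buckets.
        if "*" in resources and any("object" in a.lower() for a in actions):
            findings.append(f'{sid}: S3 object actions granted on Resource "*"')
    return findings


def lint_trust_policy(trust: Dict[str, Any]) -> List[str]:
    """Findings for the trust policy (Tower-Role-Trust-Policy.json)."""
    findings = [f"placeholder not replaced: {p}" for p in _placeholders(trust)]
    for stmt in trust.get("Statement", []):
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("role assumable by any principal")
            continue
        for svc in _as_list(principal.get("Service", [])):
            if svc not in EXPECTED_SERVICES:
                findings.append(f"unexpected service principal: {svc}")
        for arn in _as_list(principal.get("AWS", [])):
            # ":root" delegates to every IAM entity in that account that holds
            # sts:AssumeRole on this role; the page asks for named users/roles.
            if arn == "*" or arn.endswith(":root"):
                findings.append(f"account-wide principal instead of a named user/role: {arn}")
    return findings


def scoped_s3_statements(bucket: str, prefix: str) -> List[Dict[str, Any]]:
    """Replace the ListBucket grant and BucketPolicy02 with one-prefix access."""
    prefix = prefix.strip("/")
    return [
        {
            "Sid": "BucketPolicy01Scoped",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": f"arn:aws:s3:::{bucket}",
            # ListBucket is bucket-level; the s3:prefix condition stops listings
            # from exposing keys outside the work directory.
            "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*", prefix]}},
        },
        {
            "Sid": "BucketPolicy02Scoped",
            "Effect": "Allow",
            "Action": ["s3:*Object*"],
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
        },
    ]


def filled(doc: Dict[str, Any], replacements: Dict[str, str]) -> Dict[str, Any]:
    """Substitute placeholders by text replacement over the serialised document."""
    text = json.dumps(doc)
    for old, new in replacements.items():
        text = text.replace(old, new)
    return json.loads(text)


# Constructed, abbreviated copies of the two templates above (placeholders intact).
TEMPLATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BucketPolicy01", "Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": ["*"]},
        {"Sid": "BucketPolicy02", "Effect": "Allow", "Action": ["s3:*Object*"],
         "Resource": ["arn:aws:s3:::YOUR-BUCKET-01/*", "arn:aws:s3:::YOUR-BUCKET-02/*"]},
    ],
}
TEMPLATE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"},
        {"Sid": "AllowEc2AssumeRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::YOUR-AWS-ACCOUNT:USER-OR-ROLE/USER-OR-ROLE-ID"},
         "Action": "sts:AssumeRole"},
    ],
}

if __name__ == "__main__":
    print("template policy:", lint_role_policy(TEMPLATE_POLICY))
    print("template trust: ", lint_trust_policy(TEMPLATE_TRUST))
    print(json.dumps(scoped_s3_statements("acme-nf-work", "/work/"), indent=2))
```

Run it against the real files with `lint_role_policy(json.load(open("Tower-Role-Policy.json")))` once the placeholders are filled; an empty list from both linters is the condition for proceeding to the `aws iam` commands in the next section. `GetBucketLocation` and `ListAllMyBuckets` are intentionally left in the original `BucketPolicy01`: an `s3:prefix` condition attached to actions that never carry that key would evaluate to false and silently deny them.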

Create the IAM Artefacts

Create the IAM Artefacts in your AWS Account.

  1. Navigate to the folder containing your configured IAM documents:

    cd <FOLDER_WITH_YOUR_CONFIGURED_IAM_DOCUMENTS>
    

  2. Create the Role:

    aws iam create-role --role-name Tower-Role --assume-role-policy-document file://Tower-Role-Trust-Policy.json
    

  3. Create an inline policy for the Role:

    aws iam put-role-policy --role-name Tower-Role --policy-name Tower-Role-Policy --policy-document file://Tower-Role-Policy.json
    

  4. Create an instance profile:

    aws iam create-instance-profile --instance-profile-name Tower-Instance
    

  5. Bind the Role to the instance profile:

    aws iam add-role-to-instance-profile --instance-profile-name Tower-Instance --role-name Tower-Role
    

Configure the Tower Application

With the IAM artefacts complete, update your Tower application configuration:

  1. Add the following entry to your tower.env:

    TOWER_ALLOW_INSTANCE_CREDENTIALS=true
    

  2. Restart the Tower application.

  3. Verify that the change took effect by querying the Tower instance service-info endpoint:

    curl -X GET "https://YOUR-TOWER-DOMAIN/api/service-info" -H "Accept: application/json" | jq ".serviceInfo.allowInstanceCredentials"
    

  4. Log in to Tower and create a new AWS credential. You are now prompted for an AWS ARN instead of access keys.

    Before Change: [screenshot of the credential form]

    After Change: [screenshot of the credential form]
