Skip to content

Use IAM role instead of user credentials

Note

This feature requires Tower 21.06.0 or later.

AWS-based customers can configure Tower to interact with other AWS Services like Batch using an IAM Role rather than providing IAM User credentials.

Configure the Tower IAM policy#

Assumptions in Provided Policies

The provided policies were designed with certain assumptions:

  1. IAM Policy: Tower and Nextflow should have whole access to identified S3 Buckets.
  2. Trust Policy: The Role should be assumable by EC2, ECS, EKS, and only specifically-named IAM actors.

You may wish to limit S3 access to specific prefixes, and/or Role assumption to more specific Platforms.

Create a custom IAM Policy (Tower-Role-Policy.json).

Click to view custom Tower-Role-Policy.json 
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
 {
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "TowerForgePermissions",
             "Effect": "Allow",
             "Action": [
                 "ssm:GetParameters",
                 "iam:CreateInstanceProfile",
                 "iam:DeleteInstanceProfile",
                 "iam:GetRole",
                 "iam:RemoveRoleFromInstanceProfile",
                 "iam:CreateRole",
                 "iam:DeleteRole",
                 "iam:AttachRolePolicy",
                 "iam:PutRolePolicy",
                 "iam:AddRoleToInstanceProfile",
                 "iam:PassRole",
                 "iam:DetachRolePolicy",
                 "iam:ListAttachedRolePolicies",
                 "iam:DeleteRolePolicy",
                 "iam:ListRolePolicies",
                 "batch:CreateComputeEnvironment",
                 "batch:DescribeComputeEnvironments",
                 "batch:CreateJobQueue",
                 "batch:DescribeJobQueues",
                 "batch:UpdateComputeEnvironment",
                 "batch:DeleteComputeEnvironment",
                 "batch:UpdateJobQueue",
                 "batch:DeleteJobQueue",
                 "fsx:DeleteFileSystem",
                 "fsx:DescribeFileSystems",
                 "fsx:CreateFileSystem",
                 "ec2:DescribeSecurityGroups",
                 "ec2:DescribeAccountAttributes",
                 "ec2:DescribeSubnets",
                 "ec2:DescribeLaunchTemplates",
                 "ec2:DescribeLaunchTemplateVersions",
                 "ec2:CreateLaunchTemplate",
                 "ec2:DeleteLaunchTemplate",
                 "ec2:DescribeKeyPairs",
                 "ec2:DescribeVpcs",
                 "ec2:DescribeInstanceTypeOfferings",
                 "elasticfilesystem:DescribeMountTargets",
                 "elasticfilesystem:CreateMountTarget",
                 "elasticfilesystem:CreateFileSystem",
                 "elasticfilesystem:DescribeFileSystems",
                 "elasticfilesystem:DeleteMountTarget",
                 "elasticfilesystem:DeleteFileSystem",
                 "elasticfilesystem:UpdateFileSystem",
                 "elasticfilesystem:PutLifecycleConfiguration"
             ],
             "Resource": "*"
         },
         {
             "Sid": "TowerLaunchPermissions",
             "Effect": "Allow",
             "Action": [
                 "batch:DescribeJobQueues",
                 "batch:CancelJob",
                 "batch:SubmitJob",
                 "batch:ListJobs",
                 "batch:DescribeComputeEnvironments",
                 "batch:TerminateJob",
                 "batch:DescribeJobs",
                 "batch:RegisterJobDefinition",
                 "batch:DescribeJobDefinitions",
                 "ecs:DescribeTasks",
                 "ec2:DescribeInstances",
                 "ec2:DescribeInstanceTypes",
                 "ec2:DescribeInstanceAttribute",
                 "ecs:DescribeContainerInstances",
                 "ec2:DescribeInstanceStatus",
                 "ec2:DescribeImages",
                 "logs:Describe*",
                 "logs:Get*",
                 "logs:List*",
                 "logs:StartQuery",
                 "logs:StopQuery",
                 "logs:TestMetricFilter",
                 "logs:FilterLogEvents"
             ],
             "Resource": "*"
         },
         {
             "Sid": "BucketPolicy01",
             "Effect": "Allow",
             "Action": [
                 "s3:ListAllMyBuckets",
                 "s3:ListBucket",
                 "s3:GetBucketLocation"
             ],
             "Resource": [
                 "*"
             ]
         },
         {
             "Sid": "BucketPolicy02",
             "Effect": "Allow",
             "Action": [
                 "s3:*Object*"
             ],
             "Resource": [
                 "arn:aws:s3:::YOUR-BUCKET-01/*",
                 "arn:aws:s3:::YOUR-BUCKET-02/*"
             ]
         }
     ]
 }
  1. Modify BucketPolicy01 and BucketPolicy02 with the name(s) of the your S3 Buckets.
  2. Revise (if necessary) the scope of access to a specific prefix in the S3 bucket(s).

Modify the Tower IAM Role Trust Policy (optional)#

Review and modify the Role Trust Policy (Tower-Role-Trust-Policy.json).

Click to view Tower-Role-Trust-Policy 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
 {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Service": "ec2.amazonaws.com"
         },
         "Action": "sts:AssumeRole"
       },
       {
         "Effect": "Allow",
         "Principal": {
           "Service": "ecs-tasks.amazonaws.com"
         },
         "Action": "sts:AssumeRole"
       },
       {
         "Effect": "Allow",
         "Principal": {
           "Service": "eks.amazonaws.com"
         },
         "Action": "sts:AssumeRole"
       },
       {
         "Sid": "AllowEc2AssumeRole",
         "Effect": "Allow",
         "Principal": {
           "AWS": "arn:aws:iam::YOUR-AWS-ACCOUNT:USER-OR-ROLE/USER-OR-ROLE-ID"
         },
         "Action": "sts:AssumeRole"
       }
     ]
 }

  1. Replace YOUR-AWS-ACCOUNT with your own AWS Account Id.

  2. Specify the Users and/or Roles able to assume the Tower IAM Role.

Create the IAM artefacts#

Create the IAM Artefacts in your AWS Account.

  1. Navigate to the folder containing your configured IAM documents:
1
2
3
```bash
cd <FOLDER_WITH_YOUR_CONFIGURED_IAM_DOCUMENTS>
```
  1. Create the Role:
1
2
3
```bash
aws iam create-role --role-name Tower-Role --assume-role-policy-document file://Tower-Role-Trust-Policy.json
```
  1. Create an inline policy for the Role:
1
2
3
```bash
aws iam put-role-policy --role-name Tower-Role --policy-name Tower-Role-Policy --policy-document file://Tower-Role-Policy.json
```
  1. Create an instance profile:
1
2
3
```bash
aws iam create-instance-profile --instance-profile-name Tower-Instance
```
  1. Bind the Role to the instance profile:
1
2
3
```bash
aws iam add-role-to-instance-profile --instance-profile-name Tower-Instance --role-name Tower-Role
```

Configure Tower#

With the IAM artefacts complete, update your Tower application configuration:

  1. Add the following entry to your tower.env
1
2
3
```env
TOWER_ALLOW_INSTANCE_CREDENTIALS=true
```

  1. Restart the Tower application.

  2. Verify that the change took effect by querying the Tower instance service-info endpoint:

1
2
3
```bash
curl -X GET "https://YOUR-TOWER-DOMAIN/api/service-info" -H "Accept: application/json" | jq ".serviceInfo.allowInstanceCredentials"
```

  1. Log in to Tower and create a new AWS credential. You are now prompted for an AWS arn instead of access keys.

    Before Change:

    After Change:

Back to top