Added policies

api/handlers_instances.go

@@ -444,7 +444,7 @@ func (s *server) InstanceSendCommandHandler(w http.ResponseWriter, r *http.Reque
 
 }
 
-func (s *server) InstanceIDHandler(w http.ResponseWriter, r *http.Request) {
+func (s *server) NotImplementedHandler(w http.ResponseWriter, r *http.Request) {
 	w = LogWriter{w}
 	w.WriteHeader(http.StatusNotImplemented)
 }
@@ -468,12 +468,17 @@ func (s *server) InstanceSSMAssociationHandler(w http.ResponseWriter, r *http.Re
 	}
 
 	role := fmt.Sprintf("arn:aws:iam::%s:role/%s", account, s.session.RoleName)
+	policy, err := ssmAssociationPolicy()
+	if err != nil {
+		handleError(w, err)
+		return
+	}
 
 	session, err := s.assumeRole(
 		r.Context(),
 		s.session.ExternalID,
 		role,
-		"",
+		policy,
 		"arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess",
 	)
 	if err != nil {
@@ -509,12 +514,15 @@ func (s *server) InstanceUpdateHandler(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if len(req.Tags) == 0 && len(req.InstanceType) == 0 {
-		handleError(w, apierror.New(apierror.ErrBadRequest, "missing required fields", nil))
+		handleError(w, apierror.New(apierror.ErrBadRequest, "missing required fields: tags or instance_type", nil))
+		return
+	} else if len(req.Tags) > 0 && len(req.InstanceType) > 0 {
+		handleError(w, apierror.New(apierror.ErrBadRequest, "only one of these fields should be provided: tags or instance_type", nil))
 		return
 	}
 
 	role := fmt.Sprintf("arn:aws:iam::%s:role/%s", account, s.session.RoleName)
-	policy, err := tagCreatePolicy()
+	policy, err := instanceUpdatePolicy()
 	if err != nil {
 		handleError(w, err)
 		return

api/policy.go

@@ -290,3 +290,51 @@ func sendCommandPolicy() (string, error) {
 
 	return string(j), nil
 }
+
+func instanceUpdatePolicy() (string, error) {
+	log.Debugf("generating tag create policy document")
+	policy := iam.PolicyDocument{
+		Version: "2012-10-17",
+		Statement: []iam.StatementEntry{
+			{
+				Effect: "Allow",
+				Action: []string{
+					"ec2:CreateTags",
+					"ec2:ModifyInstanceAttribute",
+				},
+				Resource: []string{"*"},
+			},
+		},
+	}
+
+	j, err := json.Marshal(policy)
+	if err != nil {
+		return "", err
+	}
+
+	return string(j), nil
+}
+
+func ssmAssociationPolicy() (string, error) {
+	log.Debugf("generating tag create policy document")
+	policy := iam.PolicyDocument{
+		Version: "2012-10-17",
+		Statement: []iam.StatementEntry{
+			{
+				Effect: "Allow",
+				Action: []string{
+					"ssm:CreateAssociation",
+					"ssm:UpdateAssociation",
+				},
+				Resource: []string{"*"},
+			},
+		},
+	}
+
+	j, err := json.Marshal(policy)
+	if err != nil {
+		return "", err
+	}
+
+	return string(j), nil
+}

api/routes.go

@@ -65,7 +65,7 @@ func (s *server) routes() {
 	api.HandleFunc("/{account}/images", s.ProxyRequestHandler).Methods(http.MethodPost)
 
 	api.HandleFunc("/{account}/images/{id}/tags", s.ImageUpdateHandler).Methods(http.MethodPut)
-	api.HandleFunc("/{account}/instances/{id}", s.InstanceIDHandler).Methods(http.MethodPut)
+	api.HandleFunc("/{account}/instances/{id}", s.NotImplementedHandler).Methods(http.MethodPut)
 	api.HandleFunc("/{account}/instances/{id}/power", s.InstanceStateHandler).Methods(http.MethodPut)
 	api.HandleFunc("/{account}/instances/{id}/ssm/command", s.InstanceSendCommandHandler).Methods(http.MethodPut)
 	api.HandleFunc("/{account}/instances/{id}/ssm/association", s.InstanceSSMAssociationHandler).Methods(http.MethodPut)