@s-hertel
Last active March 13, 2019 19:48
Example process for an AWS pull request failing with CI from authentication in CI
* Step 1, run the tests, which will output the minimum set of actions that the policy must permit.
As an example I'm using the abbreviated ec2_group tests (which are already part of Ansible):
```
(python3.6.4) 14:33:08 [ansible]$ ansible-test integration unstable/ec2_group
... test output ...
PLAY RECAP *******************************************************************************************************************************
testhost : ok=156 changed=51 unreachable=0 failed=0 skipped=8 rescued=0 ignored=10
AWS ACTIONS: ['ec2:AuthorizeSecurityGroupEgress', 'ec2:AuthorizeSecurityGroupIngress', 'ec2:CreateSecurityGroup', 'ec2:CreateTags', 'ec2:CreateVpc', 'ec2:DeleteSecurityGroup', 'ec2:DeleteTags', 'ec2:DeleteVpc', 'ec2:DescribeSecurityGroups', 'ec2:DescribeTags', 'ec2:DescribeVpcAttribute', 'ec2:DescribeVpcClassicLink', 'ec2:DescribeVpcs', 'ec2:ModifyVpcAttribute', 'ec2:RevokeSecurityGroupEgress', 'ec2:RevokeSecurityGroupIngress', 'ec2:UpdateSecurityGroupRuleDescriptionsEgress', 'ec2:UpdateSecurityGroupRuleDescriptionsIngress', 'sts:GetCallerIdentity']
```
* Step 2, use the list of 'AWS ACTIONS' printed at the end of the test run to create a policy. The policy can be written by hand by following https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-start and the IAM documentation for each service involved (in this case ec2 and sts), or by using the hacking/aws_config/build_iam_policy_framework.py script I've added. I'm going to do the latter, which prints a JSON policy for me:
```
(python3.6.4) 14:38:53 [ansible]$ python hacking/aws_config/build_iam_policy_framework.py ['ec2:AuthorizeSecurityGroupEgress', 'ec2:AuthorizeSecurityGroupIngress', 'ec2:CreateSecurityGroup', 'ec2:CreateTags', 'ec2:CreateVpc', 'ec2:DeleteSecurityGroup', 'ec2:DeleteTags', 'ec2:DeleteVpc', 'ec2:DescribeSecurityGroups', 'ec2:DescribeTags', 'ec2:DescribeVpcAttribute', 'ec2:DescribeVpcClassicLink', 'ec2:DescribeVpcs', 'ec2:ModifyVpcAttribute', 'ec2:RevokeSecurityGroupEgress', 'ec2:RevokeSecurityGroupIngress', 'ec2:UpdateSecurityGroupRuleDescriptionsEgress', 'ec2:UpdateSecurityGroupRuleDescriptionsIngress', 'sts:GetCallerIdentity']
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AnsibleEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
                "ec2:UpdateSecurityGroupRuleDescriptionsIngress"
            ],
            "Resource": "arn:aws:ec2:${Region}:${Account}:security-group/${SecurityGroupId}"
        },
        {
            "Sid": "AnsibleEditor1",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:CreateVpc",
                "ec2:DeleteTags",
                "ec2:DeleteVpc",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeTags",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcClassicLink",
                "ec2:DescribeVpcs",
                "ec2:ModifyVpcAttribute",
                "sts:GetCallerIdentity"
            ],
            "Resource": "*"
        }
    ]
}
```
Now I'll fill in the placeholders in that policy (${Region}, ${Account}, and ${SecurityGroupId}) with real values.
* Step 3, attach the policy to my AWS user or role and remove any other permissions. The point of this is to verify that the tests pass with only this policy in place. There are some troubleshooting steps if they fail. Unless you take the slower, iterative approach of adding one permission at a time, this is usually the step that takes the longest.
* Step 4, once the tests pass, add the policy in a comment on the pull request so an Ansible dev with access to the CI repository can apply it.
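The four steps above reduce to one mechanical pipeline: pull the action list out of the test output, split it into a resource-scoped statement and an unavoidable `"Resource": "*"` statement, fill in the placeholders, and check the result before handing it to CI. The following script is an added example that walks through that pipeline; it is not the gist's `build_iam_policy_framework.py` and does not reproduce its logic. The `RESOURCE_ARNS` table, the function names and the sample test output are all constructed for illustration; which EC2 actions genuinely support resource-level ARNs must be confirmed against the IAM documentation for the service.

```python
import ast
import json
import re
from collections import defaultdict

# Constructed sample of the tail of an ansible-test run; not real output.
SAMPLE_TEST_OUTPUT = """\
PLAY RECAP *********************************************************
testhost : ok=12 changed=4 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0
AWS ACTIONS: ['ec2:DescribeSecurityGroups', 'ec2:CreateSecurityGroup', 'ec2:DeleteSecurityGroup', 'ec2:RevokeSecurityGroupIngress', 'sts:GetCallerIdentity', 'ec2:DescribeSecurityGroups']
"""

# Hypothetical table (assumption, not from the gist): actions known to accept a
# resource-level ARN map to an ARN template; anything absent here gets "*".
SG_ARN = "arn:aws:ec2:${Region}:${Account}:security-group/${SecurityGroupId}"
RESOURCE_ARNS = {
    "ec2:AuthorizeSecurityGroupIngress": SG_ARN,
    "ec2:DeleteSecurityGroup": SG_ARN,
    "ec2:RevokeSecurityGroupIngress": SG_ARN,
}

# Only literal "service:Action" names are accepted; wildcards are rejected up front.
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9]+$")


def extract_actions(test_output):
    """Return the sorted, de-duplicated action list from the 'AWS ACTIONS:' line."""
    match = re.search(r"^AWS ACTIONS: (\[.*\])\s*$", test_output, re.MULTILINE)
    if match is None:
        raise ValueError("no 'AWS ACTIONS:' line in test output")
    # literal_eval parses the printed Python list without executing anything.
    actions = ast.literal_eval(match.group(1))
    bad = [a for a in actions if not ACTION_RE.match(a)]
    if bad:
        raise ValueError("rejecting non-literal or wildcard actions: %s" % bad)
    return sorted(set(actions))


def build_policy(actions):
    """Group actions by the resource they can be scoped to and emit a policy document."""
    by_resource = defaultdict(list)
    for action in actions:
        by_resource[RESOURCE_ARNS.get(action, "*")].append(action)
    statements = []
    # Resource-scoped statements first; the "*" statement, if any, goes last.
    for i, resource in enumerate(sorted(by_resource, key=lambda r: r == "*")):
        statements.append({
            "Sid": "AnsibleEditor%d" % i,
            "Effect": "Allow",
            "Action": by_resource[resource],
            "Resource": resource,
        })
    return {"Version": "2012-10-17", "Statement": statements}


def fill_placeholders(policy, values):
    """Substitute ${Name} placeholders; refuse to return a policy with any left unfilled."""
    text = json.dumps(policy)
    for name, value in values.items():
        text = text.replace("${%s}" % name, value)
    leftover = sorted(set(re.findall(r"\$\{(\w+)\}", text)))
    if leftover:
        raise ValueError("unfilled placeholders: %s" % leftover)
    return json.loads(text)


def lint_policy(policy):
    """Return the findings a reviewer would raise before the policy is applied to CI."""
    findings = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for action in actions:
            if "*" in action:
                findings.append("%s: wildcard action %s" % (stmt["Sid"], action))
        if stmt["Resource"] == "*":
            # An action that could have been scoped to an ARN but sits on "*" is over-broad.
            scopable = [a for a in actions if a in RESOURCE_ARNS]
            if scopable:
                findings.append("%s: resource-scopable actions on '*': %s" % (stmt["Sid"], scopable))
    return findings


if __name__ == "__main__":
    policy = build_policy(extract_actions(SAMPLE_TEST_OUTPUT))
    print(json.dumps(policy, indent=2))
    print("findings:", lint_policy(policy))
```

Running the script prints a two-statement policy for the constructed sample (one statement pinned to the security-group ARN, one on `"*"`) and an empty findings list; `fill_placeholders` then fails loudly if a `${...}` placeholder is still present, which is the mistake most likely to slip into a policy pasted into a PR comment.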