README.md in fluent-plugin-ec2-metadata-0.0.4 vs README.md in fluent-plugin-ec2-metadata-0.0.5
- old
+ new
@@ -55,14 +55,51 @@
* ${instance_id} instance id
* ${instance_type} instance type
* ${availability_zone} availability zone
* ${region} region
-The followings are available when you define `aws_key_id` and `aws_sec_key`:
+The followings are available when you define `aws_key_id` and `aws_sec_key`(or define IAM Policy):
* ${vpc_id} vpc id
* ${subnet_id} subnet id
* ${tagset_xxx} EC2 tag (e.g. tagset_name is replaced by the value of Key = Name)
+
+The following is an example for a minimal IAM policy needed to ReadOnlyAccess to EC2.
+
+```
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "ec2:Describe*",
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "elasticloadbalancing:Describe*",
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "cloudwatch:ListMetrics",
+ "cloudwatch:GetMetricStatistics",
+ "cloudwatch:Describe*"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "autoscaling:Describe*",
+ "Resource": "*"
+ }
+ ]
+}
+```
+
+Refer to the {AWS documentation}[http://docs.aws.amazon.com/IAM/latest/UserGuide/ExampleIAMPolicies.html] for example policies.
+Using {IAM roles}[http://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html] with a properly configured IAM policy are preferred over embedding access keys on EC2 instances.
## Contributing
1. Fork it
2. Create your feature branch (`git checkout -b my-new-feature`)
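Review bot: The policy added below the `${tagset_xxx}` line is introduced as "minimal", but it allows `ec2:Describe*`, `elasticloadbalancing:Describe*`, three `cloudwatch` read actions and `autoscaling:Describe*`, all on `"Resource": "*"`, while the only placeholders it enables are `${vpc_id}`, `${subnet_id}` and `${tagset_xxx}`, which are all EC2 instance data. I would drop the ELB, CloudWatch and Auto Scaling statements and replace the `ec2:Describe*` wildcard with the specific EC2 Describe actions the plugin actually calls, or else reword the sentence so it does not call a broad read-only policy minimal. Two smaller points in the same hunk: the links on the last two added lines use RDoc `{text}[url]` syntax, which will not render in a Markdown README (use `[text](url)`), and "`aws_sec_key`(or define IAM Policy)" is missing a space and would be clearer if it said that an IAM role attached to the instance can be used instead of the keys.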