
Commit

wlandau-lilly committed Jan 16, 2024
1 parent b30e46e commit 66c3521
Showing 2 changed files with 24 additions and 2 deletions.
3 changes: 2 additions & 1 deletion README.Rmd
Expand Up @@ -41,7 +41,8 @@ Please see <https://wlandau.github.io/crew.aws.batch/> for documentation, includ

1. Understand [AWS Batch](https://aws.amazon.com/batch/) and its [official documentation](https://aws.amazon.com/batch/).
2. Your [job definitions](https://docs.aws.amazon.com/batch/latest/userguide/job_definitions.html) must each have [Docker](https://www.docker.com/)-compatible container image with R and `crew.aws.batch` installed. You may wish to inherit from an existing [rocker](https://github.com/rocker-org/rocker-versioned2) image.
3. In the [compute environment](https://docs.aws.amazon.com/batch/latest/userguide/compute_environments.html), the [security group](https://docs.aws.amazon.com/vpc/latest/userguide/security-groups.html) must permit all inbound and outbound TCP traffic within itself.^[If you already know the TCP port you will supply to `port` argument of `crew_controller_aws_batch()`, you can restrict the port range to only use that port number.] The controller and the workers must run in this security group so they can communicate within the firewalled local network.^[Please read about the [risks](https://wlandau.github.io/crew/articles/risks.html) and keep TLS encryption turned on (default: `tls = crew_tls(mode = "automatic")`). Please understand and comply with all the security policies of your organization.] If your security group ID is `sg-00000` and belongs to [VPC](https://aws.amazon.com/vpc/) `vpc-00000`, then your inbound and outbound rules may look something like this:
3. At minimum, for the launcher plugin to work, your [IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) need permission to [submit](https://docs.aws.amazon.com/batch/latest/APIReference/API_SubmitJob.html) and [terminate](https://docs.aws.amazon.com/batch/latest/APIReference/API_TerminateJob.html) jobs. To appropriately monitor jobs, your policies also need permission to [list](https://docs.aws.amazon.com/batch/latest/APIReference/API_ListJobs.html) and [describe](https://docs.aws.amazon.com/batch/latest/APIReference/API_DescribeJobs.html) jobs. In addition, managing job definitions as described below requires permission to [register](https://docs.aws.amazon.com/batch/latest/APIReference/API_RegisterJobDefinition.html), [deregister](https://docs.aws.amazon.com/batch/latest/APIReference/API_DeregisterJobDefinition.html), and [describe](https://docs.aws.amazon.com/batch/latest/APIReference/API_DescribeJobDefinitions.html) job definitions. To view [CloudWatch](https://aws.amazon.com/cloudwatch/) logs, you need permission to [get log events](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetLogEvents.html).
4. In the [compute environment](https://docs.aws.amazon.com/batch/latest/userguide/compute_environments.html), the [security group](https://docs.aws.amazon.com/vpc/latest/userguide/security-groups.html) must permit all inbound and outbound TCP traffic within itself.^[If you already know the TCP port you will supply to `port` argument of `crew_controller_aws_batch()`, you can restrict the port range to only use that port number.] The controller and the workers must run in this security group so they can communicate within the firewalled local network.^[Please read about the [risks](https://wlandau.github.io/crew/articles/risks.html) and keep TLS encryption turned on (default: `tls = crew_tls(mode = "automatic")`). Please understand and comply with all the security policies of your organization.] If your security group ID is `sg-00000` and belongs to [VPC](https://aws.amazon.com/vpc/) `vpc-00000`, then your inbound and outbound rules may look something like this:

![](./man/figures/inbound.png)

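Review bot: the new step 3 lists the IAM actions the plugin needs (submit, terminate, list, describe jobs; register, deregister, describe job definitions; get log events) but says nothing about the resources those permissions should be scoped to, so a reader is likely to grant them on `*`. Suggest adding one sentence after "you need permission to get log events" recommending that the policy be restricted to the job queue, job definition and CloudWatch log group the controller actually uses, in the same spirit as the port-restriction footnote in step 4. It would also help to say up front that only submit and terminate are strictly required and the rest enable monitoring and job-definition management, since the text currently reads as one undifferentiated list.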
23 changes: 22 additions & 1 deletion README.md
Expand Up @@ -48,7 +48,28 @@ comes with a set of special requirements:
container image with R and `crew.aws.batch` installed. You may wish
to inherit from an existing
[rocker](https://github.com/rocker-org/rocker-versioned2) image.
3. In the [compute
3. At minimum, for the launcher plugin to work, your [IAM
policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)
need permission to
[submit](https://docs.aws.amazon.com/batch/latest/APIReference/API_SubmitJob.html)
and
[terminate](https://docs.aws.amazon.com/batch/latest/APIReference/API_TerminateJob.html)
jobs. To appropriately monitor jobs, your policies also need
permission to
[list](https://docs.aws.amazon.com/batch/latest/APIReference/API_ListJobs.html)
and
[describe](https://docs.aws.amazon.com/batch/latest/APIReference/API_DescribeJobs.html)
jobs. In addition, managing job definitions as described below
requires permission to
[register](https://docs.aws.amazon.com/batch/latest/APIReference/API_RegisterJobDefinition.html),
[deregister](https://docs.aws.amazon.com/batch/latest/APIReference/API_DeregisterJobDefinition.html),
and
[describe](https://docs.aws.amazon.com/batch/latest/APIReference/API_DescribeJobDefinitions.html)
job definitions. To view
[CloudWatch](https://aws.amazon.com/cloudwatch/) logs, you need
permission to [get log
events](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_GetLogEvents.html).
4. In the [compute
environment](https://docs.aws.amazon.com/batch/latest/userguide/compute_environments.html),
the [security
group](https://docs.aws.amazon.com/vpc/latest/userguide/security-groups.html)
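Review bot: the link text "describe" is used twice in the new step 3, once for `API_DescribeJobs.html` and once for `API_DescribeJobDefinitions.html`, and the rendered README.md splits each link across lines, so a reader skimming the list can easily conflate the two and miss that two distinct permissions are needed. Suggest naming the IAM actions explicitly next to each link (for example `batch:SubmitJob`, `batch:TerminateJob`, `logs:GetLogEvents`, and the corresponding describe actions for jobs and job definitions) so users can copy them straight into a policy statement; since README.md is the rendered copy of README.Rmd, the wording change belongs in the Rmd source with README.md regenerated.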
