From fba20567c0301d48361959a87aefa7d2e0c72815 Mon Sep 17 00:00:00 2001 From: Chris Sinjakli Date: Fri, 5 Aug 2022 14:49:38 +0100 Subject: [PATCH] Document permissions needed for `ec2_sd_configs` (#11119) Currently, it's not explicitly called out which permissions are needed for service discovery of EC2 instances. It's not super hard to figure out, but it did involve a bit of guesswork when I did it yesterday, and I figure it's worth saving people that effort. I've also seen examples around the internet where people are granting much broader permissions than they need to, so maybe we can save on that by explicitly saying what's needed. Signed-off-by: Chris Sinjakli --- docs/configuration/configuration.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/configuration/configuration.md b/docs/configuration/configuration.md index cd8b388c35..6e45dbfc6a 100644 --- a/docs/configuration/configuration.md +++ b/docs/configuration/configuration.md @@ -993,6 +993,11 @@ EC2 SD configurations allow retrieving scrape targets from AWS EC2 instances. The private IP address is used by default, but may be changed to the public IP address with relabeling. +The IAM credentials used must have the `ec2:DescribeInstances` permission to +discover scrape targets, and may optionally have the +`ec2:DescribeAvailabilityZones` permission if you want the availability zone ID +available as a label (see below). + The following meta labels are available on targets during [relabeling](#relabel_config): * `__meta_ec2_ami`: the EC2 Amazon Machine Image
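Review bot: In the added paragraph, the "(see below)" after `ec2:DescribeAvailabilityZones` does not say which meta label depends on that permission, nor what happens when the permission is missing. Name the label inline and state whether discovery still succeeds without the optional permission, so that a reader granting only `ec2:DescribeInstances` knows exactly what they give up. Since the commit message cites overly broad grants as the motivation, it would also help to say explicitly that these two actions are the only ones EC2 service discovery needs, if that is the case.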