ClusterLabs / resource-agents

Combined repository of OCF agents from the RHCS and Linux-HA projects
GNU General Public License v2.0

awsvip versus AWS Policy #1844

Open luke2261git opened 1 year ago

luke2261git commented 1 year ago

Recommend changes to allow AWS Policy to manage awsvip and fence_aws resources within EC2.

example: pcs resource create vipaws awsvip aws_ip_region=us-east-1 profile=AWSPOLICY secondary_private_ip=10.0.1.100 --group aws

The policy below, when attached to the role/instance profile attached to the EC2 instance, allows the fence_aws and awsvip resources to be managed via policy, with no CLI configuration needed. The policy below can be made more restrictive to specific EC2 instances.

AWS Policy JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:RebootInstances",
                "ec2:DescribeInstances",
                "ec2:StartInstances",
                "ec2:DescribeTags",
                "ec2:DescribeInstanceAttribute",
                "ec2:UnassignPrivateIpAddresses",
                "ec2:ModifyInstanceAttribute",
                "ec2:AssignPrivateIpAddresses",
                "ec2:StopInstances"
            ],
            "Resource": "*"
        }
    ]
}

Attachment: awsvip.pcs.sh.txt
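A scoped version of the policy above, added here as an illustration and not part of this issue or the resource-agents project. The Describe* calls keep "Resource": "*" because EC2 does not support resource-level permissions for them; the mutating calls used for fencing are limited to instances, and the calls used to move the secondary private IP are limited to network interfaces, in both cases only when the resource carries a cluster tag. The account ID 123456789012, the region us-east-1 (taken from the example command above), and the tag key/value pacemaker-cluster=aws are placeholders to be replaced with the real values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeCallsRequireWildcardResource",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "FenceOnlyTaggedClusterInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:ModifyInstanceAttribute"
      ],
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/pacemaker-cluster": "aws"
        }
      }
    },
    {
      "Sid": "MoveVipOnlyOnTaggedNetworkInterfaces",
      "Effect": "Allow",
      "Action": [
        "ec2:AssignPrivateIpAddresses",
        "ec2:UnassignPrivateIpAddresses"
      ],
      "Resource": "arn:aws:ec2:us-east-1:123456789012:network-interface/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/pacemaker-cluster": "aws"
        }
      }
    }
  ]
}
```

For the conditions to match, both the cluster instances and the network interfaces that carry the secondary private IP must be tagged with pacemaker-cluster=aws (tags on the instance do not propagate to its ENIs). With this split, a node whose instance profile is abused can still fence its tagged peers (which fencing inherently requires), but it cannot stop, reboot or re-address any other instance or interface in the account, which is the exposure the single "Resource": "*" statement leaves open.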

gguifelixamz commented 1 year ago

I'm sorry, I think we're missing some context here. Would you mind clarifying what you are suggesting/changing?

luke2261git commented 1 year ago

Currently you have to configure the AWS CLI to use awsvip and fence_aws. This means you have to apply credentials to be able to use awsvip and fence_aws. If you attach policies as noted above to the EC2 instance, you can then use these agents without having to configure the AWS CLI. AWS policies will control the access to these resources, making it more secure. This also makes it possible to use cloud-init to automatically build a PCS cluster in AWS, etc.

luke2261git commented 1 year ago

By using a policy to control access for the AWS CLI, you do not need to incorporate your AWS credentials in your OpenShift configuration or within the EC2 instance. To me this is a problem. I can control access to the PCS fence with a policy, which is more secure, etc. Not to mention the risk of your credentials being compromised.