Closed (oalbrigt closed this 8 months ago)
@oalbrigt For auth_type I would recommend the options to be `key` or `role`, because of how IAM works. A policy goes into a role, and a role is attached to an EC2 instance (where pacemaker is running). A role can have "N" policies, but an EC2 instance can have only one role, and effectively it is the Role that grants the EC2 instance authorization and authentication to perform an API call.
@gguifelixamz Thanks. I've updated accordingly and improved the logic, so region can be used even for profiles, and it gives an error if not set when using role authentication.
retest this please
Tested by following https://github.com/ClusterLabs/resource-agents/pull/1899#issuecomment-1808882317 and updating .AWS/env/${AWS_PCS_ROLE_POLICY} to the following to make it work with all the agents:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances",
                "ec2:DescribeTags",
                "ec2:ModifyInstanceAttribute",
                "ec2:DescribeInstanceAttribute",
                "ec2:AssignPrivateIpAddresses",
                "ec2:UnassignPrivateIpAddresses",
                "ec2:DescribeAddresses",
                "ec2:AssociateAddress",
                "ec2:DisassociateAddress",
                "ec2:DescribeRouteTables",
                "ec2:ReplaceRoute"
            ],
            "Resource": "*"
        }
    ]
}
```
Based on https://github.com/ClusterLabs/resource-agents/pull/1899
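As an added example (not part of this pull request or the resource-agents code), a small Python check that parses an IAM policy document like the one posted above and reports which of the ec2 actions listed in that thread it fails to grant, honouring IAM's `*` wildcards in Action values. The required-action set is copied from the policy in the thread; the policy text embedded below is a constructed copy of it.

```python
import json
from fnmatch import fnmatchcase

# Actions the policy in the thread grants (constructed from the comment above).
REQUIRED_EC2_ACTIONS = frozenset({
    "ec2:DescribeInstances", "ec2:StartInstances", "ec2:StopInstances",
    "ec2:RebootInstances", "ec2:DescribeTags", "ec2:ModifyInstanceAttribute",
    "ec2:DescribeInstanceAttribute", "ec2:AssignPrivateIpAddresses",
    "ec2:UnassignPrivateIpAddresses", "ec2:DescribeAddresses",
    "ec2:AssociateAddress", "ec2:DisassociateAddress",
    "ec2:DescribeRouteTables", "ec2:ReplaceRoute",
})

# Constructed sample: the thread's policy, reduced to one statement.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                   "Action": sorted(REQUIRED_EC2_ACTIONS), "Resource": "*"}],
})


def allowed_action_patterns(policy):
    """Collect Action patterns from Allow statements. Resource and Condition
    are not evaluated; this only answers "does any Allow mention the action"."""
    patterns = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.update([actions] if isinstance(actions, str) else actions)
    return patterns


def missing_actions(policy_text, required=REQUIRED_EC2_ACTIONS):
    """Return the required actions no Allow statement grants. IAM action
    matching is case-insensitive and supports '*' and '?' wildcards."""
    patterns = [p.lower() for p in allowed_action_patterns(json.loads(policy_text))]
    return {a for a in required
            if not any(fnmatchcase(a.lower(), p) for p in patterns)}


def uses_resource_wildcard(policy_text):
    """True if any Allow statement is scoped to Resource "*", as the thread's
    policy is; a reviewer would want to know before attaching it to a role."""
    return any(stmt.get("Effect") == "Allow" and stmt.get("Resource") == "*"
               for stmt in json.loads(policy_text).get("Statement", []))
```

Running `missing_actions` against the policy with the comma dropped (as in the original comment) raises `json.JSONDecodeError`, which is the same failure the AWS CLI reports when given that document.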