Closed gyana210 closed 4 years ago
Hi gyana, create a policy, then create a user and attach this policy to that user. This is the policy for your requirement:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": [
                "arn:aws:ec2:<regionname>:<accountid>:instance/<instanceid>"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Name": "Test"
                }
            }
        }
    ]
}
Note: in arn:aws:ec2:<regionname>:<accountid>:instance/<instanceid>, change the region name, account ID and instance ID to those you want to give the user access to.
Hi Mani, according to your policy, it's not working; it's showing the same problem. But when I put * in place of the account ID and instance ID, it shows the policy is right. But this is not my requirement...
On Tue, May 5, 2020, 6:28 PM srmanikanta notifications@github.com wrote:
> Hi gyana, create a policy, then create a user and attach this policy to that user. This is the policy for your requirement
Hi gyana, I tried the above and it is working fine. Please check: don't add administrator permission, and don't use * for the instance; just mention the particular instance ID.
Please provide this information correctly:
"Resource": [
    "arn:aws:ec2:<regionname>:<accountid>:instance/<instanceid>"
]
One more thing:
"Condition": {
    "StringEquals": {
        "ec2:ResourceTag/Name": "Test"
    }
}
Provide the tag name which you created.
If you have not created a tag, just go to the instance settings and add a new tag. In my case the key name is Name and the value is Test.
Please cross-check everything, because it is working.
I think it is useful to you; if not, please ignore.
Good morning Mani, it's working. Actually, I made a very silly mistake: in place of the region, I was giving the AZ, so for that reason it was throwing the error message.
Thanks for replying...
On Wed, May 6, 2020 at 7:23 AM srmanikanta notifications@github.com wrote:
> Hi gyana, I tried the above and it is working fine. Please check: don't add administrator permission, and don't use * for the instance; just mention the particular instance ID.
When I am creating an IAM policy for a specific EC2 instance with start, stop and terminate, it is showing:
This policy does not grant any permissions. To grant access, policies must have an action that has an applicable resource or condition.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "arn:aws:ec2:us-east-2a:70927400572094:instance/i-ahg5753bss4y"
        }
    ]
}
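Added example, not part of the original thread: a small Python check for the mistake identified in the replies above, an Availability Zone in the region field of the instance ARN. The function names, the regular expressions (which approximate region and zone names) and the trimmed sample policy are assumptions made for illustration; the check also covers the 12-digit account ID and the instance ID format, which goes beyond the case discussed in the thread.

```python
import json
import re

# Assumed patterns: a region is e.g. "us-east-2"; an Availability Zone
# appends a letter ("us-east-2a"). Other zone types are not covered.
REGION = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+$")
AZ = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+[a-z]$")
ACCOUNT = re.compile(r"^\d{12}$")                      # account IDs are 12 digits
INSTANCE = re.compile(r"^i-([0-9a-f]{8}|[0-9a-f]{17})$")


def check_instance_arn(arn):
    """Return the problems found in one EC2 ARN (empty list if none)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "ec2":
        return [f"not an EC2 ARN: {arn}"]
    region, account, resource = parts[3:]
    problems = []
    if "*" not in region:                              # wildcards are not checked
        if AZ.match(region):
            problems.append(f"region '{region}' is an Availability Zone, use '{region[:-1]}'")
        elif not REGION.match(region):
            problems.append(f"region '{region}' is not a region name")
    if "*" not in account and not ACCOUNT.match(account):
        problems.append(f"account id '{account}' is not 12 digits")
    kind, _, ident = resource.partition("/")
    if kind == "instance" and "*" not in ident and not INSTANCE.match(ident):
        problems.append(f"instance id '{ident}' is not 'i-' plus 8 or 17 hex characters")
    return problems


def lint_policy(policy_json):
    """Check every Resource ARN of every statement in an IAM policy document."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):                   # a lone statement may be an object
        statements = [statements]
    findings = []
    for stmt in statements:
        resources = stmt.get("Resource", [])
        for arn in [resources] if isinstance(resources, str) else resources:
            if arn != "*":
                findings.extend(check_instance_arn(arn))
    return findings


# Trimmed sample policy; the Resource ARN is the one posted in the issue.
REPORTED = ('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
            '"Action": ["ec2:StartInstances"], "Resource": '
            '"arn:aws:ec2:us-east-2a:70927400572094:instance/i-ahg5753bss4y"}]}')

if __name__ == "__main__":
    for finding in lint_policy(REPORTED):
        print(finding)
```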