codership / galera-manager-support

Galera Manager Support Repository

Provide explicit documentation for AWS IAM roles, resources and permissions required to launch cluster manager and nodes. #76

Open cybern0id opened 7 months ago

cybern0id commented 7 months ago

Currently, galera manager requires an AWS access id and secret key. Using the AWS root account is very bad security practice, so we must create an AWS IAM user. Recommendations are to use the principle of least privilege to make secure IAM roles and access permissions.

AWS IAM with MFA and multiple users makes it difficult to fine tune AWS permissions. The AWS recommendation is to assign an IAM role to an instance (the galera manager instance, for example), which gives the instance periodic permissions to resources you define. But this would then require galera manager to be changed so that it uses the AWS API endpoint to request an access id and secret key (or something like that).

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html?icmpid=docs_iam_console
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#attach-iam-role

I've managed to deduce most of the permissions required through trial and error, by creating a new IAM user specifically for galera manager and assigning various IAM EC2 read and write permissions to it, then reading the deployment logs to find which specific AWS permission has failed. However, this is still not ideal as currently I'm not able to isolate exactly which resources or instances the galera manager has permission to interact with.

I think this might be solved by restricting EC2 IAM permissions to specific AWS Tags but I haven't yet tried this or worked out how to do it.
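As an added illustration of the tag-based scoping the comment above suggests (not part of the issue or the project's documentation, and not a verified list of the actions Galera Manager needs): the IAM policy below lets the Galera Manager user launch instances only if it tags them at creation, and then start, stop or terminate only instances carrying that tag. The tag key and value `ManagedBy=galera-manager` are placeholders, and the `Sid` of each statement records what it assumes; `Describe*` calls have no resource-level scoping in EC2, so read-only discovery stays on `*`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyDiscoveryNotTagScopable",
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Sid": "LaunchOnlyIfPlaceholderTagIsRequested",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
      "Condition": {"StringEquals": {"aws:RequestTag/ManagedBy": "galera-manager"}}
    },
    {
      "Sid": "LaunchDependenciesThatCarryNoRequestTag",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:key-pair/*"
      ]
    },
    {
      "Sid": "TaggingAllowedOnlyDuringRunInstances",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*:*:*/*",
      "Condition": {"StringEquals": {"ec2:CreateAction": "RunInstances"}}
    },
    {
      "Sid": "LifecycleOnlyOnInstancesWithPlaceholderTag",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {"StringEquals": {"aws:ResourceTag/ManagedBy": "galera-manager"}}
    }
  ]
}
```

Any action the deployment logs show as still denied would be added to this policy with the same tag condition where the action supports it, so the blast radius stays limited to instances the manager itself created.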