eu-nebulous / nebulous

The main repository of the NebulOuS Meta Operating System project.
https://nebulouscloud.eu
Mozilla Public License 2.0

Documentation of AWS Credentials to include necessary permission policies #15

Open mstietencron opened 1 month ago

mstietencron commented 1 month ago

The wiki documentation on "2.1 Managing cloud providers" should be extended to elaborate on the necessary permissions for the AWS Access Keys.

Under "Registering AWS account" > "Step 3" > "Credentials section" currently no information is given towards the necessary permissions for the access key, which leads to Root Access Keys being used as default. This cannot be best practice.

It should be updated to

  1. create a user in the AWS IAM dashboard
  2. attach limited permission policies to this user (detail the exact permission policy, e.g. "AmazonEC2FullAccess")
  3. generate an access key pair for this user
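
The three steps proposed above, written out with the AWS CLI as an added example (not part of the original issue or the NebulOuS documentation). The user name `nebulous-sal` is hypothetical, `AmazonEC2FullAccess` is only the example policy named in the issue and not a tested minimum for SAL, and the root-ARN check is an addition.

```shell
#!/usr/bin/env bash
# Added example: a dedicated IAM user for the access key given to NebulOuS/SAL,
# instead of a root access key.
# Assumptions: AmazonEC2FullAccess is the example policy from the issue, not a
# verified minimum; the user name passed in is the caller's choice.

POLICY_ARN="arn:aws:iam::aws:policy/AmazonEC2FullAccess"

# Print the command when DRY_RUN=1 (the default); execute it when DRY_RUN=0.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Steps 1-3 from the issue: create user, attach limited policy, generate key pair.
# create-access-key shows the secret key only once; store it securely.
provision_sal_user() {
  user="$1"
  run aws iam create-user --user-name "$user" || return 1
  run aws iam attach-user-policy --user-name "$user" --policy-arn "$POLICY_ARN" || return 1
  run aws iam create-access-key --user-name "$user"
}

# Return 0 if an ARN from `aws sts get-caller-identity` is the account root.
is_root_arn() {
  case "$1" in
    arn:aws*:iam::*:root) return 0 ;;
    *) return 1 ;;
  esac
}

# Reject a key whose caller identity is root before registering it.
# Pass an ARN to check offline, or no argument to query the active credentials.
check_key_not_root() {
  arn="${1:-$(aws sts get-caller-identity --query Arn --output text)}"
  if is_root_arn "$arn"; then
    echo "REJECT: root access key ($arn)"
    return 1
  fi
  echo "OK: $arn"
}
```

Call `provision_sal_user nebulous-sal` to preview the commands, then repeat with `DRY_RUN=0` to run them; run `check_key_not_root` with the new key configured before entering it in the credentials section.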

ankicabarisic commented 1 month ago

Dear Moritz, it is not Activeeon who introduced the documentation regarding how to set up the cloud with cloud providers for NebulOuS.

We have this section on the specific process to create the recognizable images by SAL here: https://openproject.nebulouscloud.eu/projects/nebulous-collaboration-hub/wiki/aws-images-detected-by-sal

Maybe @robert-sanfeliu has a better idea of who is to create this documentation.

Regarding us, please report the error if Add Cloud fails in SAL when you use the 'best practice' approach as you propose.

mstietencron commented 1 month ago

OK. Thanks for clearing that up, @ankicabarisic. Can you determine which permission policies are needed for the AWS Access Key as a minimum? I guess SAL is the component using the access key...

robert-sanfeliu commented 1 month ago

@mstietencron indeed, SAL/Proactive is the one utilising the credentials to VMs on AWS.

ankicabarisic commented 1 month ago

@mstietencron @robert-sanfeliu Indeed, it is the one receiving the cloud credentials and forwarding them to the JCloud adapter to handle the cloud initialization and deployment. However, this doesn't have anything to do with the documentation pointed out in this issue report.

We did not perform any detailed testing of the limited permission policies for the user; however, if it is to be a feature for Nebulous, there are two options:

I would opt for the second approach, as the list of wanted SAL/ProActive features is increasing and there is limited availability of time & resources; as @robert-sanfeliu mentioned during technical coordination, it will not be possible to implement all required features.

robert-sanfeliu commented 1 month ago

I'll test it and document it.