nanovms / ops

ops - build and run nanos unikernels
https://ops.city
MIT License

Invalid Region Error when Uploading Image - AWS permissions related #1467

Closed JonathonJulian closed 1 year ago

JonathonJulian commented 1 year ago

Description

Hello, I am working with ops for a CI job, where I am trying to restrict access to only the required resources. However, I am encountering an issue when attempting to upload the image to S3.

Error

Upon applying the policy, I get an error stating:

"region with name us-east-2 is invalid"

This issue does not occur when I switch back to an admin account, where everything works as expected.

Policy Configuration

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeInstanceRefreshes",
                "autoscaling:StartInstanceRefresh",
                "autoscaling:UpdateAutoScalingGroup",
                "ec2:CancelImportTask",
                "ec2:CreateImage",
                "ec2:CreateInstanceExportTask",
                "ec2:CreateLaunchTemplateVersion",
                "ec2:CreateSnapshot",
                "ec2:CreateTags",
                "ec2:DeregisterImage",
                "ec2:DescribeImages",
                "ec2:DescribeImportImageTasks",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeSnapshots",
                "ec2:DescribeTags",
                "ec2:ImportImage",
                "ec2:ImportInstance",
                "ec2:ImportSnapshot",
                "ec2:ImportVolume",
                "ec2:ModifyImageAttribute",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": "*"
        }
    ]
}

VMImport Permissions

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::opsimage",
                "arn:aws:s3:::opsimage/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:ModifySnapshotAttribute",
                "ec2:CopySnapshot",
                "ec2:RegisterImage",
                "ec2:Describe*"
            ],
            "Resource": "*"
        }
    ]
}

VMImport Trust

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "vmie.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:Externalid": "vmimport"
                }
            }
        }
    ]
}

I would appreciate any insight into what I might be doing wrong. Thanks in advance.

eyberg commented 1 year ago

you're saying you have 2 aws users; one can basically do anything (and that works) and the other one is a ci user that you want locked down to just the minimum amount of permissions? and this is for an 'ops image create' ?

have you tried just doing a 'ops image list' to see if you can perform that before the upload? that might help verify that user is g2g for other operations and this is just the create it's failing on

it might be helpful to sprinkle some debugging output from https://github.com/nanovms/ops/blob/master/provider/aws/aws_image.go#L100 onwards to see what line exactly you are failing at

also, important to note that the aws provider doesn't upload through s3 anymore as we found it was much faster to import directly through as a snapshot

JonathonJulian commented 1 year ago

yes exactly. seems I need permissions for EBS then. does this mean BucketName is no longer required in CloudConfig? I will attempt the debugging steps you suggest and post findings.

eyberg commented 1 year ago

it's not required for image creation anymore now but I believe it is still required for aux (non-base) volume creation

JonathonJulian commented 1 year ago

looks like DescribeRegions was the cause of that specific error. https://github.com/nanovms/ops/blob/master/provider/aws/aws.go#L101

JonathonJulian commented 1 year ago

FWIW this is what worked for me. I am only creating and uploading the image using ops; I am updating the launch template to use the new image and refreshing the ASG using the AWS SDK, so some of the permissions are for that process, not necessarily for the image upload, mostly the ASG stuff.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeTags",
                "autoscaling:DescribeInstanceRefreshes",
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:CreateOrUpdateTags",
                "autoscaling:StartInstanceRefresh",
                "autoscaling:UpdateAutoScalingGroup",
                "ebs:CompleteSnapshot",
                "ebs:PutSnapshotBlock",
                "ebs:StartSnapshot",
                "ec2:CopyImage",
                "ec2:CreateLaunchTemplate",
                "ec2:CreateLaunchTemplateVersion",
                "ec2:CreateTags",
                "ec2:DeleteSnapshot",
                "ec2:DescribeImages",
                "ec2:DescribeImportSnapshotTasks",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeRegions",
                "ec2:DescribeSnapshots",
                "ec2:DescribeTags",
                "ec2:DescribeVolumeAttribute",
                "ec2:DeregisterImage",
                "ec2:GetLaunchTemplateData",
                "ec2:ImportSnapshot",
                "ec2:ModifyLaunchTemplate",
                "ec2:RegisterImage",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "iam:GetRole",
                "iam:PassRole"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
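The thread's root cause was a least-privilege policy that silently lacked `ec2:DescribeRegions`, which ops reported as an invalid region rather than as a permissions problem. A cheap way to catch that class of mistake before a CI job runs is to lint the IAM policy document against the actions the job needs. The script below is an added example, not code from the ops project or from anyone in this thread. It parses a policy JSON, expands `*`/`?` wildcards in `Action` the way IAM does for action names, and reports which required actions are not granted. The `REQUIRED_FOR_IMAGE_CREATE` list is an assumption taken from the `ebs:` and `ec2:` snapshot/image entries of the final policy above; the thread only confirms `ec2:DescribeRegions` as the trigger of the error, so treat the rest of that list as a starting point to verify, not a documented minimum. The sample input is the `ec2:` portion of the first policy posted in the issue, embedded inline so the check runs offline.

```python
import fnmatch
import json
from typing import Iterable

# Assumption: taken from the ebs:/ec2: snapshot and image actions in the final
# policy in the thread. Only ec2:DescribeRegions is confirmed by the thread as
# the cause of the "region with name us-east-2 is invalid" error.
REQUIRED_FOR_IMAGE_CREATE = [
    "ebs:CompleteSnapshot",
    "ebs:PutSnapshotBlock",
    "ebs:StartSnapshot",
    "ec2:CreateTags",
    "ec2:DeleteSnapshot",
    "ec2:DescribeImages",
    "ec2:DescribeImportSnapshotTasks",
    "ec2:DescribeRegions",
    "ec2:DescribeSnapshots",
    "ec2:DeregisterImage",
    "ec2:ImportSnapshot",
    "ec2:RegisterImage",
]

# Constructed input: the ec2: entries of the first (failing) policy in the issue,
# kept verbatim; its autoscaling: and s3: entries are omitted for brevity.
ISSUE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:CancelImportTask", "ec2:CreateImage", "ec2:CreateInstanceExportTask",
        "ec2:CreateLaunchTemplateVersion", "ec2:CreateSnapshot", "ec2:CreateTags",
        "ec2:DeregisterImage", "ec2:DescribeImages", "ec2:DescribeImportImageTasks",
        "ec2:DescribeLaunchTemplates", "ec2:DescribeSnapshots", "ec2:DescribeTags",
        "ec2:ImportImage", "ec2:ImportInstance", "ec2:ImportSnapshot", "ec2:ImportVolume",
        "ec2:ModifyImageAttribute", "ec2:StartInstances", "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value) -> list:
    """IAM lets "Statement" and "Action" be a single object/string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def allowed_action_patterns(policy: dict) -> list[str]:
    """Collect the Action patterns of every Allow statement.

    Deny statements, NotAction, Resource and Condition are deliberately not
    modelled: this is a pre-flight sanity check, not a policy evaluator, so a
    clean result here does not prove the API call will succeed on the real
    resource; it only catches actions that are absent altogether.
    """
    patterns: list[str] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            patterns.extend(_as_list(stmt["Action"]))
    return patterns


def is_granted(action: str, patterns: Iterable[str]) -> bool:
    """Match one action against Allow patterns. IAM action names are
    case-insensitive and use '*' and '?' as wildcards, which fnmatch covers."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_actions(policy: dict,
                    required: Iterable[str] = REQUIRED_FOR_IMAGE_CREATE) -> list[str]:
    """Return the required actions the policy does not grant, in input order."""
    patterns = allowed_action_patterns(policy)
    return [a for a in required if not is_granted(a, patterns)]


if __name__ == "__main__":
    gaps = missing_actions(ISSUE_POLICY)
    print("actions missing from the issue's first policy:")
    for action in gaps:
        print("  -", action)
```

Run it against the policy JSON you are about to attach to the CI user, before the `ops image create` step; a non-empty result is a clearer failure than the misleading region error, and the `ec2:Describe*` wildcard used in the VMImport role policy shows why the same check on that role passes for `ec2:DescribeRegions`.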