rundeck-plugins / rundeck-ec2-nodes-plugin

Get resource node data from Amazon EC2

Document what IAM permissions are required #43

Open systeminsightsbuild opened 8 years ago

systeminsightsbuild commented 8 years ago

I see you now support an instance IAM role. Very nice. But what permissions are required to be in the policy?

gschueler commented 8 years ago

The only API call the plugin makes is DescribeInstances, so I believe you would only need to allow the ec2:DescribeInstances action.

adubkov commented 8 years ago

@gschueler Could you please show an example of how to configure it to use an IAM role?

I always get:

Caused by: com.amazonaws.AmazonServiceException:
User: arn:aws:sts::XXXXX:assumed-role/rundeck/i-12345678 is not authorized to perform: 
sts:AssumeRole on resource: arn:aws:iam::XXXXX:role/rundeck
(Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied;
 Request ID: 573e7a77-fc55-11e5-b29a-XXXXXXXXXXXX)

This is my role:

arn:aws:iam::XXXXXX:role/rundeck

This is how the policy for that role looks:

{
    "Statement": [
        {
            "Action": [
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:DescribeInstances",
                "ec2:DescribeTags",
                "ec2:DescribeVpcs",
                "autoscaling:SetDesiredCapacity",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances",
                "autoscaling:SetInstanceHealth",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}

gschueler commented 8 years ago

@blacked Are you trying to do "assumeRole"? There are two different "role" behaviors:

  1. Using an IAM role assigned to the Rundeck ec2 instance, which grants it authorization to query ec2
    • When you create your ec2 instance hosting Rundeck server, be sure to assign it to an IAM role
  2. Using "Assume Role ARN" config value which attempts to assume another granted role when querying ec2

adubkov commented 8 years ago

@gschueler Now it works! But in my case it was the same account, that's why I was surprised that I needed to explicitly allow it. For example, with boto it works natively; I'm able to run my tools without that part:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com",

        "AWS": [
          "arn:aws:iam::ACCOUNT_A:role/ec2-rundeck"
        ]
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

      },
      "Action": "sts:AssumeRole"
    }
  ]
}
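A worked illustration of the two role behaviors gschueler describes and of the trust relationship adubkov ended up needing, added here as an example (it is not the plugin's code and not from anyone in the thread). It builds the minimal permissions policy for the instance-role case, the extra sts:AssumeRole grant plus the trust policy for the "Assume Role ARN" case, and then checks a permissions policy like the one posted above for actions granted beyond the single one the plugin calls. The account id, role names and all helper functions are constructed for the example; the only fact taken from the thread is that ec2:DescribeInstances is the one action required.

```python
"""Least-privilege helpers for the rundeck-ec2-nodes-plugin IAM setup.

Added example, not code from the plugin or from this thread. Assumes the
plugin needs only ec2:DescribeInstances (as stated in the thread). The
account id and role names are constructed placeholders.
"""
import fnmatch
import json

# The single action the thread says the plugin calls.
REQUIRED_ACTIONS = {"ec2:DescribeInstances"}

# Constructed placeholder identifiers, not real accounts or roles.
ACCOUNT_ID = "111122223333"
INSTANCE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/ec2-rundeck"
TARGET_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/rundeck"

# The permissions policy posted earlier in the thread, used as sample input.
THREAD_POLICY = {
    "Statement": [{
        "Action": [
            "ec2:CreateTags", "ec2:DeleteTags", "ec2:DescribeInstances",
            "ec2:DescribeTags", "ec2:DescribeVpcs",
            "autoscaling:SetDesiredCapacity",
            "autoscaling:DescribeAutoScalingGroups",
            "autoscaling:DescribeAutoScalingInstances",
            "autoscaling:SetInstanceHealth",
            "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics",
        ],
        "Resource": ["*"],
        "Effect": "Allow",
    }]
}


def minimal_plugin_policy():
    """Behavior 1: the instance role itself queries EC2 (nothing else)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": sorted(REQUIRED_ACTIONS),
        # DescribeInstances has no resource-level scoping, so "*" is the
        # narrowest Resource that works for it.
        "Resource": "*",
    }]}


def assume_role_permissions_policy(target_role_arn):
    """Behavior 2: the *instance* role must be allowed to call sts:AssumeRole
    on the target role named in the plugin's "Assume Role ARN" setting."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": target_role_arn,
    }]}


def trust_policy(instance_role_arn):
    """Trust policy on the *target* role. This is the piece adubkov had to add:
    even within one account the trust relationship must name the caller."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": instance_role_arn},
        "Action": "sts:AssumeRole",
    }]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def allowed_actions(policy):
    """Action patterns granted by Allow statements (Deny is not modelled)."""
    out = set()
    for st in policy["Statement"]:
        if st.get("Effect") == "Allow":
            out.update(_as_list(st.get("Action", [])))
    return out


def action_allowed(policy, action):
    """IAM action names match case-insensitively and may use '*' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower())
               for pat in allowed_actions(policy))


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions the policy does not grant."""
    return sorted(a for a in required if not action_allowed(policy, a))


def excess_actions(policy, required=REQUIRED_ACTIONS):
    """Granted patterns that match none of the required actions (over-grants)."""
    return sorted(pat for pat in allowed_actions(policy)
                  if not any(fnmatch.fnmatchcase(r.lower(), pat.lower())
                             for r in required))


if __name__ == "__main__":
    print("missing:", missing_actions(THREAD_POLICY))
    print("excess:", excess_actions(THREAD_POLICY))
    print(json.dumps(trust_policy(INSTANCE_ROLE_ARN), indent=2))
```

Running it against the policy from the thread reports no missing action and ten actions that the plugin never uses; trimming those is the least-privilege change, while the trust policy is what makes the same-account assume-role path work.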

macropin commented 5 years ago

@gschueler Can you please update the README.md to document the fact that ec2.DescribeInstances is the only policy action required?