Open systeminsightsbuild opened 8 years ago
The only API call the plugin makes is DescribeInstances, so I believe you would only need to allow the ec2:DescribeInstances action.
@gschueler Could you please show example how to configure it to use IAM role?
I always get:
```
Caused by: com.amazonaws.AmazonServiceException:
User: arn:aws:sts::XXXXX:assumed-role/rundeck/i-12345678 is not authorized to perform:
sts:AssumeRole on resource: arn:aws:iam::XXXXX:role/rundeck
(Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied;
Request ID: 573e7a77-fc55-11e5-b29a-XXXXXXXXXXXX)
```
This is my role:
arn:aws:iam::XXXXXX:role/rundeck
This is how the policy for that role looks:
```json
{
  "Statement": [
    {
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:DescribeInstances",
        "ec2:DescribeTags",
        "ec2:DescribeVpcs",
        "autoscaling:SetDesiredCapacity",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "autoscaling:SetInstanceHealth",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}
```
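The maintainer's point above is that the plugin only ever calls DescribeInstances, while the role policy posted here grants ten further actions on every resource. The following script is an added example (not code from the plugin, its maintainer, or anyone in this thread): an offline least-privilege audit that loads an IAM policy document, checks that each required action is allowed, and lists the allowed action patterns that no required action needs. The policy embedded below is the one posted in this thread with a `Version` key added; the `REQUIRED_ACTIONS` set, the function names, and the simplified evaluation (only `Allow` statements are considered; `Deny`, `Resource` scoping and `Condition` keys are ignored) are assumptions of this example.

```python
import fnmatch
import json

# Constructed sample input: the role policy posted in the thread, plus the
# standard Version key so it is a complete policy document.
ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:CreateTags", "ec2:DeleteTags", "ec2:DescribeInstances",
        "ec2:DescribeTags", "ec2:DescribeVpcs",
        "autoscaling:SetDesiredCapacity", "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances", "autoscaling:SetInstanceHealth",
        "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics"
      ],
      "Resource": ["*"],
      "Effect": "Allow"
    }
  ]
}
""")

# Constructed minimal policy: only the action the maintainer says the plugin uses.
MINIMAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"}
    ],
}

# Assumption of this example, taken from the maintainer's comment above.
REQUIRED_ACTIONS = {"ec2:DescribeInstances"}


def allowed_action_patterns(policy):
    """Collect every action pattern granted by an Allow statement.

    Simplification (assumption): Deny statements, Resource scoping and
    Condition keys are ignored; this audits the Action lists only.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # IAM also accepts a single statement object
        statements = [statements]
    patterns = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):      # "Action": "ec2:DescribeInstances"
            actions = [actions]
        patterns.update(actions)
    return patterns


def pattern_matches(pattern, action):
    """IAM action patterns use '*' and '?' wildcards and match case-insensitively."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy, required):
    """Compare the policy's Allow patterns with the set of required actions.

    Returns a dict with:
      missing   - required actions that no Allow pattern covers
      extra     - Allow patterns that cover no required action at all
      overbroad - wildcard patterns that cover a required action but grant more
    """
    patterns = allowed_action_patterns(policy)
    missing = {a for a in required
               if not any(pattern_matches(p, a) for p in patterns)}
    extra, overbroad = set(), set()
    for p in patterns:
        covers = [a for a in required if pattern_matches(p, a)]
        if not covers:
            extra.add(p)
        elif "*" in p or "?" in p:
            overbroad.add(p)
    return {"missing": sorted(missing),
            "extra": sorted(extra),
            "overbroad": sorted(overbroad)}


if __name__ == "__main__":
    for name, policy in (("posted role policy", ROLE_POLICY),
                         ("minimal policy", MINIMAL_POLICY)):
        print(name, json.dumps(audit_policy(policy, REQUIRED_ACTIONS), indent=2))
```

Run against the posted policy, `missing` is empty and `extra` lists the ten tagging, autoscaling and CloudWatch actions the plugin never calls; against the minimal policy every list is empty. A pattern such as `ec2:Describe*` would land in `overbroad`, which is the case to look at when a role was granted a wildcard "to make it work".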
@blacked are you trying to do "assumeRole" ? there are two different "role" behaviors:
@gschueler Now it works! But in my case it was the same account, which is why I was surprised that I needed to allow it explicitly. As an example, with boto it works natively; I'm able to run my tools without that part:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com",
        "AWS": [
          "arn:aws:iam::ACCOUNT_A:role/ec2-rundeck"
        ]
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
@gschueler can you please update the README.md to document the fact that ec2:DescribeInstances is the only policy action required.
I see you now support an instance IAM role. Very nice. But what permissions are required to be in the policy?