rundeck-plugins / rundeck-ec2-nodes-plugin

Get resource node data from Amazon EC2

Is the `AmazonEC2FullAccess` policy sufficient? #60

Closed vicnik closed 7 years ago

vicnik commented 7 years ago

Hi,

Rundeck does not manage to pull the list of available EC2 instances until I associate the AdministratorAccess policy with the role that is attached to the EC2 instance that runs Rundeck.

I started by associating the AmazonEC2FullAccess policy with the EC2 instance that runs Rundeck, and supplied the Role ARN value arn:aws:iam::777788889999:role/rundeck of the same policy in rundeck-ec2-nodes-plugin's Assume Role ARN configuration field.

Next, I tried attaching a custom policy, based on the content found here

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:DescribeInstances",
                "ec2:DescribeTags",
                "ec2:DescribeVpcs",
                "autoscaling:SetDesiredCapacity",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances",
                "autoscaling:SetInstanceHealth",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}

However, the nodes are still not displayed.

The nodes appear only after I attach the AdministratorAccess policy to the role.

Shouldn't the AmazonEC2FullAccess policy be enough? If it is enough, what could I be doing wrong?

Thank you

vn

gschueler commented 7 years ago

supplied the Role ARN value arn:aws:iam::777788889999:role/rundeck of the same policy in rundeck-ec2-nodes-plugin's Assume Role ARN configuration field

I think you are incorrectly setting the Assume Role ARN field.

If you simply want to use the IAM profile role for the ec2 instance, do not set that field.

gschueler commented 7 years ago

Otherwise, if you do want to assume another role, then the profile role requires the sts:assumeRole action.

hth
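
The two cases gschueler distinguishes (use the instance profile role directly, or have it assume another role, which then needs `sts:AssumeRole`) can be checked without touching AWS. The following is an added example, not code from the plugin or from anyone in this thread: it builds the profile-role policy for both cases, builds the trust policy the target role must carry, and runs a small evaluator over the policy vicnik posted to show which permission is missing when the Assume Role ARN field is set. The account ids and role names are placeholders, the evaluator ignores `Condition` blocks, and the claim that `ec2:Describe*` is the read-only subset the node source needs is an assumption drawn from the posted policy.

```python
"""Least-privilege IAM documents for the Rundeck EC2 node source plus a
simple policy evaluator (added example; assumptions are marked below)."""
import fnmatch
import json

# Placeholder identifiers (constructed for this example, not real accounts).
RUNDECK_ACCOUNT = "111122223333"
PROFILE_ROLE_ARN = f"arn:aws:iam::{RUNDECK_ACCOUNT}:role/rundeck-instance"
TARGET_ROLE_ARN = "arn:aws:iam::777788889999:role/rundeck"

# Assumption: the read-only EC2 actions the node source needs to list nodes
# (the Describe* subset of the policy posted in the issue).
DESCRIBE_ACTIONS = ["ec2:DescribeInstances", "ec2:DescribeTags", "ec2:DescribeVpcs"]

# The policy vicnik attached, reproduced from the issue text.
ISSUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": [
            "ec2:CreateTags", "ec2:DeleteTags", "ec2:DescribeInstances",
            "ec2:DescribeTags", "ec2:DescribeVpcs",
            "autoscaling:SetDesiredCapacity", "autoscaling:DescribeAutoScalingGroups",
            "autoscaling:DescribeAutoScalingInstances", "autoscaling:SetInstanceHealth",
            "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics",
        ],
        "Resource": ["*"],
        "Effect": "Allow",
    }],
}

# Shape of a broad EC2-only managed policy (constructed stand-in for comparison).
EC2_FULL_LIKE = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}


def instance_profile_policy(assume_role_arn=None):
    """Policy for the role attached to the Rundeck EC2 instance.
    With the plugin's Assume Role ARN field left empty only the Describe
    actions are needed; when it is set, the profile role additionally needs
    sts:AssumeRole, scoped to exactly that target role."""
    statements = [{"Effect": "Allow", "Action": DESCRIBE_ACTIONS, "Resource": "*"}]
    if assume_role_arn:
        statements.append({"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Resource": assume_role_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def trust_policy(principal_role_arn):
    """Trust policy the target role must carry so the profile role may assume it."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": {"AWS": principal_role_arn},
                           "Action": "sts:AssumeRole"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, resource="*"):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants. Actions compare case-insensitively (so the thread's
    'sts:assumeRole' spelling is fine); '*' and '?' wildcards are honoured in
    both Action and Resource. Conditions and resource policies are ignored."""
    allowed = False
    for st in policy["Statement"]:
        act_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                     for a in _as_list(st.get("Action", [])))
        res_ok = any(fnmatch.fnmatchcase(resource, r)
                     for r in _as_list(st.get("Resource", "*")))
        if act_ok and res_ok:
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def diagnose(profile_policy, assume_role_arn=None):
    """List the permissions the node source would be missing under this setup."""
    problems = [f"profile role lacks {a}" for a in DESCRIBE_ACTIONS
                if not policy_allows(profile_policy, a)]
    if assume_role_arn and not policy_allows(profile_policy, "sts:AssumeRole", assume_role_arn):
        problems.append(f"profile role lacks sts:AssumeRole on {assume_role_arn}")
    return problems


if __name__ == "__main__":
    # Reproduces the thread: the posted policy is fine on its own but not
    # once the Assume Role ARN field points at another role.
    print("field empty :", diagnose(ISSUE_POLICY))
    print("field set   :", diagnose(ISSUE_POLICY, TARGET_ROLE_ARN))
    print(json.dumps(instance_profile_policy(TARGET_ROLE_ARN), indent=2))
    print(json.dumps(trust_policy(PROFILE_ROLE_ARN), indent=2))
```

Scoping the `sts:AssumeRole` statement to the one target ARN, rather than `*`, is the part worth keeping: an `ec2:*` policy such as the managed EC2 full-access one never grants STS actions, which is why the broader policy still failed in the cross-account configuration.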

vicnik commented 7 years ago

Hi,

I think you are incorrectly setting the Assume Role ARN field. If you simply want to use the IAM profile role for the ec2 instance, do not set that field.

That was it! Thank you so much!

The policy from #43 works.