Open andre-lfa opened 6 months ago
@d-helios @gmizrahi @annastuchlik Hey folks, more and more customers are being hit by this issue. Any ETA to update the documentation?
I could do the change myself but I think someone from the Cloud team should review the entire AMI policy.
Add the "ec2:CreateVpcEndpoint" action in the AWS credentials section. It would be good to also review the entire AMI policy to avoid other possible issues related to AWS credentials.
I've opened a PR to add ec2:CreateVpcEndpoint as we know it is missing. However, the PR will not close this issue because I agree with the above suggestion that the entire policy should be reviewed in case something else is missing.
@gmizrahi @d-helios @mixellent Can you assign someone from the Cloud team to this task?
@d-helios - can you pick this up or delegate?
all policies are described here
list of all actions:
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:RebootInstances",
"ec2:DeleteSecurityGroup",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:DetachInternetGateway",
"ec2:DeleteSubnet",
"ec2:DeleteVpc",
"cloudformation:DeleteStack",
"cloudformation:CreateStack",
"cloudformation:Describe*",
"cloudformation:UpdateTerminationProtection",
"ec2:CreateKeyPair",
"ec2:ImportKeyPair",
"ec2:DeleteKeyPair",
"cloudformation:ValidateTemplate",
"ec2:Describe*",
"ec2:allocateAddress",
"ec2:associateAddress",
"ec2:CreateInternetGateway",
"ec2:AttachInternetGateway",
"ec2:CreateVpc",
"ec2:CreateVpcEndpoint",
"ec2:ModifyVpcAttribute",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:ModifySubnetAttribute",
"ec2:CreateRouteTable",
"ec2:AssociateRouteTable",
"ec2:CreateNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:CreateRoute",
"ec2:ReplaceRoute",
"ec2:RunInstances",
"ec2:DescribeInstances",
"ec2:ModifyInstanceAttribute",
"ec2:releaseAddress",
"ec2:disassociateAddress",
"ec2:DisassociateRouteTable",
"ec2:DeleteNetworkInterface",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteInternetGateway",
"ec2:DeleteVpcEndpoints",
"ec2:CreateVpcPeeringConnection",
"ec2:AcceptVpcPeeringConnection",
"ec2:DeleteVpcPeeringConnection",
"ec2:GetConsoleOutput",
"ec2:CreateTransitGatewayVpcAttachment",
"ec2:DeleteTransitGatewayVpcAttachment",
"ec2:DescribeTransitGatewayVpcAttachments",
"ec2:DescribeTransitGateways",
"s3:CreateBucket",
"s3:PutBucketTagging",
"s3:ListBucket",
"s3:GetObject",
"s3:DeleteBucket",
"s3:DeleteObject",
"iam:CreateRole",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:PassRole",
"iam:ListAttachedRolePolicies",
"iam:DeleteRole",
"iam:TagRole",
"iam:CreatePolicyVersion",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:SetDefaultPolicyVersion",
"iam:CreatePolicy",
"iam:DeletePolicy",
"iam:TagPolicy",
"iam:CreateInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:TagInstanceProfile",
"ec2:AssociateIamInstanceProfile",
"ec2:CreateVolume",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:DeleteVolume",
"ec2:ModifyVolume",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"servicequotas:GetServiceQuota",
"servicequotas:GetAWSDefaultServiceQuota",
"cloudformation:DescribeAccountLimits",
"servicequotas:ListServiceQuotas",
"iam:ListInstanceProfiles",
"ec2:CreatePlacementGroup",
"ec2:DeletePlacementGroup",
"ec2:DescribePlacementGroups",
"ram:ListResources",
"ram:GetResourceShareInvitations",
"ram:GetResourceShares",
"ram:AcceptResourceShareInvitation"
@d-helios Could you help me fix the list of credentials by answering my questions in the previous comment?
Thanks! There are many inconsistencies with what is currently documented.
The following actions are missing in the docs. @d-helios Please add the purpose to each of them so that I can document them. The following purposes are available, but you can add another if needed.
1. ScyllaDB cloud will use this to restrict itself for only creating a new policy with access to its S3 backup and with no access to any other policy
2. Create/Expand clusters
3. Delete clusters
4. Create a backup bucket on S3
5. Grant each ScyllaDB instance access to its S3 backup bucket
6. Validate that security policy is complete and up-to-date
7. Operation activities
- ec2:CreateVpcEndpoint - 2. Create/Expand clusters
- ec2:ReplaceRoute
- ec2:DeleteVpcEndpoints
- ec2:CreateTransitGatewayVpcAttachment
- ec2:DeleteTransitGatewayVpcAttachment
- ec2:DescribeTransitGatewayVpcAttachments
- ec2:DescribeTransitGateways
- s3:PutBucketTagging
- iam:PassRole
- iam:TagRole
- iam:DeletePolicy
- iam:TagPolicy
- iam:CreateInstanceProfile
- iam:TagInstanceProfile
- ec2:AssociateIamInstanceProfile
- ec2:CreateVolume
- iam:ListInstanceProfiles
- ec2:CreatePlacementGroup
- ec2:DeletePlacementGroup
- ec2:DescribePlacementGroups
- ram:ListResources
- ram:GetResourceShareInvitations
- ram:GetResourceShares
- ram:AcceptResourceShareInvitation
Also, there are some actions documented, but are not listed in your comment above. Should they be removed?
- iam:PermissionsBoundary:arn:aws:iam::aaabbbccc:policy/ScyllaCloudBoundary - ScyllaDB cloud will use this to restrict itself for only creating a new policy with access to its S3 backup and with no access to any other policy
- aws:RequestTag/Service:Scylla-Cloud - Create/Expand clusters
- Resource:arn:aws:iam::aaabbbccc:policy/ScyllaCloudBoundary - Delete clusters
- Resource:arn:aws:s3:::scylla-cloud-backup-* - Create a backup bucket on S3
- Resource:arn:aws:ec2:::security-group/* - Grant each ScyllaDB instance access to its S3 backup bucket
- Resource:arn:aws:iam:::role/s3-scylla-cloud-backup- Grant each ScyllaDB instance access to its S3 backup bucket
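The mismatch discussed in this thread (actions granted by the policy but absent from the docs, and documented entries no statement grants) can be caught mechanically. The following is an added example, not code from the Siren project or the docs; it assumes the policy template has already been rendered to plain JSON, and both the policy document and the pasted docs list are constructed samples that reuse action names from this thread.

```python
import fnmatch
import json
import re

# Constructed sample shaped like a rendered IAM policy (not the real cross.json.tmpl);
# the action names are ones that appear in this thread.
POLICY_JSON = """{
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "ec2:CreateVpcEndpoint", "ec2:allocateAddress"]},
    {"Effect": "Allow", "Resource": "*", "Action": "iam:DeletePolicy"},
    {"Effect": "Allow", "Resource": "*", "Action": ["iam:DeletePolicy", "iam:CreatePolicyVersion"]}
  ]
}"""

# Constructed sample of the docs list, pasted as plain lines (quoting varies).
DOCS_TEXT = """ec2:DescribeInstances
"ec2:AllocateAddress",
iam:CreatePolicyVersion
ec2:CreatePlacementGrou
"""

def normalize(action: str) -> str:
    # IAM matches action names case-insensitively, so canonicalise before diffing.
    return action.strip().strip('",').lower()

def policy_actions(policy_json: str) -> set[str]:
    """Every Allow action (or wildcard pattern); "Action" may be a string or a list."""
    actions: set[str] = set()
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        raw = stmt.get("Action", [])
        actions.update(normalize(a) for a in ([raw] if isinstance(raw, str) else raw))
    return actions

def documented_actions(text: str) -> set[str]:
    """Action names from a pasted list, tolerating quotes and trailing commas."""
    return {normalize(ln) for ln in text.splitlines() if re.match(r'\s*"?\w+:', ln)}

def drift(policy_json: str, docs_text: str) -> dict[str, list[str]]:
    """Granted-but-undocumented actions, and documented actions no statement grants."""
    granted = policy_actions(policy_json)
    documented = documented_actions(docs_text)
    def covered(doc_action: str) -> bool:
        # A documented action is fine if a granted entry matches it, wildcards included.
        return any(fnmatch.fnmatchcase(doc_action, pat) for pat in granted)
    return {"missing_from_docs": sorted(granted - documented),
            "not_in_policy": sorted(a for a in documented if not covered(a))}
```

Running `drift(POLICY_JSON, DOCS_TEXT)` on the samples flags `ec2:CreateVpcEndpoint` and the `ec2:Describe*` grant as undocumented, and the misspelt `ec2:CreatePlacementGrou` as documented but never granted.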
Your comments look good.
Also, there are some actions documented, but are not listed in your comment above. Should they be removed?
No, it should stay.
Your comments look good.
@d-helios OK, so I understand this is a correct list of actions. But where should I put them on the table? Which row? Create/Expand clusters? Delete clusters? Others? See https://cloud.docs.scylladb.com/master/cloud-setup/scylla-cloud-byoa#aws-credentials
Please add the info to each item:
Also, there are some actions documented, but are not listed in your comment above. Should they be removed?
No, it should stay.
Got it, thanks!
@d-helios @annastuchlik looks like the same permission list is used at least 3 times:
Maybe all 3 can use the same source?
It should be the same source. For now we can create a GitHub repository and provide a link in the UI to this page. Ideally we would give priority to https://github.com/scylladb/siren/issues/7281, but I believe it should be reviewed and some changes should be done to not repeat what @rjeczalik has in BYOK.
For now we can create a GitHub repository and provide a link in the UI to this page.
@d-helios Can we do it as a temporary solution before scylladb/siren#7281 is finalized? What can I do to help? The list of actions is outdated now, and it gets easily outdated when it's in the docs.
Ideally we would give priority to scylladb/siren#7281, but I believe it should be reviewed and some changes should be done to not repeat what @rjeczalik has in BYOK.
I'm not sure about BYOK, but if we are talking about siren (Scylla Cloud BYOA), the latest list of actions is here: https://github.com/scylladb/siren/blob/78b1ceab36815b9107e389d4548933a0b8d5e129/cloud/provider/awsv2/policy/templates/cross.json.tmpl and all these actions should be up to date.
To move on with this task, @dgarcia360 needs permissions to the https://github.com/scylladb/siren repository. https://github.com/dgarcia360
I would like to report an issue on page https://cloud.docs.scylladb.com/master/cloud-setup/scylla-cloud-byoa
Problem
The action "ec2:CreateVpcEndpoint" is missing in the AWS credentials section. This action is mandatory for BYOA customers to create new clusters.
Suggest a fix
Add the "ec2:CreateVpcEndpoint" action in the AWS credentials section. It would be good to also review the entire AMI policy to avoid other possible issues related to AWS credentials.
cc @d-helios @gmizrahi @noellymedina