scylladb / scylladb-cloud-doc-issues

A repo for Scylla Cloud docs issues
https://cloud.docs.scylladb.com/stable/

docs: Issue in page Deploy ScyllaDB Cloud to Your Own AWS Account #13

Open andre-lfa opened 6 months ago

andre-lfa commented 6 months ago

I would like to report an issue on page https://cloud.docs.scylladb.com/master/cloud-setup/scylla-cloud-byoa

Problem

The action "ec2:CreateVpcEndpoint" is missing in the AWS credentials section. This action is mandatory for BYOA customers to create new clusters.

Suggest a fix

Add the "ec2:CreateVpcEndpoint" action in the AWS credentials section. It would be good to also review the entire AMI policy to avoid other possible issues related to AWS credentials.

cc @d-helios @gmizrahi @noellymedina

andre-lfa commented 3 months ago

@d-helios @gmizrahi @annastuchlik Hey folks, more and more customers are being hit by this issue. Any ETA to update the documentation?

I could do the change myself but I think someone from the Cloud team should review the entire AMI policy.

annastuchlik commented 3 months ago

Add the "ec2:CreateVpcEndpoint" action in the AWS credentials section. It would be good to also review the entire AMI policy to avoid other possible issues related to AWS credentials.

I've opened a PR to add ec2:CreateVpcEndpoint as we know it is missing. However, the PR will not close this issue because I agree with the above suggestion that the entire policy should be reviewed in case something else is missing.

@gmizrahi @d-helios @mixellent Can you assign someone from the Cloud team to this task?

gmizrahi commented 3 months ago

@d-helios - can you pick this up or delegate?

d-helios commented 3 months ago

All policies are described here:

https://github.com/scylladb/siren/blob/51bcc02edfbc7311db85491523ccfa206faa18d2/cloud/provider/awsv2/policy/templates/cross.json.tmpl

List of all actions:

                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:StartInstances",
                "ec2:RebootInstances",
                "ec2:DeleteSecurityGroup",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DetachInternetGateway",
                "ec2:DeleteSubnet",
                "ec2:DeleteVpc",
                "cloudformation:DeleteStack",
                "cloudformation:CreateStack",
                "cloudformation:Describe*",
                "cloudformation:UpdateTerminationProtection",
                "ec2:CreateKeyPair",
                "ec2:ImportKeyPair",
                "ec2:DeleteKeyPair",
                "cloudformation:ValidateTemplate",
                "ec2:Describe*",
                "ec2:allocateAddress",
                "ec2:associateAddress",
                "ec2:CreateInternetGateway",
                "ec2:AttachInternetGateway",
                "ec2:CreateVpc",
                "ec2:CreateVpcEndpoint",
                "ec2:ModifyVpcAttribute",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:ModifySubnetAttribute",
                "ec2:CreateRouteTable",
                "ec2:AssociateRouteTable",
                "ec2:CreateNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:CreateRoute",
                "ec2:ReplaceRoute",
                "ec2:RunInstances",
                "ec2:DescribeInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:releaseAddress",
                "ec2:disassociateAddress",
                "ec2:DisassociateRouteTable",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteRoute",
                "ec2:DeleteRouteTable",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteVpcEndpoints",
                "ec2:CreateVpcPeeringConnection",
                "ec2:AcceptVpcPeeringConnection",
                "ec2:DeleteVpcPeeringConnection",
                "ec2:GetConsoleOutput",
                "ec2:CreateTransitGatewayVpcAttachment",
                "ec2:DeleteTransitGatewayVpcAttachment",
                "ec2:DescribeTransitGatewayVpcAttachments",
                "ec2:DescribeTransitGateways",
                "s3:CreateBucket",
                "s3:PutBucketTagging",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:DeleteBucket",
                "s3:DeleteObject",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy",
                "iam:PassRole",
                "iam:ListAttachedRolePolicies",
                "iam:DeleteRole",
                "iam:TagRole",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:SetDefaultPolicyVersion",
                "iam:CreatePolicy",
                "iam:DeletePolicy",
                "iam:TagPolicy",
                "iam:CreateInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:TagInstanceProfile",
                "ec2:AssociateIamInstanceProfile",
                "ec2:CreateVolume",
                "ec2:AttachVolume",
                "ec2:DetachVolume",
                "ec2:DeleteVolume",
                "ec2:ModifyVolume",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "servicequotas:GetServiceQuota",
                "servicequotas:GetAWSDefaultServiceQuota",
                "cloudformation:DescribeAccountLimits",
                "servicequotas:ListServiceQuotas",
                "iam:ListInstanceProfiles",
                "ec2:CreatePlacementGroup",
                "ec2:DeletePlacementGroup",
                "ec2:DescribePlacementGroups",
                "ram:ListResources",
                "ram:GetResourceShareInvitations",
                "ram:GetResourceShares",
                "ram:AcceptResourceShareInvitation"

annastuchlik commented 3 months ago

Thanks! There are many inconsistencies with what is currently documented.

The following actions are missing in the docs. @d-helios Please add the purpose to each of them so that I can document them. The following purposes are available, but you can add another if needed.

  1. ScyllaDB cloud will use this to restrict itself for only creating a new policy with access to its S3 backup and with no access to any other policy
  2. Create/Expand clusters
  3. Delete clusters
  4. Create a backup bucket on S3
  5. Grant each ScyllaDB instance access to its S3 backup bucket
  6. Validate that security policy is complete and up-to-date
  7. Operation activities

Also, there are some actions documented, but are not listed in your comment above. Should they be removed?

annastuchlik commented 3 months ago

@d-helios Could you help me fix the list of credentials by answering my questions in the previous comment?

d-helios commented 3 months ago

Thanks! There are many inconsistencies with what is currently documented.

The following actions are missing in the docs. @d-helios Please add the purpose to each of them so that I can document them. The following purposes are available, but you can add another if needed.

  1. ScyllaDB cloud will use this to restrict itself for only creating a new policy with access to its S3 backup and with no access to any other policy
  2. Create/Expand clusters
  3. Delete clusters
  4. Create a backup bucket on S3
  5. Grant each ScyllaDB instance access to its S3 backup bucket
  6. Validate that security policy is complete and up-to-date
  7. Operation activities
  • ec2:CreateVpcEndpoint - 2. Create/Expand clusters
  • ec2:ReplaceRoute
  • ec2:DeleteVpcEndpoints
  • ec2:CreateTransitGatewayVpcAttachment
  • ec2:DeleteTransitGatewayVpcAttachment
  • ec2:DescribeTransitGatewayVpcAttachments
  • ec2:DescribeTransitGateways
  • s3:PutBucketTagging
  • iam:PassRole
  • iam:TagRole
  • iam:DeletePolicy
  • iam:TagPolicy
  • iam:CreateInstanceProfile
  • iam:TagInstanceProfile
  • ec2:AssociateIamInstanceProfile
  • ec2:CreateVolume
  • iam:ListInstanceProfiles
  • ec2:CreatePlacementGroup
  • ec2:DeletePlacementGroup
  • ec2:DescribePlacementGroups
  • ram:ListResources
  • ram:GetResourceShareInvitations
  • ram:GetResourceShares
  • ram:AcceptResourceShareInvitation

Also, there are some actions documented, but are not listed in your comment above. Should they be removed?

  • iam:PermissionsBoundary:arn:aws:iam::aaabbbccc:policy/ScyllaCloudBoundary - ScyllaDB cloud will use this to restrict itself for only creating a new policy with access to its S3 backup and with no access to any other policy
  • aws:RequestTag/Service:Scylla-Cloud - Create/Expand clusters
  • Resource:arn:aws:iam::aaabbbccc:policy/ScyllaCloudBoundary - Delete clusters
  • Resource:arn:aws:s3:::scylla-cloud-backup-* - Create a backup bucket on S3
  • Resource:arn:aws:ec2:::security-group/* - Grant each ScyllaDB instance access to its S3 backup bucket
  • Resource:arn:aws:iam:::role/s3-scylla-cloud-backup- Grant each ScyllaDB instance access to its S3 backup bucket

Your comments look good.

Also, there are some actions documented, but are not listed in your comment above. Should they be removed?

No, it should stay.

annastuchlik commented 2 months ago

Your comments look good.

@d-helios OK, so I understand this is a correct list of actions. But where should I put them on the table? Which row? Create/Expand clusters? Delete clusters? Others? See https://cloud.docs.scylladb.com/master/cloud-setup/scylla-cloud-byoa#aws-credentials

Please add the info to each item:

Also, there are some actions documented, but are not listed in your comment above. Should they be removed?

No, it should stay.

Got it, thanks!

tzach commented 2 months ago

@d-helios @annastuchlik looks like the same permission list is used at least 3 times:

Maybe all 3 can use the same source?

d-helios commented 2 months ago

It should be the same source. For now we can create a GitHub repository and provide a link in the UI to this page. Ideally we would give priority to https://github.com/scylladb/siren/issues/7281, but I believe it should be reviewed and some changes should be made so as not to repeat what @rjeczalik has in BYOK.

annastuchlik commented 2 months ago

For now we can create a GitHub repository and provide a link in the UI to this page.

@d-helios Can we do it as a temporary solution before scylladb/siren#7281 is finalized? What can I do to help? The list of actions is outdated now, and it easily gets outdated when it's in the docs.

Ideally we would give priority to scylladb/siren#7281, but I believe it should be reviewed and some changes should be made so as not to repeat what @rjeczalik has in BYOK.
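The drift problem raised above (a list of actions copied into the docs that silently falls behind the policy template) can be checked mechanically. The script below is an added example, not code from this issue or from the siren project; the policy excerpt and the documented list are constructed stand-ins, and the real cross.json.tmpl would need its template placeholders rendered to plain JSON before it could be parsed this way.

```python
import fnmatch
import json

# Constructed excerpt in the shape of the cross-account policy the thread
# links to (cross.json.tmpl). It is not the real template, whose Go-template
# placeholders would have to be rendered to plain JSON before parsing.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "ec2:CreateVpc",
                "ec2:CreateVpcEndpoint", "ec2:allocateAddress"]},
    {"Effect": "Allow", "Resource": "arn:aws:s3:::scylla-cloud-backup-*",
     "Action": "s3:PutBucketTagging"}
  ]
}"""

# Constructed stand-in for what the AWS credentials table currently lists.
DOCUMENTED = ["ec2:DescribeInstances", "ec2:CreateVpc",
              "ec2:AllocateAddress", "ec2:DeleteVpcEndpoints"]

def policy_actions(policy_json):
    """Collect actions from Allow statements; Action may be a string or a list."""
    actions = set()
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.update([act] if isinstance(act, str) else act)
    return actions

def covers(pattern, action):
    """True if `pattern` grants `action`: IAM action names are case-insensitive
    and '*' is the only wildcard IAM uses in action names."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def diff_docs(granted, documented):
    """Return (undocumented, stale): granted actions that no documented entry
    covers, and documented actions the policy no longer grants. A policy
    wildcard such as ec2:Describe* is reported unless the docs list it too."""
    undocumented = sorted(a for a in granted
                          if not any(covers(d, a) for d in documented))
    stale = sorted(d for d in documented
                   if not any(covers(p, d) for p in granted))
    return undocumented, stale

if __name__ == "__main__":
    undoc, stale = diff_docs(policy_actions(POLICY_JSON), DOCUMENTED)
    print("granted but undocumented:", undoc)
    print("documented but not granted:", stale)
```

On the constructed input the check reports ec2:CreateVpcEndpoint as granted but undocumented (the exact gap this issue was opened for) and ec2:DeleteVpcEndpoints as documented but no longer granted.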

d-helios commented 2 months ago

I'm not sure about BYOK, but if we are talking about siren (Scylla Cloud BYOA), the latest list of actions is here: https://github.com/scylladb/siren/blob/78b1ceab36815b9107e389d4548933a0b8d5e129/cloud/provider/awsv2/policy/templates/cross.json.tmpl

and all these actions should be up to date.

annastuchlik commented 4 weeks ago

To move on with this task, @dgarcia360 needs permissions to the https://github.com/scylladb/siren repository. https://github.com/dgarcia360