
IAM role required updates to include EC2:DescribeSubnets for failover to work

bohanson opened this issue 3 years ago • 1 comment

Summary

IAM role required updates to include EC2:DescribeSubnets for failover to work

Detail

We used this template to deploy a pair of devices, however, we want to update routes upon failover between F5 devices.

This section of the template appears to be missing a required permission. It's possible that something changed in the underlying cloud, of course.

Upon failover our route table was not updated, despite having the correct tags. We saw an error message in /var/log/restnoded/restnoded.log that indicated the EC2:DescribeSubnets permission was missing.

We manually updated the IAM role that was created by the template to include this permission, and then failover and the route table update were successful.

Can we have this permission added to the IAM role that is created? I see that it is already included in our documentation.

Workaround

After deploying CFT, update the IAM role manually.

bohanson, Mar 25 '22 14:03
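The report above boils down to an IAM completeness check: does the role the template creates grant every EC2 action the failover route-table update needs? The following is an added example, not code from the f5-aws-cloudformation project, that audits an IAM policy document for a required action list. The only action the issue names is ec2:DescribeSubnets, so that is the default requirement; the policy documents in the block are constructed for illustration and do not reproduce the template's real IAM role. The check honours two IAM details that a naive string comparison misses: action names match case-insensitively, and Allow statements may grant a family of actions through a wildcard such as ec2:Describe*.

```python
"""Audit an IAM policy document for the EC2 actions that F5 failover
route-table updates depend on.

Added example (not code from the f5-aws-cloudformation project). The only
action the issue report names is ec2:DescribeSubnets; the policy documents
below are constructed and do not reproduce the template's real IAM role.
"""
import fnmatch
import json

# The action the issue reports as missing. Any further required actions are
# passed by the caller; none are assumed here.
REQUIRED_FOR_ROUTE_FAILOVER = ["ec2:DescribeSubnets"]


def _as_list(value):
    """IAM allows Statement/Action/Resource to be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(policy_doc):
    """Return the lowercase set of action patterns granted by Allow statements.

    Deny statements and NotAction are deliberately ignored: this answers
    "is the action granted anywhere?", not a full IAM evaluation, so a Deny
    attached elsewhere could still block the call at runtime.
    """
    patterns = set()
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            # IAM compares action names case-insensitively and permits "*"
            # and "?" wildcards inside the action string.
            patterns.add(action.lower())
    return patterns


def missing_actions(policy_doc, required=REQUIRED_FOR_ROUTE_FAILOVER):
    """List the required actions that no Allow statement in the policy grants."""
    patterns = allowed_actions(policy_doc)
    return [
        action for action in required
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)
    ]


# Constructed policy resembling a role that can edit routes but lacks the
# permission the issue reports as missing.
POLICY_BEFORE = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:DescribeRouteTables", "ec2:ReplaceRoute", "ec2:CreateRoute"],
     "Resource": "*"}
  ]
}
""")

# The same constructed policy after applying the issue's workaround.
POLICY_AFTER = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:DescribeRouteTables", "ec2:ReplaceRoute", "ec2:CreateRoute",
                "ec2:DescribeSubnets"],
     "Resource": "*"}
  ]
}
""")

# A constructed policy that grants the whole Describe family via a wildcard;
# the audit must treat this as satisfying the requirement too.
POLICY_WILDCARD = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
}

if __name__ == "__main__":
    for name, doc in [("before", POLICY_BEFORE), ("after", POLICY_AFTER),
                      ("wildcard", POLICY_WILDCARD)]:
        print(f"{name}: missing {missing_actions(doc)}")
```

Running the audit against a role's inline and attached policy documents (fetched with any IAM client) before a failover test gives the same answer the restnoded log gave after the fact, without waiting for a real failover to fail. Because the check only reads the policy document, it is safe to run in CI against the rendered CloudFormation template as well.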

@bohanson Thanks for the report, EC2:DescribeSubnets will be included in the next release of the templates (ETA is next week).

mikeshimkus, Mar 25 '22 15:03

Closing. This issue was resolved with Release 5.15.0.

shyawnkarim, Oct 11 '22 16:10