
Document what IAM permissions are required

Open systeminsightsbuild opened this issue 9 years ago • 5 comments

I see you now support an instance IAM role. Very nice. But what permissions are required to be in the policy?

systeminsightsbuild avatar Mar 12 '16 05:03 systeminsightsbuild

The only API call the plugin makes is DescribeInstances, so I believe you would only need to allow the ec2:DescribeInstances action.

gschueler avatar Mar 14 '16 18:03 gschueler

@gschueler Could you please show an example of how to configure it to use an IAM role?

I always get:

Caused by: com.amazonaws.AmazonServiceException:
User: arn:aws:sts::XXXXX:assumed-role/rundeck/i-12345678 is not authorized to perform: 
sts:AssumeRole on resource: arn:aws:iam::XXXXX:role/rundeck
(Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied;
 Request ID: 573e7a77-fc55-11e5-b29a-XXXXXXXXXXXX)

This is my role:

arn:aws:iam::XXXXXX:role/rundeck

This is what the policy for that role looks like:

{
    "Statement": [
        {
            "Action": [
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:DescribeInstances",
                "ec2:DescribeTags",
                "ec2:DescribeVpcs",
                "autoscaling:SetDesiredCapacity",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances",
                "autoscaling:SetInstanceHealth",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}

adubkov avatar Apr 07 '16 00:04 adubkov

@blacked are you trying to do "assumeRole"? There are two different "role" behaviors:

  1. Using an IAM role assigned to the Rundeck ec2 instance, which grants it authorization to query ec2
    • When you create your ec2 instance hosting the Rundeck server, be sure to assign it an IAM role
  2. Using the "Assume Role ARN" config value, which attempts to assume another granted role when querying ec2
    • Take a look at this comment for some more info: https://github.com/rundeck-plugins/rundeck-ec2-nodes-plugin/issues/37#issuecomment-187022214

gschueler avatar Apr 07 '16 00:04 gschueler

@gschueler Now it works! But in my case it was the same account, that's why I was surprised that I need to explicitly allow it. For example, with boto it works natively; I'm able to run my tools without that part:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com",
        "AWS": [
          "arn:aws:iam::ACCOUNT_A:role/ec2-rundeck"
        ]
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

adubkov avatar Apr 07 '16 00:04 adubkov
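An added example (not code from the plugin or from anyone in this thread) that ties the two points above together: it checks a posted instance-role policy against the single action the plugin needs (ec2:DescribeInstances), emits the minimal instance-role policy, and builds the trust policy that the "Assume Role ARN" target needs so the instance role is an allowed principal even within the same account. The sample policy is constructed from (and abbreviated relative to) the one posted earlier in the thread; the ARN is a placeholder.

```python
"""Least-privilege check for the Rundeck EC2 nodes plugin's IAM role (added example)."""
import json

# The thread states DescribeInstances is the plugin's only API call.
REQUIRED_ACTIONS = {"ec2:DescribeInstances"}

# Constructed sample: an abbreviated copy of the broad policy posted above.
POSTED_POLICY = json.loads("""{
  "Statement": [{
    "Action": ["ec2:CreateTags", "ec2:DeleteTags", "ec2:DescribeInstances",
               "ec2:DescribeTags", "ec2:DescribeVpcs",
               "autoscaling:SetDesiredCapacity", "cloudwatch:ListMetrics"],
    "Resource": ["*"],
    "Effect": "Allow"
  }]
}""")

def allowed_actions(policy):
    """Collect every action granted by Allow statements.
    IAM lets Statement be a dict or a list and Action be a str or a list."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    actions = set()
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.update([act] if isinstance(act, str) else act)
    return actions

def excess_actions(policy, required=REQUIRED_ACTIONS):
    """Actions granted beyond what the plugin needs; empty set means least privilege."""
    return allowed_actions(policy) - set(required)

def minimal_instance_policy():
    """Instance-role policy sufficient for the plugin (DescribeInstances has no
    resource-level permissions, so Resource must be "*")."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": sorted(REQUIRED_ACTIONS),
                           "Resource": "*"}]}

def trust_policy_for(instance_role_arn):
    """Trust policy for the role named in 'Assume Role ARN': the Rundeck instance
    role must be listed as a principal, even when both roles are in one account."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": instance_role_arn},
                           "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print("excess actions:", sorted(excess_actions(POSTED_POLICY)))
    print(json.dumps(trust_policy_for("arn:aws:iam::ACCOUNT_A:role/ec2-rundeck"), indent=2))
```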

@gschueler can you please update the README.md to document the fact that ec2:DescribeInstances is the only policy action required.

macropin avatar Mar 04 '19 00:03 macropin