NetAppDocs/bluexp-setup-admin

JSON Policy looks to be wrong

Closed this issue · 5 comments

Page URL

https://docs.netapp.com/us-en/bluexp-setup-admin/task-install-connector-aws-bluexp.html

Page title

Create a Connector in AWS from BlueXP

Summary

Hi Team, I see we have added new permissions to the JSON policy that are not reflected in the document.

Looking at the BlueXP Connector creation on-screen instructions, I was able to understand we added:
ec2:DescribeAvailabilityZones
cloudformation:ListStacks

After some troubleshooting, I also realized that the 3 policies below were also necessary (not documented here, nor in the BlueXP on-screen instructions):
ec2:CreateLaunchTemplate
ec2:DeleteLaunchTemplate
ec2:DescribeLaunchTemplates

With those 5 new policies I was able to succeed in my BlueXP Connector deployment, but I am not sure if those 5 suffice, and we may need more depending on the actions performed. So it would be good to reach out to the product team and verify the correct policy set for BlueXP Connector deployment.

It would also be good to inform them that the Connector creation wizard screen also doesn't show the correct policies.

Regards,
Gabriel

Public issues must not contain sensitive information

  • This issue contains no sensitive information.

An issue has been raised with the product team. I can update the documentation when I hear back from them.

Thanks,
Ben

We just received feedback that the following permissions might be needed as well:

"kms:GenerateDataKeyWithoutPlaintext",
"kms:DescribeKey",
"kms:CreateGrant",
"ssm:ListAssociations"

Engineering is investigating.

Thank you for sharing; I will be looking into updates.

The policy in the docs has been updated after receiving input from engineering.
https://docs.netapp.com/us-en/bluexp-setup-admin/task-install-connector-aws-bluexp.html#step-2-set-up-aws-permissions

In summary, the following two permissions are now required due to the recent IMDSv2 changes:
"ec2:DescribeLaunchTemplates",
"ec2:CreateLaunchTemplate",

Engineering determined that ec2:DeleteLaunchTemplate is not required.

I also added a few permissions that were in the on-screen instructions but weren't in the docs (those must have been added sometime in the past).

The two new permissions that I mentioned above will be updated in the on-screen instructions soon. The release notes will be updated when that happens.

Thanks,
Ben

Thank you Ben!