JSON Policy looks to be wrong
Closed this issue · 5 comments
Page URL
https://docs.netapp.com/us-en/bluexp-setup-admin/task-install-connector-aws-bluexp.html
Page title
Create a Connector in AWS from BlueXP
Summary
Hi Team, I see we have added new permissions to the JSON policy that are not reflected in the document.
Looking at the BlueXP Connector creation on-screen instructions, I was able to understand that we added:
ec2:DescribeAvailabilityZones
cloudformation:ListStacks
After some troubleshooting I also realized that the 3 policies below were also necessary (not documented here, nor in the BlueXP on-screen instructions):
ec2:CreateLaunchTemplate
ec2:DeleteLaunchTemplate
ec2:DescribeLaunchTemplates
With those new 5 policies I was able to succeed in my BlueXP Connector deployment, but I am not sure if those 5 suffice and we may need more depending on the actions performed. So it would be good to reach out to the product team and verify the correct policy set for BlueXP Connector deployment.
Also, it would be good to inform them that the Connector creation wizard screen also doesn't show the correct policies.
Regards,
Gabriel
Public issues must not contain sensitive information
- This issue contains no sensitive information.
An issue has been raised with the product team. I can update the documentation when I hear back from them.
Thanks,
Ben
We just received feedback that the following permissions might be needed as well:
"kms:GenerateDataKeyWithoutPlaintext",
"kms:DescribeKey",
"kms:CreateGrant",
"ssm:ListAssociations"
Engineering is investigating.
Thank you for sharing, will be looking into updates.
The policy in the docs has been updated after receiving input from engineering.
https://docs.netapp.com/us-en/bluexp-setup-admin/task-install-connector-aws-bluexp.html#step-2-set-up-aws-permissions
In summary, the following two permissions are now required due to the recent IMDSv2 changes:
"ec2:DescribeLaunchTemplates",
"ec2:CreateLaunchTemplate",
Engineering determined that ec2:DeleteLaunchTemplate is not required.
I also added a few permissions that were in the on-screen instructions but weren't in the docs (those must have been added sometime in the past).
The two new permissions that I mentioned above will be updated in the on-screen instructions soon. The release notes will be updated when that happens.
Thanks,
Ben
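A small check, added here as an example and not part of the thread or of NetApp's documentation, that parses an IAM policy document and reports which of the permissions this thread settled on are not actually granted. It handles the single-string and list forms of `Action`, IAM's case-insensitive wildcards (`ec2:Describe*`) and explicit `Deny` overrides; the sample policy is constructed, `Resource`/`Condition` keys and `NotAction` statements are ignored, and the kms/ssm actions are left out because the thread never confirmed them.

```python
import fnmatch
import json

# Actions the thread ended up adding to the documented Connector policy
# (the kms/ssm actions were only reported as "might be needed", so not listed).
REQUIRED_ACTIONS = {
    "ec2:DescribeAvailabilityZones",
    "cloudformation:ListStacks",
    "ec2:DescribeLaunchTemplates",
    "ec2:CreateLaunchTemplate",
}


def action_patterns(policy: dict, effect: str) -> set:
    """Collect the Action patterns of every statement with the given Effect.
    IAM allows Action to be a single string or a list; NotAction is not handled."""
    patterns = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != effect or "Action" not in stmt:
            continue
        value = stmt["Action"]
        patterns.update([value] if isinstance(value, str) else value)
    return {p.lower() for p in patterns}  # IAM action matching is case-insensitive


def _matches(action: str, patterns: set) -> bool:
    """True if any IAM wildcard pattern ('*', 'ec2:Describe*') covers the action."""
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)


def missing_actions(policy: dict, required=REQUIRED_ACTIONS) -> set:
    """Required actions that are not granted: either no Allow covers them,
    or an explicit Deny overrides the Allow (as IAM evaluation does)."""
    allow = action_patterns(policy, "Allow")
    deny = action_patterns(policy, "Deny")
    return {a for a in required if not _matches(a, allow) or _matches(a, deny)}


# Constructed sample (not the real BlueXP policy): Describe* covers two of the
# required actions, CreateLaunchTemplate is absent, and a Deny blocks a third.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "cloudformation:ListStacks"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:DescribeLaunchTemplates", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for action in sorted(missing_actions(SAMPLE_POLICY)):
        print("missing:", action)
```

Run it against the JSON you pasted into the IAM console before creating the Connector; an empty result means every action the thread identified is covered by an Allow and not blocked by a Deny.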
Thank you Ben!