Invalid Region Error when Uploading Image - AWS permissions related
Closed this issue · 5 comments
Description
Hello, I am working with ops for a CI job, where I am trying to restrict access to only the required resources. However, I am encountering an issue when attempting to upload the image to S3.
Error
Upon applying the policy, I get an error stating:
"region with name us-east-2 is invalid"
This issue does not occur when I switch back to an admin account, where everything works as expected.
Policy Configuration
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeInstanceRefreshes",
        "autoscaling:StartInstanceRefresh",
        "autoscaling:UpdateAutoScalingGroup",
        "ec2:CancelImportTask",
        "ec2:CreateImage",
        "ec2:CreateInstanceExportTask",
        "ec2:CreateLaunchTemplateVersion",
        "ec2:CreateSnapshot",
        "ec2:CreateTags",
        "ec2:DeregisterImage",
        "ec2:DescribeImages",
        "ec2:DescribeImportImageTasks",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeSnapshots",
        "ec2:DescribeTags",
        "ec2:ImportImage",
        "ec2:ImportInstance",
        "ec2:ImportSnapshot",
        "ec2:ImportVolume",
        "ec2:ModifyImageAttribute",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": "*"
    }
  ]
}
```
VMImport Permissions
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::opsimage",
        "arn:aws:s3:::opsimage/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:ModifySnapshotAttribute",
        "ec2:CopySnapshot",
        "ec2:RegisterImage",
        "ec2:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
```
VMImport Trust
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vmie.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:Externalid": "vmimport"
        }
      }
    }
  ]
}
```
I would appreciate any insight into what I might be doing wrong. Thanks in advance.
You're saying you have 2 AWS users: one can basically do anything (and that works), and the other one is a CI user that you want locked down to just the minimum amount of permissions? And this is for an 'ops image create'?
Have you tried just doing an 'ops image list' to see if you can perform that before the upload? That might help verify that the user is g2g for other operations and this is just the create it's failing on.
It might be helpful to sprinkle some debugging output from https://github.com/nanovms/ops/blob/master/provider/aws/aws_image.go#L100 onwards to see what line exactly you are failing at.
Also, important to note that the AWS provider doesn't upload through S3 anymore, as we found it was much faster to import directly as a snapshot.
Yes, exactly. Seems I need permissions for EBS then. Does this mean BucketName is no longer required in CloudConfig? I will attempt the debugging steps you suggest and post findings.
It's not required for image creation anymore now, but I believe it is still required for aux (non-base) volume creation.
Looks like DescribeRegions was the cause of that specific error:
https://github.com/nanovms/ops/blob/master/provider/aws/aws.go#L101
FWIW, this is what worked for me. I am only creating and uploading the image using ops; I am updating the launch template to use the new image and refreshing the ASG using the AWS SDK, so some of the permissions are for that process, not necessarily for the image upload, mostly the ASG stuff.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations",
        "autoscaling:DescribeTags",
        "autoscaling:DescribeInstanceRefreshes",
        "autoscaling:CreateLaunchConfiguration",
        "autoscaling:CreateOrUpdateTags",
        "autoscaling:StartInstanceRefresh",
        "autoscaling:UpdateAutoScalingGroup",
        "ebs:CompleteSnapshot",
        "ebs:PutSnapshotBlock",
        "ebs:StartSnapshot",
        "ec2:CopyImage",
        "ec2:CreateLaunchTemplate",
        "ec2:CreateLaunchTemplateVersion",
        "ec2:CreateTags",
        "ec2:DeleteSnapshot",
        "ec2:DescribeImages",
        "ec2:DescribeImportSnapshotTasks",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeRegions",
        "ec2:DescribeSnapshots",
        "ec2:DescribeTags",
        "ec2:DescribeVolumeAttribute",
        "ec2:DeregisterImage",
        "ec2:GetLaunchTemplateData",
        "ec2:ImportSnapshot",
        "ec2:ModifyLaunchTemplate",
        "ec2:RegisterImage",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "iam:GetRole",
        "iam:PassRole"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
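Added example, not part of the thread or the ops project: a small Python checker that reads an IAM policy document and reports which actions from a required list it does not allow, matching wildcards such as `ec2:Describe*` the way IAM does (case-insensitive `*`/`?`) and letting an explicit Deny override an Allow. The sample policy is a reduced copy of the original policy above, and the required list is an assumption for illustration, taken from what the thread points at (DescribeRegions plus the snapshot-import actions in the working policy); it is not an authoritative minimum.

```python
import fnmatch
import json

# Constructed sample: the original policy from the issue, cut down to a few actions.
ORIGINAL_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["ec2:CreateImage", "ec2:DescribeImages", "ec2:ImportImage",
                            "ec2:ImportSnapshot", "s3:PutObject"],
                 "Resource": "*"}]
}""")

# Assumption for this example: actions the thread identifies for the snapshot-based
# import path (DescribeRegions caused the region error; the EBS/EC2 snapshot actions
# appear in the policy that worked). Not an authoritative minimum.
REQUIRED_FOR_IMAGE_CREATE = [
    "ec2:DescribeRegions", "ec2:ImportSnapshot", "ec2:DescribeImportSnapshotTasks",
    "ec2:RegisterImage", "ebs:StartSnapshot", "ebs:PutSnapshotBlock", "ebs:CompleteSnapshot",
]


def _as_list(value):
    # IAM allows a single string or a list in Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_allowed(policy, action):
    """True if the policy allows `action` on some resource.

    An explicit Deny beats any Allow, as in IAM evaluation. Only "Action"
    patterns are considered; NotAction and Condition blocks are not modelled.
    """
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement", [])):
        if any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            if stmt.get("Effect") == "Deny":
                denied = True
            elif stmt.get("Effect") == "Allow":
                allowed = True
    return allowed and not denied


def missing_actions(policy, required):
    """Required actions the policy does not allow, in the order given."""
    return [a for a in required if not action_allowed(policy, a)]
```

Running `missing_actions(ORIGINAL_POLICY, REQUIRED_FOR_IMAGE_CREATE)` lists everything except `ec2:ImportSnapshot`, which is the gap the thread ends up closing.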