Home / server / Questions / 449367
Accepted
Andrei Mikhaltsov
Asked: 2012-11-17 03:04:23 +0800 CST

What permissions in IAM do i need to start EC2 instances with chef knife?

  • 772

Q1: I am trying to create user in IAM AWS console that has restricted permissions only to start new instances using knife ec2 method. Currently only full access with policy "Amazon EC2 Full access" works. Creating user and granting start/stop instances and describe images does not work.

Q2: How i can debug this 

ERROR: Fog::Compute::AWS::Error: UnauthorizedOperation => You are not authorized to perform this operation.

and trace down which exactly permission do i need. (-V -V -V didnt work)

amazon-ec2

4 Answers

  1. Best Answer

    Q1: I had to debug knife-ec2 gem in order to find out the minimal IAM permissions required to start an EC2 instance. Here is the minimal policy:

    {
  "Statement": [
    {
      "Sid": "Stmt123",
      "Action": [
        "ec2:RunInstances",
        "ec2:DescribeInstances",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeImages",
        "ec2:CreateTags",
        "ec2:DescribeTags"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ]
}

    Please note the Sid should be unique.

    Q2: My knowledge of Ruby is quite limited so possibly there is not convenient way for debugging. Personally I used binding.pry as a debugger. Please refer to the following article for more info.

    • 7

  2. You will need to allow RunInstances.

    • 3

  3. I had to allow access in IAM to the user of which we are using "Access Key Id" and "Secret Access Key"

    • 0

  4. The policy I came up with is:

        "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:CreateTags",
                "ec2:DescribeInstances",
                "ec2:DescribeImages",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeAddresses"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": <You should list the roles you want to be able to create here
 or use '*' but that is dangerous because if it allows for privilege escalation>
        }
    ]
}

    I think it might depend on exactly what features/options you use of knife ec2 create. I tried the policy from the other answer (with iam:PassRole and some extra polices) but was getting hit specifically on ec2:DescribeAddress.

    You can see why your role failed to do something by checking out my ButtTrail logs.

    • 0