Context: I was going though Link to Amazon Web Services to create Swarms, in order to connect to my provider.
The role was created with success.
Then, while creating the policy, to associate to the role, a problem happened.
Problem:
An error occurred: Cannot exceed quota for PolicySize: 5120
As suggested by them, this is what I need to add in policy:
https://docs.docker.com/docker-for-aws/iam-permissions/
Did some research and people seem to like this solution:
https://github.com/docker/machine/issues/1655
How can I create the policy using the best method?
Noticing that the documentation in Docker is wrong - doesn't work in my case - what's the best method?
You are looking at the wrong instructions to connect docker-cloud to AWS follow these instructions: https://docs.docker.com/docker-cloud/infrastructure/link-aws/
It's the following 3 steps
Create AWS Policy for docker-cloud
Create a docker-cloud role and attache the policy from 1
Attach AWS role/account to docker-cloud
The policy in (1) above is pretty simple. It should be allowed to perform ec2 instances related actions (your screenshot of the policy looks like it doesn't provide ec2 permissions):
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:*",
"iam:ListInstanceProfiles"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
The role must have the permissions to implement the policy.
For a detailed post on the deployment via docker-cloud see: https://blog.geografia.com.au/how-we-are-using-docker-cloud-for-automated-testing-and-deployments-of-applications-bb87ec3173e7
Related
I am learning AWS and I have the following task in an online training course:
Configure the MongoDB VM as highly privileged – configure an instance
profile to the VM and add the permission “ec2:*” as a custom policy.
I am trying to work out what that means. Is the task asking for a role that enables the VM instance to have full control over all EC2 resources?
If I understand it correctly, then I think the following policy would implement it.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:*"
],
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:instance"
}
]
}
My understanding is that this policy is saying any EC2 instance can perform any EC2 action. Is that right?
I would say you are almost correct. Roles are attached to individual services which means your particular VM can perform any Ec2 action on this resource arn:aws:ec2:*:*:instance.
There is a difference in saying any ec2 can perform ec2 action instead that ec2 instance can perform any ec2 action to which this role is attached.
I am following the AWS tutorial on how to set up the new video streaming product IVC https://docs.aws.amazon.com/ivs/latest/userguide/GSIVS.html
I set up a IAM user with the following permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ivs:CreateChannel"
],
"Resource": "*"
}
]
}
But when I try to create a channel with logged in as the above mentioned IAM user I get the error
ivs.AccessDeniedException:
User: arn:aws:iam::532654645459:user/alex-iam is not authorized to perform:
ivs:CreateChannel on resource: *
Am I missing something? Here are is screenshots for the policy setup.
(OP here) The solution that worked for me was to change the policy to grant all permissions to IVS for IAM user as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ivs:*"
],
"Resource": "*"
}
]
}
Everything worked fine afterward (create channels, list channels, view channels details).
To deal with this issue, best is to reach out to AWS Support Center via “Account and billing support”. For details about the case, select “Account” for the Type and “Other Account Issues” for the Category. As for the subject and description, please provide as many details about the error as possible, such as the error code above.
What could also be helpful is to (especially on a fresh AWS account) is to spin up p/ launch an EC2 instance (Micro or whatever) and spin it back down. Try using IVS after that and see if that helped.
What type of account are you using ( free tier, educate account)?
In educate account IAM users do no have access to some services. This might be on of the issues.
I have solved the problem by add policy to the lambda function
Go to the AWS IAM page and navigate to Role.
And then find the role for your lambda function and click add permission button
and create inline policy
There, you can create and attach policy to role.
as you written on above.
After that, your functions will work well
I'm trying to launch a test task in a ECS Fargate environment from the AWS console, but every time I try to launch it, I have the error:
Execution Role Failed creation of AmazonECSTaskExecutionRole
I supposed that it was a permissions error, so I asked the account owner (I am a IAM user of another account) to give me them, and now I do but still doesn't work.
My current permissions for ECS are:
AmazonECS_FullAccess
AmazonECSTaskExecutionRolePolicy
The worst thing is that AWS doesn't give any kind of information about this error. Anyone have an idea of how to make it work?
Thank you in advance!
You need the "iam:createRole" permission.
The solution is to add the "iam:createRole" permission.
To do that add this policy to your IAM Policies:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1469200763880",
"Action": [
"iam:AttachRolePolicy",
"iam:CreateRole"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
I was having this same issue, it wasn't related to my permissions but rather the task setup trying to access an ECR image.
I needed to create a new IAM Role that gave ECS Task access to my ECR repo, then attach that Role to Execution Role ARN for the task definition. This fixed it for both CLI and Console creation for me.
I have n x EC2 instances that I wish to limit ec2 actions to instances with the same key/value tag (I.E. platform=dev).
I'm looking at doing this using an IAM Policy attached to the group their default IAM user is in.
Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/tag:platform": "dev"
}
}
}
]}
I set this up as per the online AWS docs: Example Policies for Working With the AWS CLI or an AWS SDK
I check it in the Policy Simulator and it works as expected (pass in a dev and it's allowed, otherwise denied).
Then on one of the servers with the tag key/pair of platform=dev, I run aws ec2 describe-instances I get the response:
An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation.
but if I remove the Condition it works. I don't understand what I'm doing wrong. Any help would be gratefully received!
The problem is that not every API Action & Resource will accept the ec2:ResourceTag/tag in the condition.
I think you're probably granting overly-broad permissions (Action: ec2:*), so figure out what actions your instances will need do, and then decide how to restrict them.
The list of actions, resources and conditions keys can be found at Supported Resource-Level Permissions for Amazon EC2 API Actions.
I have ran into this issue before, it had something to do with combining wildcards and conditions. What solved it for us was being more explicit on the action (e.g ["ec2:DescribeInstances"]), and on the resource as well (arn:aws:ec2:region:accountid:instance/*).
Here is what i want. I have a IAM user for whom i want to give read only access to a us-east-1 and that too only read metrics for particular ec2 instance. I have 3 instances runnning in us-east-1 but i want this user to have access to metrics of only 1 ec2 server.
I have written policy like below. which is giving access to all the metrics in all the region. I tried putting that instanceid in below code but it didn't work.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
I dont understand what i am missing here.
In short, this is not possible, according to the Cloudwatch docs:
You can't use IAM to control access to CloudWatch data for specific
resources. For example, you can't give a user access to CloudWatch
data for only a specific set of instances or a specific LoadBalancer.
Permissions granted using IAM cover all the cloud resources you use
with CloudWatch.
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/UsingIAM.html