Route53 ListHostedZones Permission?


Sean Laurent

Mar 6, 2013, 8:36:02 PM
to edda-...@googlegroups.com
I just pulled down the latest from GitHub and now I'm getting an exception:

2013-03-06 19:33:00.861 - ERROR - [StateMachine.scala:191] failed to handle event Crawl([Collection aws.hostedZones] refresher)
Status Code: 403, AWS Service: AmazonRoute53, AWS Request ID: f286990b-86c6-11e2-82e7-8d8c27c5bf45, AWS Error Code: AccessDenied, AWS Error Message: User: arn:aws:iam::123456789012:user/edda is not authorized to perform: route53:ListHostedZones
at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:556)
at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:289)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:170)
at com.amazonaws.services.route53.AmazonRoute53Client.invoke(AmazonRoute53Client.java:635)
at com.amazonaws.services.route53.AmazonRoute53Client.listHostedZones(AmazonRoute53Client.java:294)
at com.netflix.edda.aws.AwsHostedZoneCrawler.doCrawl(AwsCrawlers.scala:622)
at com.netflix.edda.Crawler$$anonfun$localTransitions$1.apply(Crawler.scala:122)
at com.netflix.edda.Crawler$$anonfun$localTransitions$1.apply(Crawler.scala:110)
at scala.PartialFunction$$anon$1.apply(PartialFunction.scala:45)
at com.netflix.edda.StateMachine$$anonfun$act$1$$anonfun$apply$2$$anonfun$apply$3.apply(StateMachine.scala:188)
at com.netflix.edda.StateMachine$$anonfun$act$1$$anonfun$apply$2$$anonfun$apply$3.apply(StateMachine.scala:174)
at scala.actors.ReactorTask.run(ReactorTask.scala:31)
at scala.actors.Reactor$class.resumeReceiver(Reactor.scala:129)
at com.netflix.edda.StateMachine.scala$actors$ReplyReactor$$super$resumeReceiver(StateMachine.scala:93)
at scala.actors.ReplyReactor$class.resumeReceiver(ReplyReactor.scala:68)
at com.netflix.edda.StateMachine.resumeReceiver(StateMachine.scala:93)
at scala.actors.Actor$class.searchMailbox(Actor.scala:500)
at com.netflix.edda.StateMachine.searchMailbox(StateMachine.scala:93)
at scala.actors.Reactor$$anonfun$startSearch$1$$anonfun$apply$mcV$sp$1.apply$mcV$sp(Reactor.scala:117)
at scala.actors.Reactor$$anonfun$startSearch$1$$anonfun$apply$mcV$sp$1.apply(Reactor.scala:114)
at scala.actors.Reactor$$anonfun$startSearch$1$$anonfun$apply$mcV$sp$1.apply(Reactor.scala:114)
at scala.actors.ReactorTask.run(ReactorTask.scala:33)
at scala.concurrent.forkjoin.ForkJoinPool$AdaptedRunnable.exec(ForkJoinPool.java:611)
at scala.concurrent.forkjoin.ForkJoinTask.quietlyExec(ForkJoinTask.java:422)
at scala.concurrent.forkjoin.ForkJoinWorkerThread.mainLoop(ForkJoinWorkerThread.java:340)
at scala.concurrent.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:325)

I thought I added the correct permission to the edda user in IAM, but it's still not working. Here's the snippet:

   {
      "Sid": "Stmt1362619254176",
      "Action": [
        "route53:ListHostedZones"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:route53:::hostedzone/*"
      ]
    }

Any advice?

-Sean

Cory Bennett

Mar 7, 2013, 1:49:44 PM
to Sean Laurent, edda-...@googlegroups.com
> {
> "Sid": "Stmt1362619254176",
> "Action": [
> "route53:ListHostedZones"
> ],
> "Effect": "Allow",
> "Resource": [
> "arn:aws:route53:::hostedzone/*"
> ]
> }

This looks good to me. I am not sure what would be going wrong here. I
don't have enough experience manipulating IAM permissions myself.

There is another permission that will be needed also:
route53:ListResourceRecordSets

-Cory


On 13-03-06 17:36, Sean Laurent <organi...@gmail.com> wrote
> I *thought* I added the correct permission to the edda user in IAM, but

Sean Laurent

Mar 7, 2013, 2:11:00 PM
to edda-...@googlegroups.com, Sean Laurent
Thanks. I was missing the ListResourceRecordSets permission, so I'll give that a shot.

   {
      "Sid": "Stmt1362619254176",
      "Action": [
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:route53:::hostedzone/*"
      ]
    },
 
If that works, I'll submit a patch for the documentation.

-Sean

Sean Laurent

Mar 7, 2013, 2:28:36 PM
to edda-...@googlegroups.com, Sean Laurent
Nope. Still not working:

2013-03-07 13:27:29.311 - ERROR - [StateMachine.scala:191] failed to handle event Crawl([Collection aws.hostedZones] refresher)
Status Code: 403, AWS Service: AmazonRoute53, AWS Request ID: 0ce887a3-875d-11e2-bb8d-2bfd74e136ea, AWS Error Code: AccessDenied, AWS Error Message: User: arn:aws:iam::123456789012:user/edda is not authorized to perform: route53:ListHostedZones
at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:556)
at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:289)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:170)
at com.amazonaws.services.route53.AmazonRoute53Client.invoke(AmazonRoute53Client.java:635)
at com.amazonaws.services.route53.AmazonRoute53Client.listHostedZones(AmazonRoute53Client.java:294)
at com.netflix.edda.aws.AwsHostedZoneCrawler.doCrawl(AwsCrawlers.scala:622)

Hrmph.

-S

Cory Bennett

Mar 7, 2013, 5:50:18 PM
to Sean Laurent, edda-...@googlegroups.com
I am not sure what is wrong with your setup. I played around a bit
today to set up an Edda group on my personal AWS account with this policy:

{
"Statement": [{
"Action": [
"ec2:DescribeAddresses",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeReservedInstances",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribePolicies",
"cloudwatch:DescribeAlarms",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeInstanceHealth",
"s3:ListBucket",
"sqs:ListQueues",
"sqs:GetQueueAttributes",
"route53:ListResourceRecordSets",
"route53:ListHostedZones",
"iam:ListAccessKeys",
"iam:ListGroups",
"iam:ListGroupsForUser",
"iam:ListGroupPolicies",
"iam:ListRoles",
"iam:ListUsers",
"iam:ListUserPolicies",
"iam:ListVirtualMFADevices"
],
"Effect": "Allow",
"Resource": "*"
}]
}

It seems to work for me.

-Cory

On 13-03-07 11:28, Sean Laurent <organi...@gmail.com> wrote

Cory Bennett

Mar 7, 2013, 5:53:06 PM
to Sean Laurent, edda-...@googlegroups.com
Forgot to mention, the IAM permissions are not needed for the master
branch, but will be recommended when this pull request gets merged in:
https://github.com/Netflix/edda/pull/8

-Cory

On 13-03-07 14:50, Cory Bennett <cben...@netflix.com> wrote

Sean Laurent

Mar 7, 2013, 6:21:44 PM
to edda-...@googlegroups.com, Sean Laurent
Strange. I replaced my IAM policy with your simpler policy and everything works now.

I don't understand what was different, but I'm not going to argue with success. :)

Thanks!

-S

Cory Bennett

Mar 7, 2013, 6:43:13 PM
to Sean Laurent, edda-...@googlegroups.com
Okay, good news. The only thing I can think of is the Resource didn't
match, but that does not really make sense.

I updated the wiki with the new permissions and the example policy
document:
https://github.com/Netflix/edda/wiki/AWS-Permissions

-Cory

On 13-03-07 15:21, Sean Laurent <organi...@gmail.com> wrote
> > On 13-03-07 11:28, Sean Laurent <organi...@gmail.com> wrote
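The Resource mismatch Cory suspects is in fact what happened, and it can be checked offline. route53:ListHostedZones is one of the actions that supports no resource-level permissions, so IAM evaluates it against the resource "*"; a statement whose Resource is arn:aws:route53:::hostedzone/* therefore never matches it, even though the same ARN pattern is exactly right for route53:ListResourceRecordSets. The script below is an added example, not Edda's code and not anything posted in this thread: a deliberately simplified Allow-only IAM evaluator (wildcard matching, no Deny, no Condition) that runs Sean's original statement and a split least-privilege version through that rule. The hosted zone id it uses is constructed.

```python
"""Offline check of why the thread's first Route 53 policy fails.

Added example (not Edda code): a deliberately simplified IAM evaluator that
handles Allow statements with '*' / '?' wildcards only (no Deny, no Condition).
"""
import re

# Per the AWS Service Authorization Reference: ListHostedZones supports no
# resource-level permissions, so IAM matches it against the resource "*";
# ListResourceRecordSets is evaluated against the hosted zone's ARN.
# The zone id below is constructed for this example.
REQUEST_RESOURCE = {
    "route53:ListHostedZones": "*",
    "route53:ListResourceRecordSets": "arn:aws:route53:::hostedzone/Z0000EXAMPLE",
}

# Sean's statement from this thread, wrapped in a complete policy document.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1362619254176",
        "Action": ["route53:ListHostedZones", "route53:ListResourceRecordSets"],
        "Effect": "Allow",
        "Resource": ["arn:aws:route53:::hostedzone/*"],
    }],
}

# Same two actions, split so each statement's Resource matches what IAM
# actually evaluates; narrower than granting Resource "*" to both actions.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListZonesNeedsStarResource",
            "Action": "route53:ListHostedZones",
            "Effect": "Allow",
            "Resource": "*",
        },
        {
            "Sid": "RecordSetsScopedToZones",
            "Action": "route53:ListResourceRecordSets",
            "Effect": "Allow",
            "Resource": "arn:aws:route53:::hostedzone/*",
        },
    ],
}


def iam_match(pattern, value, ignore_case=False):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    parts = [re.escape(p).replace(r"\?", ".") for p in pattern.split("*")]
    regex = "^" + ".*".join(parts) + "$"
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action):
    """True if some Allow statement matches both the action and the resource
    IAM evaluates for that action (action names compare case-insensitively,
    resource ARNs case-sensitively)."""
    resource = REQUEST_RESOURCE[action]
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(iam_match(a, action, ignore_case=True)
                        for a in _as_list(stmt["Action"]))
        resource_ok = any(iam_match(r, resource)
                          for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


def evaluate(policy):
    """Map each crawler action to its Allow/Deny outcome under the policy."""
    return {action: is_allowed(policy, action) for action in REQUEST_RESOURCE}


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY),
                         ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        for action, allowed in evaluate(policy).items():
            verdict = "ALLOW" if allowed else "DENY (no statement matches resource)"
            print(f"{name:16} {action:34} {verdict}")
```

Running it shows the original statement allowing ListResourceRecordSets but denying ListHostedZones, which is the 403 in the stack traces above; the split policy allows both while keeping record-set reads scoped to hosted zone ARNs instead of widening every action to Resource "*". Against the real service the same question can be put to the IAM policy simulator (`aws iam simulate-custom-policy`) before changing the user's policy.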