IAM policy question

thomas....@beatport.com

Apr 27, 2015, 3:26:20 PM
to terrafo...@googlegroups.com
Hi,

I'm trying to set up a minimal IAM policy. What I have works with `AmazonEC2FullAccess`. Currently I'm trying:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:*Instances",
                "ec2:*PrivateIpAddresses"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "ForAnyValue:ArnEquals": {
                    "ec2:Subnet": [
                        "arn:aws:ec2:us-west-2:*:subnet/subnet-123",
                        "arn:aws:ec2:us-west-2:*:subnet/subnet-456",
                        "arn:aws:ec2:us-west-2:*:subnet/subnet-789"
                    ]
                }
            }
        },
        {
            "Action": [
                "ec2:Describe*",
                "ec2:*SecurityGroup",
                "ec2:*SecurityGroupEgress",
                "ec2:*SecurityGroupIngress",
                "ec2:*Tags"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

The error I get from terraform is:

    * Error authorizing security group ingress rules: Unable to find group 'sg-abc'

This is used in:

resource "aws_security_group" "allow_elasticsearch_from_vpc" {
    description = "Allow access to Elasticsearch from VPC."
    name = "allow-elasticsearch-from-vpc"

    ingress {
        from_port = 9200
        to_port = 9200
        protocol = "tcp"
        security_groups = ["sg-abc"]
    }

    tags = {
        "team" = "search"
    }
}

I see in the policy simulator that all Describe* actions are allowed. I don't know what action I need to enable to get past this error. Any ideas?

Thanks.

-Tom




Paul Hinze

Apr 28, 2015, 10:17:28 AM
to thomas....@beatport.com, terrafo...@googlegroups.com
Hi Tom,

Ah the joys of IAM policy discovery. I have spent many an hour there. :-\

Just double checked your policy in the simulator - seems like it should work from there.

You can get more information by enabling the debug logs with the env var TF_LOG=1, and then you should be able to reproduce the equivalent authorize command using awscli. If it works there, it's a TF or an aws-sdk-go issue; if it does not work there, you can open up an AWS support ticket and perhaps they can enlighten us.

We'll get this figured out one way or another! :)

Paul


Tom Vaughan

Apr 28, 2015, 12:03:26 PM
to Paul Hinze, terrafo...@googlegroups.com
Hi Paul,

Thanks a lot for your response. I've gotten a bit further. First, I had to add `vpc_id` to the security groups. For some reason this wasn't required with the original, permissive IAM policy. Second, I had a space in the subnet id string. Once I solved these problems I started to see encoded errors from AWS. Once I decoded those I could see exactly which operation had been denied. From these encoded errors I was able to update the IAM policy to allow the appropriate operation. The updated IAM policy is below.

Now I see that terraform says "You are not authorized to perform this operation." without an encoded error. I ran this with TF_LOG=1. The output is at https://gist.github.com/tvaughan/e038638f64e67ab4e7dc if you want to take a look.

Thanks!

-Tom

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:RebootInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:*SecurityGroup",
                "ec2:*SecurityGroupEgress",
                "ec2:*SecurityGroupIngress",
                "elasticloadbalancing:*"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/team": "search"
                }
            }
        },
        {
            "Action": [
                "ec2:RunInstances",
                "ec2:Describe*",
                "ec2:*PrivateIpAddresses",
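
The post above mentions decoding the encoded authorization failures that EC2 returns. As an added example (not code from the thread, from Terraform or from AWS), here is a small Python script that summarises the JSON that `aws sts decode-authorization-message` returns in its `DecodedMessage` field: which principal was denied, which action on which resource, whether the denial was explicit or implicit, and the request-context keys that a policy condition could test. The sample message embedded in the script is constructed, modelled on the documented DecodedMessage shape, with made-up account id, instance id and tag values; `summarize` and `minimal_allow_statement` are names chosen for this example. Note that decoding the blob itself requires the caller to hold `sts:DecodeAuthorizationMessage`.

```python
"""Summarise a decoded AWS authorization failure (added example, not from the thread).

EC2 reports IAM denials as an UnauthorizedOperation error carrying an opaque
'Encoded authorization failure message'. Decode it with:

    aws sts decode-authorization-message --encoded-message <blob> \
        --query DecodedMessage --output text > decoded.json

and feed the resulting JSON to this script.
"""
import json
import sys

# Constructed sample in the DecodedMessage shape; account id, instance id,
# principal and tag values are made up for the example.
SAMPLE_DECODED = json.dumps({
    "allowed": False,
    "explicitDeny": False,
    "matchedStatements": {"items": []},
    "failures": {"items": []},
    "context": {
        "principal": {
            "id": "AIDAEXAMPLEID",
            "name": "terraform",
            "arn": "arn:aws:iam::111122223333:user/terraform",
        },
        "action": "ec2:ModifyInstanceAttribute",
        "resource": "arn:aws:ec2:us-west-2:111122223333:instance/i-0123456789abcdef0",
        "conditions": {"items": [
            {"key": "ec2:Region", "values": {"items": [{"value": "us-west-2"}]}},
            {"key": "ec2:ResourceTag/team", "values": {"items": [{"value": "search"}]}},
            {"key": "ec2:InstanceType", "values": {"items": [{"value": "m3.medium"}]}},
        ]},
    },
})


def summarize(decoded_json):
    """Flatten a DecodedMessage into the fields needed to fix a policy."""
    msg = json.loads(decoded_json)
    ctx = msg["context"]
    # Each context key carries a list of values; collapse the nested "items" wrappers.
    conditions = {
        item["key"]: [v["value"] for v in item["values"]["items"]]
        for item in ctx.get("conditions", {}).get("items", [])
    }
    return {
        "allowed": msg["allowed"],
        "explicit_deny": msg["explicitDeny"],
        "principal": ctx["principal"]["arn"],
        "action": ctx["action"],
        "resource": ctx["resource"],
        "conditions": conditions,
        "matched_statements": len(msg.get("matchedStatements", {}).get("items", [])),
    }


def minimal_allow_statement(summary):
    """Single-action Allow statement for the denied call. Resource is the exact
    ARN from the context; EC2 actions that do not support resource-level
    permissions need "*" instead, so check the service documentation first."""
    return {"Effect": "Allow", "Action": [summary["action"]], "Resource": [summary["resource"]]}


def main(argv):
    # With no file argument the constructed sample is used.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_DECODED
    s = summarize(text)
    if s["explicit_deny"]:
        verdict = "explicit Deny"
    elif s["allowed"]:
        verdict = "allowed"
    else:
        verdict = "implicit deny (no matching Allow statement)"
    print(f"{s['principal']} -> {s['action']} on {s['resource']}: {verdict}")
    for key, values in sorted(s["conditions"].items()):
        print(f"  context {key} = {', '.join(values)}")
    print(json.dumps(minimal_allow_statement(s), indent=2))


if __name__ == "__main__":
    main(sys.argv)
```

Save the `DecodedMessage` text to a file and pass its path as the first argument; the printed context keys are the ones you can actually condition on for that call, which avoids guessing whether a key such as `ec2:Subnet` is even present in the request.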

Tom Vaughan

Apr 29, 2015, 9:35:47 AM
to Paul Hinze, terrafo...@googlegroups.com
The winning IAM policy is below. From my previous email, the permission I need to allow is "ec2:ModifyInstanceAttribute". This is the least permissive IAM policy I could come up with that allows me to create and modify security groups, ec2 instances, and load balancers. Thanks!

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:RebootInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:DeleteSecurityGroup"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/team": "search"
                }
            }
        },
        {
            "Action": [
                "ec2:CreateSecurityGroup",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RunInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:ResetInstanceAttribute",
                "ec2:Describe*",
                "ec2:*Tags"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "elasticloadbalancing:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
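
To see why `ec2:*Instances` in the first policy never covered the call that failed, and what the winning policy actually grants, here is a toy evaluator (an added example, not code from the thread or from AWS) that implements the two mechanisms these policies rely on: IAM's case-insensitive `*`/`?` action matching and a `StringEquals` test on `ec2:ResourceTag/<key>`. `FINAL_POLICY` is the winning policy above transcribed as a Python dict; `action_matches`, `statement_matches` and `evaluate` are names chosen for this example, and the tag values in the demo requests are made up. Resource ARNs are not modelled because every statement uses `"*"`. The last evaluation shows a caveat of the tag-scoped first statement: the second statement grants `ec2:*Tags` on every resource with no condition, so a principal holding this policy can add `team=search` to an instance that belongs to another team and then stop or terminate it, unless the tagging actions are fenced the same way.

```python
"""Toy IAM evaluator for the 'winning' policy above (added example, not from the thread).

It models only what that policy uses: Action globs, Effect, and a StringEquals
condition on ec2:ResourceTag/<key>. Real IAM also evaluates Resource ARNs,
resource policies, permission boundaries, SCPs and many more operators.
"""
import re

# The final policy from the thread, as a Python dict.
FINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["ec2:RebootInstances", "ec2:StartInstances", "ec2:StopInstances",
                       "ec2:TerminateInstances", "ec2:DeleteSecurityGroup"],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/team": "search"}},
        },
        {
            "Action": ["ec2:CreateSecurityGroup", "ec2:AuthorizeSecurityGroupEgress",
                       "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress",
                       "ec2:RevokeSecurityGroupIngress", "ec2:RunInstances",
                       "ec2:ModifyInstanceAttribute", "ec2:ResetInstanceAttribute",
                       "ec2:Describe*", "ec2:*Tags"],
            "Effect": "Allow",
            "Resource": "*",
        },
        {"Action": ["elasticloadbalancing:*"], "Effect": "Allow", "Resource": "*"},
    ],
}


def action_matches(pattern, action):
    """IAM action matching: '*' matches any run of characters, '?' exactly one,
    and the comparison is case-insensitive (service prefix included)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def statement_matches(stmt, action, context):
    """True when some Action glob matches `action` and every condition holds.
    A condition key missing from the request context fails a StringEquals test,
    as it does in IAM."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(action_matches(p, action) for p in actions):
        return False
    for operator, tests in stmt.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in tests.items():
            if context.get(key) != expected:
                return False
    return True


def evaluate(policy, action, context):
    """Return (allowed, index_of_deciding_statement). An explicit Deny beats any
    Allow; with no matching statement the request is implicitly denied."""
    statements = policy["Statement"]
    for i, stmt in enumerate(statements):
        if stmt["Effect"] == "Deny" and statement_matches(stmt, action, context):
            return False, i
    for i, stmt in enumerate(statements):
        if stmt["Effect"] == "Allow" and statement_matches(stmt, action, context):
            return True, i
    return False, None


if __name__ == "__main__":
    # Why the first policy failed: none of its globs covers ModifyInstanceAttribute,
    # even though the SecurityGroupIngress glob does cover the authorize call.
    print(action_matches("ec2:*Instances", "ec2:ModifyInstanceAttribute"))                  # False
    print(action_matches("ec2:*SecurityGroupIngress", "ec2:AuthorizeSecurityGroupIngress"))  # True

    search = {"ec2:ResourceTag/team": "search"}    # made-up request contexts
    other = {"ec2:ResourceTag/team": "billing"}
    print(evaluate(FINAL_POLICY, "ec2:TerminateInstances", search))   # (True, 0)
    print(evaluate(FINAL_POLICY, "ec2:TerminateInstances", other))    # (False, None)
    print(evaluate(FINAL_POLICY, "ec2:ModifyInstanceAttribute", {}))  # (True, 1)
    # The tag fence is only as strong as control over the tags: statement 1
    # grants ec2:*Tags on every resource, so retagging 'other' is allowed.
    print(evaluate(FINAL_POLICY, "ec2:CreateTags", other))            # (True, 1)
```

Because matching is case-insensitive, `ec2:describe*` and `ec2:Describe*` are the same pattern; and because `ec2:*Tags` also matches `ec2:DeleteTags`, the holder can strip the `team` tag from an instance just as easily as add it.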