I'm still working on getting AWS images uploaded with fedora-image-uploader. With the staging fedimg role, I do have read and write permissions to the S3 bucket, but I'm unable to perform the next step of importing the image from S3 as an EBS snapshot:
You are not authorized to perform this operation. User: fedimg-upload-staging is not authorized to perform: ec2:ImportSnapshot
I also need to be able to issue the following API calls:
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeImportSnapshotTasks.html so I can poll the status of the import
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RegisterImage.html to register the snapshot as an AMI
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CopyImage.html to copy the AMI to additional regions.
I'm not sure what permissions I require for each of those tasks, exactly. @davdunc do you have a good list of required permissions?
Ideally before 2024/06/30
Metadata Update from @kevin: - Issue assigned to kevin
I took a stab at adding these. I think some were already there, but I added ec2:ImportSnapshot and ec2:DescribeImportSnapshotTasks...
Permissions are outlined here
Awesome, thanks. Things have proceeded slightly further, I can create an import snapshot task and poll it. It's failing with:
"ClientError: Disk validation failed [We do not have access to the given resource. Reason 403 Forbidden]"
This could well be user error, or how the bucket is configured, or something else. I'll continue to do some digging on my end, but any insights from @davdunc are welcome :smile:
Edit: To clarify, the resource in question is, I think, the object in the S3 bucket.
I got a bit distracted, but the SDK docs say "The specified bucket must have the aws-exec-read canned access control list (ACL) to ensure that it can be accessed by Amazon EC2. For more information, see Canned ACLs in the Amazon S3 Service Developer Guide."
Metadata Update from @phsmoura: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: medium-gain, medium-trouble, ops
So, I'm a bit confused here.
Right now ACLs are off on that bucket (which is the default, and it says you shouldn't need to enable them) in favor of 'bucket policies'.
But I can't find an example of a bucket policy that is 'aws-exec-read'.
Do I need to enable ACLs and go that way? Or is there a bucket policy I could add?
I added the VMImportExportRoleForAWSConnector role to the user. Please try again now?
I'm really at a loss at what I am missing. I set everything according to the docs, but clearly I am missing something. ;(
@davdunc can you login and take a look and see what it is that I am missing?
So can you all paste the exact error that's currently happening here?
I can also post the iam config I have and we can see if folks can see what I am missing. ;)
The S3 bucket has ACLs on, and the owner has perms (and since this is in the same AWS account it should have the same perms?)

In IAM, attached to the user is the VMImportExportRoleForAWSConnector policy; also attached is a custom policy of:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": [
        "arn:aws:s3:::fedora-s3-bucket-fedimg-staging",
        "arn:aws:s3:::fedora-s3-bucket-fedimg-staging/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CancelConversionTask",
        "ec2:CancelExportTask",
        "ec2:CreateImage",
        "ec2:CreateInstanceExportTask",
        "ec2:CreateTags",
        "ec2:DescribeConversionTasks",
        "ec2:DescribeExportTasks",
        "ec2:DescribeExportImageTasks",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeSnapshots",
        "ec2:DescribeTags",
        "ec2:ExportImage",
        "ec2:ImportInstance",
        "ec2:ImportVolume",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:ImportImage",
        "ec2:ImportSnapshot",
        "ec2:DescribeImportImageTasks",
        "ec2:DescribeImportSnapshotTasks",
        "ec2:CancelImportTask"
      ],
      "Resource": "*"
    }
  ]
}
```
I create a snapshot import task, and then poll on the results. The result is:
```
$ aws ec2 describe-import-snapshot-tasks --region us-east-1 --import-task-ids import-snap-0c2aec5ad3fe935cd
{
    "ImportSnapshotTasks": [
        {
            "Description": "Import Fedora-Cloud-Base-AmazonEC2.aarch64-40-20240414.0 from ab0fcaf5b5bbb4362d3757ff5e3fcea04fb4a4d6c501c19c1a55064194290230.raw",
            "ImportTaskId": "import-snap-0c2aec5ad3fe935cd",
            "SnapshotTaskDetail": {
                "Description": "Import Fedora-Cloud-Base-AmazonEC2.aarch64-40-20240414.0 from ab0fcaf5b5bbb4362d3757ff5e3fcea04fb4a4d6c501c19c1a55064194290230.raw",
                "DiskImageSize": 0.0,
                "Format": "RAW",
                "Status": "deleted",
                "StatusMessage": "ClientError: Disk validation failed [We do not have access to the given resource. Reason 403 Forbidden]",
                "UserBucket": {
                    "S3Bucket": "fedora-s3-bucket-fedimg-staging",
                    "S3Key": "ab0fcaf5b5bbb4362d3757ff5e3fcea04fb4a4d6c501c19c1a55064194290230.raw"
                }
            },
            "Tags": []
        }
    ]
}
```
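Two questions in this ticket can be answered offline before touching the account: whether the custom user policy above covers the four EC2 calls the uploader listed at the top (ImportSnapshot, DescribeImportSnapshotTasks, RegisterImage, CopyImage), and whether the identity that actually reads the disk image during "Disk validation" can reach the object. That identity is not the uploading user: EC2 VM Import assumes the account's `vmimport` service role to fetch the image from S3. The script below is an added illustration written for this ticket, not code from fedora-image-uploader or from the Fedora infrastructure repo. It embeds the user policy exactly as posted, and a constructed `VMIMPORT_ROLE_POLICY` modeled on the role-policy.json in the AWS VM Import/Export documentation with this ticket's bucket name substituted (the real staging role policy is never shown in the thread, so that part is an assumption). The evaluator is deliberately simplified: it models Effect/Action/Resource with IAM wildcards only and ignores Condition, NotAction/NotResource, bucket policies, SCPs and attached managed policies such as VMImportExportRoleForAWSConnector.

```python
"""Offline check of the IAM policies involved in an EC2 VM Import from S3.

Added illustration for this ticket; not fedora-image-uploader code. The
evaluator models only Effect/Action/Resource with IAM-style wildcards
('*' and '?'). Condition, NotAction/NotResource, resource policies, SCPs and
managed policies (e.g. VMImportExportRoleForAWSConnector) are NOT modeled.
"""
import re

# Custom policy attached to fedimg-upload-staging, copied from the ticket.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::fedora-s3-bucket-fedimg-staging",
                      "arn:aws:s3:::fedora-s3-bucket-fedimg-staging/*"]},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ec2:CancelConversionTask", "ec2:CancelExportTask", "ec2:CreateImage",
            "ec2:CreateInstanceExportTask", "ec2:CreateTags", "ec2:DescribeConversionTasks",
            "ec2:DescribeExportTasks", "ec2:DescribeExportImageTasks", "ec2:DescribeImages",
            "ec2:DescribeInstanceStatus", "ec2:DescribeInstances", "ec2:DescribeSnapshots",
            "ec2:DescribeTags", "ec2:ExportImage", "ec2:ImportInstance", "ec2:ImportVolume",
            "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances",
            "ec2:ImportImage", "ec2:ImportSnapshot", "ec2:DescribeImportImageTasks",
            "ec2:DescribeImportSnapshotTasks", "ec2:CancelImportTask"]},
    ],
}

# API calls the uploader makes, from the list at the top of the ticket.
REQUIRED_EC2_ACTIONS = ["ec2:ImportSnapshot", "ec2:DescribeImportSnapshotTasks",
                        "ec2:RegisterImage", "ec2:CopyImage"]

# ASSUMPTION (constructed): permission policy of the 'vmimport' service role,
# modeled on role-policy.json from the AWS VM Import/Export docs with this
# ticket's bucket substituted. EC2 assumes this role, not the uploading user,
# when it reads the disk image during validation.
VMIMPORT_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::fedora-s3-bucket-fedimg-staging",
                      "arn:aws:s3:::fedora-s3-bucket-fedimg-staging/*"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
                    "ec2:RegisterImage", "ec2:Describe*"]},
    ],
}


def _glob_match(pattern, value, ignore_case):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, else any Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not any(_glob_match(a, action, True) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(_glob_match(r, resource, False) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_actions(policy, actions, resource="*"):
    """Actions from `actions` that `policy` does not allow on `resource`."""
    return [a for a in actions if not is_allowed(policy, a, resource)]


def import_object_unreadable(role_policy, bucket, key):
    """(action, resource) pairs the import service role needs but lacks for this object."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    needed = [("s3:GetBucketLocation", bucket_arn), ("s3:ListBucket", bucket_arn),
              ("s3:GetObject", f"{bucket_arn}/{key}")]
    return [(act, res) for act, res in needed if not is_allowed(role_policy, act, res)]


if __name__ == "__main__":
    key = "ab0fcaf5b5bbb4362d3757ff5e3fcea04fb4a4d6c501c19c1a55064194290230.raw"
    print("user policy lacks:", missing_actions(USER_POLICY, REQUIRED_EC2_ACTIONS))
    print("vmimport role lacks:",
          import_object_unreadable(VMIMPORT_ROLE_POLICY, "fedora-s3-bucket-fedimg-staging", key))
```

Run against the policy as posted, the first line reports that ec2:RegisterImage and ec2:CopyImage are still absent from the custom policy, which matters for the steps after the import even if the managed policy turns out to cover them. The second line is only as good as the assumed role policy; for the real account the authoritative check is `aws iam simulate-principal-policy --policy-source-arn <role or user ARN> --action-names s3:GetObject --resource-arns <object ARN>`, which also evaluates the attached managed policies this model leaves out.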
We figured out the permissions issue here today at flock. ;)
Thanks @davdunc !
There's a bit of code fixing we need to do to make it work, but the permissions issue seems solved. ;)
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)