#12005 Grant additional permissions to the fedimg AWS role
Opened 23 days ago by jcline. Modified 8 days ago

Describe what you would like us to do:


I'm still working on getting AWS images uploaded with fedora-image-uploader. With the staging fedimg role, I do have read and write permissions to the S3 bucket, but I'm unable to perform the next step of importing the image from S3 as an EBS snapshot:

You are not authorized to perform this operation. User: fedimg-upload-staging is not authorized to perform: ec2:ImportSnapshot 

I also need to be able to issue the following API calls:

I'm not sure what permissions I require for each of those tasks, exactly. @davdunc do you have a good list of required permissions?

When do you need this to be done by? (YYYY/MM/DD)


Ideally before 2024/06/30


Metadata Update from @kevin:
- Issue assigned to kevin

23 days ago

I took a stab at adding these. I think some were already there, but I added ec2:ImportSnapshot and ec2:DescribeImportSnapshotTasks...

Permissions are outlined here

Awesome, thanks. Things have proceeded slightly further, I can create an import snapshot task and poll it. It's failing with:

"ClientError: Disk validation failed [We do not have access to the given resource. Reason 403 Forbidden]"

This could well be user error, or how the bucket is configured, or something else. I'll continue to do some digging on my end, but any insights from @davdunc are welcome :smile:

Edit: To clarify, the resource in question is, I think, the object in the S3 bucket.

I got a bit distracted, but the SDK docs say "The specified bucket must have the aws-exec-read canned access control list (ACL) to ensure that it can be accessed by Amazon EC2. For more information, see Canned ACLs in the Amazon S3 Service Developer Guide."

Metadata Update from @phsmoura:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: medium-gain, medium-trouble, ops

22 days ago

So, I'm a bit confused here.

Right now acls are off on that bucket (which is default and it says you shouldn't need to enable them) in favor of 'bucket policies'.

But I can't find an example of a bucket policy that is 'aws-exec-read'.

Do I need to enable acls and go that way?
Or is there a bucket policy I could add?

I added the VMImportExportRoleForAWSConnector role to the user. Please try again now?

I'm really at a loss at what I am missing. I set everything according to the docs, but clearly I am missing something. ;(

@davdunc can you login and take a look and see what it is that I am missing?

So can you all paste the exact error that's currently happening here?

I can also post the iam config I have and we can see if folks can see what I am missing. ;)

The s3 bucket has acls on, owner has perms (and since this is in the same aws account it should have the same perms?)

In iam, attached to the user is VMImportExportRoleForAWSConnector policy
also attached is a custom policy of:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::fedora-s3-bucket-fedimg-staging",
                "arn:aws:s3:::fedora-s3-bucket-fedimg-staging/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CancelConversionTask",
                "ec2:CancelExportTask",
                "ec2:CreateImage",
                "ec2:CreateInstanceExportTask",
                "ec2:CreateTags",
                "ec2:DescribeConversionTasks",
                "ec2:DescribeExportTasks",
                "ec2:DescribeExportImageTasks",
                "ec2:DescribeImages",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstances",
                "ec2:DescribeSnapshots",
                "ec2:DescribeTags",
                "ec2:ExportImage",
                "ec2:ImportInstance",
                "ec2:ImportVolume",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:ImportImage",
                "ec2:ImportSnapshot",
                "ec2:DescribeImportImageTasks",
                "ec2:DescribeImportSnapshotTasks",
                "ec2:CancelImportTask"
            ],
            "Resource": "*"
        }
    ]
}

I create a snapshot import task, and then poll on the results. The result is:

aws ec2 describe-import-snapshot-tasks --region us-east-1 --import-task-ids import-snap-0c2aec5ad3fe935cd
{
    "ImportSnapshotTasks": [
        {
            "Description": "Import Fedora-Cloud-Base-AmazonEC2.aarch64-40-20240414.0 from ab0fcaf5b5bbb4362d3757ff5e3fcea04fb4a4d6c501c19c1a55064194290230.raw",
            "ImportTaskId": "import-snap-0c2aec5ad3fe935cd",
            "SnapshotTaskDetail": {
                "Description": "Import Fedora-Cloud-Base-AmazonEC2.aarch64-40-20240414.0 from ab0fcaf5b5bbb4362d3757ff5e3fcea04fb4a4d6c501c19c1a55064194290230.raw",
                "DiskImageSize": 0.0,
                "Format": "RAW",
                "Status": "deleted",
                "StatusMessage": "ClientError: Disk validation failed [We do not have access to the given resource. Reason 403 Forbidden]",
                "UserBucket": {
                    "S3Bucket": "fedora-s3-bucket-fedimg-staging",
                    "S3Key": "ab0fcaf5b5bbb4362d3757ff5e3fcea04fb4a4d6c501c19c1a55064194290230.raw"
                }
            },
            "Tags": []
        }
    ]
}
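An offline helper for the two things being debugged in this thread: whether a user policy document allows the caller-side actions of the ImportSnapshot workflow (with a scoping check that the object ARN, not just the bucket ARN, is covered), and how a poller should read a describe-import-snapshot-tasks entry like the one above so it stops on "deleted" plus a ClientError instead of polling forever. This is an added example, not fedora-image-uploader code and not an AWS SDK API; the policy statements and task record are taken from the posts above, while the required-action set and the ec2:ModifySnapshotAttribute entry (there to show how a gap is reported) are assumptions.

```python
"""Offline IAM policy lint and import-task triage for the ImportSnapshot step.

Constructed helpers, not part of fedora-image-uploader or boto3:
  missing_actions()        -> required actions a policy document does not allow
  classify_import_task()   -> 'completed' / 'failed' / 'in-progress' for one task
"""
import fnmatch

BUCKET = "fedora-s3-bucket-fedimg-staging"

# Custom policy attached to the user, as posted in the ticket (ec2 list trimmed
# to the import-related actions; the posted policy carries more).
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]},
        {"Effect": "Allow",
         "Action": ["ec2:ImportSnapshot", "ec2:DescribeImportSnapshotTasks",
                    "ec2:CancelImportTask", "ec2:DescribeSnapshots", "ec2:CreateTags"],
         "Resource": "*"},
    ],
}

# Assumed caller-side minimum for upload -> import -> poll. Each action is paired
# with the resource it touches so bucket-only scoping mistakes show up.
# ec2:ModifySnapshotAttribute is an assumption added to demonstrate a reported gap.
REQUIRED = {
    "s3:PutObject": f"arn:aws:s3:::{BUCKET}/image.raw",
    "s3:GetObject": f"arn:aws:s3:::{BUCKET}/image.raw",
    "s3:ListBucket": f"arn:aws:s3:::{BUCKET}",
    "ec2:ImportSnapshot": "*",
    "ec2:DescribeImportSnapshotTasks": "*",
    "ec2:CancelImportTask": "*",
    "ec2:ModifySnapshotAttribute": "*",
}

# Task states after which AWS will not progress the import (ClientError lands here).
TERMINAL_FAILURE = {"deleted", "deleting"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    # IAM wildcards are '*' and '?', which fnmatch also understands; actions and
    # ARNs contain no '[' so no escaping is needed. Action names are matched
    # case-insensitively, resource ARNs case-sensitively, as IAM does.
    patterns = _as_list(patterns)
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def action_allowed(policy, action, resource):
    """Evaluate one (action, resource) pair; an explicit Deny beats any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action, case_insensitive=True):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def missing_actions(policy, required=REQUIRED):
    """Sorted list of required actions the policy does not allow on their resource."""
    return sorted(a for a, r in required.items() if not action_allowed(policy, a, r))


def classify_import_task(task):
    """Return (verdict, detail) for one ImportSnapshotTasks entry.

    A poller should stop on 'completed' or 'failed' and keep waiting otherwise.
    """
    detail = task["SnapshotTaskDetail"]
    status = detail.get("Status", "")
    message = detail.get("StatusMessage", "")
    if status == "completed":
        return "completed", detail.get("SnapshotId", "")
    if status in TERMINAL_FAILURE or message.startswith("ClientError"):
        src = detail.get("UserBucket", {})
        where = f"s3://{src.get('S3Bucket', '?')}/{src.get('S3Key', '?')}"
        return "failed", f"{message} (source {where})"
    return "in-progress", f"{status}: {message}"


# The describe-import-snapshot-tasks entry posted above, trimmed to the fields used.
SAMPLE_TASK = {
    "ImportTaskId": "import-snap-0c2aec5ad3fe935cd",
    "SnapshotTaskDetail": {
        "DiskImageSize": 0.0, "Format": "RAW", "Status": "deleted",
        "StatusMessage": "ClientError: Disk validation failed [We do not have access to the given resource. Reason 403 Forbidden]",
        "UserBucket": {"S3Bucket": BUCKET,
                       "S3Key": "ab0fcaf5b5bbb4362d3757ff5e3fcea04fb4a4d6c501c19c1a55064194290230.raw"},
    },
}

if __name__ == "__main__":
    print("missing from user policy:", missing_actions(USER_POLICY))
    print("task verdict:", classify_import_task(SAMPLE_TASK))
```

The lint only answers whether the calling identity may issue the API calls; a 403 reported inside the task's StatusMessage is raised during the service's own read of the object, so a clean lint result plus this verdict points at bucket-side access rather than the user's IAM policy.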

