#12345 Add StartInstanceRefresh permission for fedora-ci-testing-farm user in AWS
Opened 20 days ago by mvadkert. Modified 10 days ago

Describe what you would like us to do:


We need to add start instance refresh after updating the tags after the ASG is created:

An error occurred (AccessDenied) when calling the StartInstanceRefresh
│ operation: User: arn:aws:iam::125523088429:user/fedora-ci-testing-farm is
│ not authorized to perform: autoscaling:StartInstanceRefresh on resource:
│ arn:aws:autoscaling:us-east-2:125523088429:autoScalingGroup:1ea95a62-2274-4466-8f86-a3b800d2ef31:autoScalingGroupName/eks-default_node_group-20250103143008332600000003-b0ca1649-6b80-2b0c-1c29-156db1b05b83
│ because no identity-based policy allows the
│ autoscaling:StartInstanceRefresh action

When do you need this to be done by?


Ideally ASAP, it is blocking proper tagging of instances created for the cluster. See:

https://gitlab.com/testing-farm/infrastructure/-/merge_requests/781


Metadata Update from @zlopez:
- Issue tagged with: aws

17 days ago

Metadata Update from @dkirwan:
- Issue assigned to dkirwan

17 days ago

Added the following to the policy: fedora-ci-eks which is attached to the user fedora-ci-testing-farm. Can you please retry to see if this unblocked you?

{
            "Effect": "Allow",
            "Action": [
...
                "autoscaling:StartInstanceRefresh",
...
            ],
            "Resource": "arn:aws:eks:*:*:*"
        },

Metadata Update from @phsmoura:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: low-gain, low-trouble, ops

17 days ago

@mvadkert when you get a moment, can you please check that this is now resolved? Thanks.
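
An added example, not part of the ticket or of Fedora's infrastructure code: a simplified model of how one identity-policy Allow statement is matched against a request, run on the action and Auto Scaling group ARN from the AccessDenied message and on the statement quoted above. It ignores Deny statements, conditions, permission boundaries and SCPs; `SCOPED_STATEMENT` is a constructed alternative, and the function names are this example's own.

```python
import re

def _glob(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(v):
    return [v] if isinstance(v, str) else list(v)

def match(statement, action, resource):
    """Report which half of an Allow statement covers the request.
    Action names compare case-insensitively; resource ARNs are case-sensitive."""
    action_ok = any(_glob(a, action, ignore_case=True)
                    for a in _as_list(statement["Action"]))
    resource_ok = any(_glob(r, resource) for r in _as_list(statement["Resource"]))
    allowed = statement.get("Effect") == "Allow" and action_ok and resource_ok
    return {"action": action_ok, "resource": resource_ok, "allowed": allowed}

# Request taken from the AccessDenied message in the ticket description.
ACTION = "autoscaling:StartInstanceRefresh"
ASG_ARN = ("arn:aws:autoscaling:us-east-2:125523088429:autoScalingGroup:"
           "1ea95a62-2274-4466-8f86-a3b800d2ef31:autoScalingGroupName/"
           "eks-default_node_group-20250103143008332600000003-"
           "b0ca1649-6b80-2b0c-1c29-156db1b05b83")

# Statement as quoted in the ticket; the actions elided there ("...") are omitted.
TICKET_STATEMENT = {
    "Effect": "Allow",
    "Action": ["autoscaling:StartInstanceRefresh"],
    "Resource": "arn:aws:eks:*:*:*",
}

# Constructed alternative (an assumption, not from the ticket): the same action,
# scoped to Auto Scaling groups in this account and region whose name starts "eks-".
SCOPED_STATEMENT = {
    "Effect": "Allow",
    "Action": ["autoscaling:StartInstanceRefresh"],
    "Resource": ("arn:aws:autoscaling:us-east-2:125523088429:"
                 "autoScalingGroup:*:autoScalingGroupName/eks-*"),
}

if __name__ == "__main__":
    for name, stmt in (("ticket", TICKET_STATEMENT), ("scoped", SCOPED_STATEMENT)):
        print(name, match(stmt, ACTION, ASG_ARN))
```

The statement's `Resource` pattern has to match the ARN named in the error for the Allow to apply. On the live account, `aws iam simulate-principal-policy` gives the authoritative answer for the user's full set of attached policies.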


Metadata
Boards 1
ops Status: Backlog