#7878 Check if AWS keys have ModifyImage permission
Closed: Fixed 4 months ago by kevin. Opened 4 months ago by sayanchowdhury.

While running the clean-amis script, I got the error

ERROR:root:eu-west-2: ami-arandomamiid1 failed 
 An error occurred (UnauthorizedOperation) when calling the ModifyImageAttribute operation: You are not authorized to perform this operation.
ERROR:root:eu-west-2: ami-arandomamiid2 failed 
 An error occurred (UnauthorizedOperation) when calling the ModifyImageAttribute operation: You are not authorized to perform this operation.
ERROR:root:eu-west-2: ami-arandomamiid3 failed 
 An error occurred (UnauthorizedOperation) when calling the ModifyImageAttribute operation: You are not authorized to perform this operation.

Please check the account associated with the ansible vars {{ ec2_image_delete_access_key_id }} & {{ ec2_image_delete_access_key }} has access to ModifyImageAttribute permission in AWS.


@sayanchowdhury Could you please give the full list of permissions you will need for tokens, and please let us know if any new permissions are needed before changes are made to fedimg or its replacement in the future?

Constantly filing tickets because you updated something or added a new tool/script that needs more permissions and then pinging us on IRC because we don't fix this within 2 days is not going to scale/perform well.

I have now added ModifyImageAttribute to image-delete.

Is there anything further needed here? Or can we close this out?

@kevin let's keep this open for a while, I will if I need any more permission and update the ticket. Also, the script is not giving the desired output yet. Mohan and I are working on it.

The list of attributes the image-delete user would need

  • DescribeImages
  • ModifyImageAttribute
  • CreateTags
  • DeregisterImage
  • DeleteSnapshot

@puiterwijk Can you just verify these permissions?

@kevin @puiterwijk Can you check the permissions and add if any one of them is missing?

ok. CreateTags was missing, I added it.

Let us know if you need any others...

:baby_chick:

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 months ago
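
An added example, not part of the original ticket or of the clean-amis script: an offline pre-flight check that compares an IAM policy document against the five actions listed in the thread and reports which ones are not granted. The `ec2:` prefixes, the function names and the sample policy are assumptions made for illustration; Resource and Condition elements are not evaluated.

```python
import re

# Actions listed in the ticket for the image-delete user.
# The "ec2:" service prefix is added here; the ticket gives bare names.
REQUIRED_ACTIONS = [
    "ec2:DescribeImages",
    "ec2:ModifyImageAttribute",
    "ec2:CreateTags",
    "ec2:DeregisterImage",
    "ec2:DeleteSnapshot",
]

# Constructed sample policy: CreateTags is absent, as it was in the thread.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:DescribeImages", "ec2:ModifyImageAttribute",
                   "ec2:DeregisterImage", "ec2:DeleteSnapshot"],
        "Resource": "*",
    }],
}

def _as_list(value):
    """IAM accepts either a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def _matches(patterns, action):
    """Case-insensitive match with the IAM wildcards '*' and '?'."""
    for pattern in patterns:
        rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(rx, action, re.IGNORECASE):
            return True
    return False

def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return required actions that are not allowed, or are explicitly denied."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    allowed, denied = set(), set()
    for stmt in statements:
        key = "NotAction" if "NotAction" in stmt else "Action"
        for action in required:
            # NotAction inverts the match: the statement covers everything else.
            hit = _matches(_as_list(stmt.get(key, [])), action) != (key == "NotAction")
            if hit and stmt.get("Effect") == "Allow":
                allowed.add(action)
            elif hit and stmt.get("Effect") == "Deny":
                denied.add(action)
    return [a for a in required if a not in allowed or a in denied]
```

Running `missing_actions` on the exported policy before the cleanup job surfaces every gap at once, rather than one UnauthorizedOperation error per API call.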
