Ideally attaching it to the existing fcos-builds* IAM accounts.
Thanks!
/cc @puiterwijk
Created and attached fcos-upload-amis.
fcos-upload-amis
Metadata Update from @puiterwijk: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
So now we're hitting:
failed finding snapshot: unable to describe import tasks: UnauthorizedOperation: You are not authorized to perform this operation. status code: 403, request id: da5e1862-12e2-4673-ad1d-19ddb54abf76
I.e. fcos-builds-bot is being denied this API: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeImportSnapshotTasks.html
fcos-builds-bot
ore (the part of mantle that we're using for this) tries to be idempotent; and so before initiating an ImportSnapshot, it wants to check first if there's already an existing task for that image. Hence why it needs DescribeImportSnapshotTasks.
ore
mantle
ImportSnapshot
DescribeImportSnapshotTasks
Re-opening (or I can create a new ticket instead).
/cc @bgilbert
Metadata Update from @jlebon: - Issue status updated to: Open (was: Closed)
Added.
If there's any other perms needed, let us know.
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Now hitting:
unable to create snapshot: unable to create import snapshot task: UnauthorizedOperation: You are not authorized to perform this operation. status code: 403, request id: 4f6563e0-59dd-4d9a-8b2f-8470b36c36a6
I.e. https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportSnapshot.html.
Just looking ahead, we'll also want RegisterImage, DescribeImages, CreateTags, and ModifyImageAttributeInput.
RegisterImage
DescribeImages
CreateTags
ModifyImageAttributeInput
I added ImportSnapshot, CreateTags.
RegisterImage and DescribeImages were already set.
I can't find ModifyImageAttributeInput, only ModifyImageAttribute...
Yeah, sorry. ModifyImageAttribute is indeed the correct API name. ModifyImageAttributeInput is an AWS go API type.
ModifyImageAttribute
As well as ModifySnapshotAttribute.
ModifySnapshotAttribute
And now hitting
unable to create snapshot: unable to create import snapshot task: InvalidParameter: The sevice role <vmimport> does not exist or does not have sufficient permissions for the service to continue status code: 400, request id: 0334407b-d890-46d4-bdbc-acfd8a8db7b7
Hmm, are we not supposed to use the standard vmimport role here?
vmimport
ModifySnapshotAttribute is already set.
No idea on vmimport...
We have to create the vmimport role and attach it to a bucket.
This is really fixed now! Thank you both @kevin and @puiterwijk.
Metadata Update from @jlebon: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Follow-up in https://pagure.io/fedora-infrastructure/issue/8064.
Login to comment on this ticket.