Metadata Update from @mizdebsk:
- Issue tagged with: aws
We aren't sure how to do this and will have to research it ourselves.
Metadata Update from @smooge:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
This policy attached should give the permissions required to work with elastic IP addresses.
Hum, so I guess we can't use:
because the elastic IPs have no tag or are not taggable, right?
@kevin Elastic IP addresses are taggable, it's just not obvious at first how to do it. Especially using the API, as you can't tag it when you allocate it; you must run a separate create-tags call on the resource id of the IP.
About halfway down this page (I wish AWS would put anchor links on their headings)
Or https://docs.aws.amazon.com/cli/latest/reference/ec2/create-tags.html for the cli command
So in other words that condition should be added for just copr to have access.
I thought about this again and you are correct @kevin, we can't use that conditional because, although you can tag the IPs to match that condition, it can't be done at creation time through the console or the cli; it has to be done after creation.
So the user in the copr group would not be able to access the IP to tag it, as the IP doesn't have the tag to allow them to have access.
The one possible exception is CloudFormation, as the resource creation template allows tagging on creation, although this may be 2 separate calls under the hood so it's not clear how the permissions work in this case. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-eip.html
ok, I added the policy above. Can you please try now and let us know what error(s) you get?
@praiskup any chance to test here?
Yes, it seems to work!
Though I cannot "tag" them, or set the Name for those IPs.
Elastic IP address 184.108.40.206:You are not authorized to perform this operation. Encoded authorization failure message: 3_soetKrqYhLfEv4dYNvXh-ktprl0sZTR_4OGuTkYr5WsEKX163i2tpGZVCIyz9I8EdN-osAolX3zuo8L9Z5IkZnNKsseoBIt3_MAFryZjG4jHA6y09XrHKrq_wmuku0D7XxPg1B0JlcSjTuFhndUSUokV6PPHEVTd9n0kIVfQgPFq9FyQAOAkEWcMGXgoJ2N-iSCQPj_VDmyjVsNC2m7mdMnd1Z9V5fWPx-ut9A6Byb2bJyf5iNM3kYlKiNexU-smJDIsEaY2DjdOghYgeUgsS_OvaFsLN1QCPd5bcRB3OgLnaR4_LFu7qy4q3mEW2VBeVTr-wHNiDy86EcrC7jtYwi1yk9wMv3juJhoIvLDVBdCj2xLAGUcgQBP6Q3fv99hNPkCzoXO6Ts7zb18CUGsJSB-b1431GS45jfFa1M2IdnnbZQ7q8ZX_hAKCkbyd3G0v59vZKOvJVmYIC5381HhcOFGSNM0H7n-rq0pz3Q6XdDF-3Z0cKb-Kfx7k5IjsY6Uws654bv7bucgE6kYGq6FkfrP2Jy6rlSGzy5Lwz8lRjrvCZojScEdG0b_vcdEey-XZLYNehoRdkxg6vk1Zz7F5vav_p-gBr3go-FB4zDI8fYGPXyjw Failed to create tags: Name
I'm not really sure why I did not get e-mails about this issue; sorry for the delay in the response here.
@mobrien is there some additional perm we need to grant here to allow the tagging?
@kevin tagging is treated as a separate permission so you will need to add something like below to allow creation and deletion of tags.
I'm not 100% on the resource part being correct but I think that should be correct. The * in the middle allows for all regions.
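The two points discussed in this ticket (a tag condition locks users out of a freshly allocated, untagged Elastic IP, and tagging needs its own permission) can be seen in a small model. This is an added example, not part of the ticket and not the policy that was attached to it; it is a simplified stand-in for IAM evaluation, and the tag key/value, account id and allocation id are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Constructed values: tag key/value, account id and allocation id are placeholders.
GROUP_TAG = {"FedoraGroup": "copr"}
EIP_ARN = "arn:aws:ec2:us-east-1:111122223333:elastic-ip/eipalloc-0example"

# Every action, including tagging, is gated on the resource already carrying the tag.
TAG_GATED = {"Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:AssociateAddress", "ec2:ReleaseAddress", "ec2:CreateTags"],
    "Resource": ["*"],
    "Condition": {"StringEquals": {"ec2:ResourceTag/FedoraGroup": "copr"}},
}]}

# Same policy plus an unconditional tagging statement; the "*" in the region
# field of the ARN covers all regions.
WITH_TAGGING = {"Statement": TAG_GATED["Statement"] + [{
    "Effect": "Allow",
    "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
    "Resource": ["arn:aws:ec2:*:111122223333:elastic-ip/*"],
}]}

def statement_allows(stmt, action, arn, tags):
    """Simplified Allow matching: action, resource, then StringEquals on resource tags."""
    if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
        return False
    if not any(fnmatchcase(arn, pattern) for pattern in stmt["Resource"]):
        return False
    wanted = stmt.get("Condition", {}).get("StringEquals", {})
    # A tag that is absent from the resource never satisfies StringEquals.
    return all(tags.get(key.split("/", 1)[1]) == value for key, value in wanted.items())

def is_allowed(policy, action, arn, tags):
    """Implicit deny unless some statement allows the request."""
    return any(statement_allows(s, action, arn, tags) for s in policy["Statement"])

def scenario(policy):
    """Return (can tag a freshly allocated, untagged address; can release it afterwards)."""
    can_tag = is_allowed(policy, "ec2:CreateTags", EIP_ARN, {})
    tags = dict(GROUP_TAG) if can_tag else {}
    return can_tag, is_allowed(policy, "ec2:ReleaseAddress", EIP_ARN, tags)

if __name__ == "__main__":
    print("tag-gated only:   ", scenario(TAG_GATED))
    print("with tagging stmt:", scenario(WITH_TAGGING))
```

In this model the unconditional tagging statement also lets the user put the group tag on any Elastic IP in the account, so the tag condition by itself no longer separates groups.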