#8667 aws: assign permissions to allocate elastic IPs in AWS for aws-copr
Opened 6 months ago by praiskup. Modified 15 days ago


Metadata Update from @mizdebsk:
- Issue tagged with: aws

6 months ago

We aren't sure how to do this and will have to research it ourselves.

Metadata Update from @smooge:
- Issue priority set to: Waiting on Assignee (was: Needs Review)

6 months ago

This policy attached should give the permissions required to work with elastic IP addresses.

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": [
         "ec2:AllocateAddress", 
         "ec2:AssociateAddress",
         "ec2:DescribeAddresses", 
         "ec2:DisassociateAddress", 
         "ec2:ReleaseAddress",
         "ec2:MoveAddressToVpc", 
         "ec2:DescribeMovingAddresses"
      ],
      "Resource": "*"
   }
   ]
}

Hum, so I guess we can't use:

        "Condition": {
            "StringEqualsIfExists": {
                "ec2:ResourceTag/FedoraGroup": "copr"
            }
        }

because the elastic IP's have no tag or are not taggable right?

@kevin Elastic IP addresses are taggable, it's just not obvious at first how to do it. Especially using the API, as you can't tag it when you allocate it; you must run a separate create-tags call on the resource id of the IP.

About halfway down this page (I wish AWS would put anchor links on their headings)
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html

Or https://docs.aws.amazon.com/cli/latest/reference/ec2/create-tags.html for the cli command

So in other words that condition should be added for just copr to have access.

I thought about this again and you are correct @kevin, we can't use that conditional because although you can tag the IPs to match that condition, it can't be done at creation time through the console or the cli, it has to be done after creation.

So the user in the copr group would not be able to access the IP to tag it, as the IP doesn't have the tag to allow them to have access.

The one possible exception is CloudFormation, as the resource creation template allows tagging on creation, although this may be 2 separate calls under the hood so it's not clear how the permissions work in this case. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-eip.html
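As an added illustration (not from the ticket or its participants), a small Python model of how the two string operators treat a resource that has no FedoraGroup tag yet, which is the state of an address right after allocation and before any create-tags call has run; it models only that subset of IAM condition evaluation, and the tag values are constructed.

```python
from typing import Dict, Optional

# Constructed example: the condition block from the ticket, under two operators.
COND_IFEXISTS = {"StringEqualsIfExists": {"ec2:ResourceTag/FedoraGroup": "copr"}}
COND_STRICT = {"StringEquals": {"ec2:ResourceTag/FedoraGroup": "copr"}}


def condition_matches(condition: Dict[str, Dict[str, str]],
                      context: Dict[str, str]) -> bool:
    """Evaluate a single-valued string condition block against a request context.

    Models only the two operators used here: StringEquals requires the key to be
    present and equal; StringEqualsIfExists additionally passes when the key is
    absent from the request context (IAM's documented ...IfExists behaviour).
    """
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringEqualsIfExists"):
            raise ValueError(f"operator not modelled: {operator}")
        if_exists = operator.endswith("IfExists")
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue  # absent key satisfies an IfExists operator
                return False  # absent key fails a plain StringEquals
            if context[key] != expected:
                return False
    return True


def allowed(condition: Dict[str, Dict[str, str]],
            tags: Optional[Dict[str, str]]) -> bool:
    """Build the ec2:ResourceTag context an EC2 call would carry and evaluate it.

    tags=None models a resource that has no tags yet, such as an address
    right after AllocateAddress and before create-tags has run.
    """
    context = {}
    if tags:
        context = {f"ec2:ResourceTag/{k}": v for k, v in tags.items()}
    return condition_matches(condition, context)


if __name__ == "__main__":
    for name, cond in (("IfExists", COND_IFEXISTS), ("StringEquals", COND_STRICT)):
        print(name, "untagged:", allowed(cond, None),
              "copr:", allowed(cond, {"FedoraGroup": "copr"}),
              "other:", allowed(cond, {"FedoraGroup": "infra"}))
```

The untagged row is the one that matters for the allocation step: the IfExists form lets an untagged address through, the plain StringEquals form does not.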

ok, I added the policy above. Can you please try now and let us know what error(s) you get?
