#8667 aws: assign permissions to allocate elastic IPs in AWS for aws-copr
Closed: Fixed 3 years ago by praiskup. Opened 4 years ago by praiskup.


Metadata Update from @mizdebsk:
- Issue tagged with: aws

4 years ago

We aren't sure how to do this and will have to research it ourselves.

Metadata Update from @smooge:
- Issue priority set to: Waiting on Assignee (was: Needs Review)

4 years ago

This policy attached should give the permissions required to work with elastic IP addresses.

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": [
         "ec2:AllocateAddress", 
         "ec2:AssociateAddress",
         "ec2:DescribeAddresses", 
         "ec2:DisassociateAddress", 
         "ec2:ReleaseAddress",
         "ec2:MoveAddressToVpc", 
         "ec2:DescribeMovingAddresses"
      ],
      "Resource": "*"
   }
   ]
}

Hum, so I guess we can't use:

        "Condition": {
            "StringEqualsIfExists": {
                "ec2:ResourceTag/FedoraGroup": "copr"
            }
        }

because the elastic IPs have no tag or are not taggable, right?

@kevin Elastic IP addresses are taggable, it's just not obvious at first how to do it. Especially using the API, as you can't tag it when you allocate it; you must run a separate create-tags call on the resource id of the IP.

About halfway down this page (I wish AWS would put anchor links on their headings):
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html

Or https://docs.aws.amazon.com/cli/latest/reference/ec2/create-tags.html for the cli command

So in other words that condition should be added for just copr to have access.

I thought about this again and you are correct @kevin, we can't use that conditional because although you can tag the IPs to match that condition, it can't be done at creation time through the console or the cli, it has to be done after creation.

So the user in the copr group would not be able to access the IP to tag it, as the IP doesn't have the tag to allow them to have access.

The one possible exception is CloudFormation, as the resource creation template allows tagging on creation, although this may be 2 separate calls under the hood so it's not clear how the permissions work in this case. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-eip.html

ok, I added the policy above. Can you please try now and let us know what error(s) you get?

Yes, it seems to work!

Though I can not "tag" them, or set the Name for those IPs.

Elastic IP address 3.216.16.52:You are not authorized to perform this operation. Encoded authorization failure message: 3_soetKrqYhLfEv4dYNvXh-ktprl0sZTR_4OGuTkYr5WsEKX163i2tpGZVCIyz9I8EdN-osAolX3zuo8L9Z5IkZnNKsseoBIt3_MAFryZjG4jHA6y09XrHKrq_wmuku0D7XxPg1B0JlcSjTuFhndUSUokV6PPHEVTd9n0kIVfQgPFq9FyQAOAkEWcMGXgoJ2N-iSCQPj_VDmyjVsNC2m7mdMnd1Z9V5fWPx-ut9A6Byb2bJyf5iNM3kYlKiNexU-smJDIsEaY2DjdOghYgeUgsS_OvaFsLN1QCPd5bcRB3OgLnaR4_LFu7qy4q3mEW2VBeVTr-wHNiDy86EcrC7jtYwi1yk9wMv3juJhoIvLDVBdCj2xLAGUcgQBP6Q3fv99hNPkCzoXO6Ts7zb18CUGsJSB-b1431GS45jfFa1M2IdnnbZQ7q8ZX_hAKCkbyd3G0v59vZKOvJVmYIC5381HhcOFGSNM0H7n-rq0pz3Q6XdDF-3Z0cKb-Kfx7k5IjsY6Uws654bv7bucgE6kYGq6FkfrP2Jy6rlSGzy5Lwz8lRjrvCZojScEdG0b_vcdEey-XZLYNehoRdkxg6vk1Zz7F5vav_p-gBr3go-FB4zDI8fYGPXyjw Failed to create tags: Name 

I'm not really sure why I did not get e-mails about this issue; sorry for the delay in the response here.

@mobrien is there some additional perm we need to grant here to allow the tagging?

@kevin tagging is treated as a separate permission so you will need to add something like below to allow creation and deletion of tags.

I'm not 100% on the resource part being correct, but I think that should be correct. The * in the middle allows for all regions.

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": [
         "ec2:CreateTags",
         "ec2:DeleteTags"
      ],
      "Resource": "arn:aws:ec2:*:<acc_no>:elastic-ip/*"
   }]
}
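To show how the two statements in this ticket (the allocation policy above and the tagging statement just posted) combine, here is an added illustration that is not from the ticket or from any Fedora infra code: it merges them into one document and runs a deliberately simplified IAM evaluation (explicit Deny wins, then any Allow, otherwise denied) so the difference between "Allow" and "Deny" on the tagging statement, and the effect of the region wildcard in the ARN, can be checked offline. The account id is a constructed value standing in for `<acc_no>`.

```python
import fnmatch

# Constructed account id; the ticket's snippet uses the placeholder <acc_no>.
ACCOUNT = "123456789012"

EIP_ACTIONS = [
    "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:DescribeAddresses",
    "ec2:DisassociateAddress", "ec2:ReleaseAddress", "ec2:MoveAddressToVpc",
    "ec2:DescribeMovingAddresses",
]


def build_policy(tag_effect="Allow"):
    """Merge the two statements from the ticket into one policy document.

    tag_effect lets the reader compare the "Allow" the comment asks for with
    a "Deny" on the same statement.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": EIP_ACTIONS, "Resource": "*"},
            {
                "Effect": tag_effect,
                "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
                # '*' in the region field of the ARN covers every region
                "Resource": f"arn:aws:ec2:*:{ACCOUNT}:elastic-ip/*",
            },
        ],
    }


def _matches(patterns, value):
    pats = [patterns] if isinstance(patterns, str) else patterns
    # Simplification: IAM's '*' and '?' wildcards behave like fnmatch here
    # (real IAM additionally matches action names case-insensitively).
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def is_allowed(policy, action, resource):
    """Simplified IAM logic: explicit Deny wins, then any Allow, else denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    eip = f"arn:aws:ec2:us-east-1:{ACCOUNT}:elastic-ip/eipalloc-0123456789abcdef0"
    print(is_allowed(build_policy(), "ec2:CreateTags", eip))        # True
    print(is_allowed(build_policy("Deny"), "ec2:CreateTags", eip))  # False
```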

Except for the fact we can not tag (== we can not even set Name), there's also a very
low limit. I can only see (they are visible to me) 5 elastic IPs, and I can not allocate more:

Elastic IP address could not be allocated.
The maximum number of addresses has been reached.

But for the Copr project, we need 8 IPs at this moment (and one is already taken by another
project). I'd like to request a limit no smaller than 16 elastic IPs.

You should hopefully be able to tag those Elastic IPs now as I have updated the IAM policy.

I have also requested a limit increase for Elastic IP addresses with AWS.

@mobrien I am not seeing this request on the history page. ;( Should we resubmit it?

This ticket wasn't resolved, so I have followed up with AWS; we should get a reply within 24 hours, although usually sooner in my experience.

Metadata Update from @smooge:
- Issue assigned to mobrien
- Issue tagged with: medium-gain, medium-trouble, ops

3 years ago

AWS have got back to me and upped our limit to 30 Elastic IPs in the us-east-1 region. Is there anything else you need for this ticket?

No, awesome! Thank you!

Metadata Update from @praiskup:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago

By "No" I meant that we don't need anything more in this ticket (otherwise it might look a bit ironic). Thank you again @mobrien
