#8667 aws: assign permissions to allocate elastic IPs in AWS for aws-copr
Opened 8 months ago by praiskup. Modified 16 days ago

Metadata Update from @mizdebsk:
- Issue tagged with: aws

8 months ago

We aren't sure how to do this and will have to research it ourselves.

Metadata Update from @smooge:
- Issue priority set to: Waiting on Assignee (was: Needs Review)

8 months ago

This policy, once attached, should give the permissions required to work with elastic IP addresses (the action list was not captured in the ticket; the placeholder below marks where it goes):

    {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "<action list not captured in the ticket>"
            ],
            "Resource": "*"
        }]
    }

Hum, so I guess we can't use:

    "Condition": {
        "StringEqualsIfExists": {
            "ec2:ResourceTag/FedoraGroup": "copr"
        }
    }

because the elastic IPs have no tag or are not taggable, right?

@kevin Elastic IP addresses are taggable, it's just not obvious at first how to do it. Especially using the API, as you can't tag it when you allocate it; you must run a separate create-tags call on the resource ID of the IP.

About halfway down this page (I wish AWS would put anchor links on their headings)

Or https://docs.aws.amazon.com/cli/latest/reference/ec2/create-tags.html for the cli command

So in other words that condition should be added for just copr to have access.

I thought about this again and you are correct, @kevin: we can't use that conditional because, although you can tag the IPs to match that condition, it can't be done at creation time through the console or the CLI; it has to be done after creation.

So the user in the copr group would not be able to access the IP to tag it, as the IP doesn't have the tag to allow them access.

The one possible exception is CloudFormation, as the resource creation template allows tagging on creation, although this may be 2 separate calls under the hood, so it's not clear how the permissions work in this case. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-eip.html

ok, I added the policy above. Can you please try now and let us know what error(s) you get?

Yes, it seems to work!

Though I cannot "tag" them, or set the Name for those IPs:

    Elastic IP address are not authorized to perform this operation. Encoded authorization failure message: 3_soetKrqYhLfEv4dYNvXh-ktprl0sZTR_4OGuTkYr5WsEKX163i2tpGZVCIyz9I8EdN-osAolX3zuo8L9Z5IkZnNKsseoBIt3_MAFryZjG4jHA6y09XrHKrq_wmuku0D7XxPg1B0JlcSjTuFhndUSUokV6PPHEVTd9n0kIVfQgPFq9FyQAOAkEWcMGXgoJ2N-iSCQPj_VDmyjVsNC2m7mdMnd1Z9V5fWPx-ut9A6Byb2bJyf5iNM3kYlKiNexU-smJDIsEaY2DjdOghYgeUgsS_OvaFsLN1QCPd5bcRB3OgLnaR4_LFu7qy4q3mEW2VBeVTr-wHNiDy86EcrC7jtYwi1yk9wMv3juJhoIvLDVBdCj2xLAGUcgQBP6Q3fv99hNPkCzoXO6Ts7zb18CUGsJSB-b1431GS45jfFa1M2IdnnbZQ7q8ZX_hAKCkbyd3G0v59vZKOvJVmYIC5381HhcOFGSNM0H7n-rq0pz3Q6XdDF-3Z0cKb-Kfx7k5IjsY6Uws654bv7bucgE6kYGq6FkfrP2Jy6rlSGzy5Lwz8lRjrvCZojScEdG0b_vcdEey-XZLYNehoRdkxg6vk1Zz7F5vav_p-gBr3go-FB4zDI8fYGPXyjw Failed to create tags: Name

I'm not really sure why I did not get e-mails about this issue; sorry for the delay in the response here.

@mobrien is there some additional perm we need to grant here to allow the tagging?

@kevin tagging is treated as a separate permission, so you will need to add something like the following to allow creation and deletion of tags.

I'm not 100% on the resource part being correct, but I think that should be correct. The * in the middle allows for all regions.

    {
        "Effect": "Deny",
        "Action": [
            "<action list not captured in the ticket>"
        ],
        "Resource": "arn:aws:ec2:*:<acc_no>:elastic-ip/*"
    }
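Two points made in this thread, that the tag has to be applied in a separate create-tags call on the allocation ID, and that tagging is a permission separate from allocating the address, can be checked with a small simulation of how IAM evaluates a request. The following Python is an added example, not a policy from this ticket or from Fedora infrastructure: the action lists are an assumption (the ticket does not show them), the account number 123456789012 is a constructed placeholder for `<acc_no>`, and the evaluator models only Effect/Action/Resource with explicit Deny over Allow over implicit deny, not Condition blocks.

```python
"""Minimal IAM-style evaluator for the elastic IP + tagging flow.

Added example, not the ticket's own policy. The action lists are assumed
(the ticket elided them) and "123456789012" is a constructed placeholder
for the real account number written <acc_no> in the thread.
"""
import json
import re

ACCOUNT = "123456789012"  # constructed placeholder for <acc_no>

# Statement 1: what the first policy in the thread plausibly granted
# (assumed action list; the ticket does not show it).
EIP_STATEMENT = {
    "Effect": "Allow",
    "Action": [
        "ec2:AllocateAddress",
        "ec2:ReleaseAddress",
        "ec2:AssociateAddress",
        "ec2:DisassociateAddress",
        "ec2:DescribeAddresses",
    ],
    "Resource": "*",
}

# Statement 2: tagging is a separate permission; scope it to EIP ARNs only
# so the same principal cannot retag instances, volumes, etc.
TAG_STATEMENT = {
    "Effect": "Allow",
    "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
    "Resource": f"arn:aws:ec2:*:{ACCOUNT}:elastic-ip/*",
}

POLICY_WITHOUT_TAGGING = {"Version": "2012-10-17", "Statement": [EIP_STATEMENT]}
POLICY_WITH_TAGGING = {"Version": "2012-10-17",
                       "Statement": [EIP_STATEMENT, TAG_STATEMENT]}


def _glob_match(pattern, value):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny'.

    Follows the IAM evaluation order: any matching Deny statement wins,
    otherwise any matching Allow, otherwise the request is implicitly
    denied. Action names are case-insensitive; Condition is not modelled.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(_glob_match(a.lower(), action.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(_glob_match(r, resource)
                           for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def eip_workflow(policy, region="us-east-1",
                 allocation_id="eipalloc-0123456789abcdef0"):
    """Walk the two-step flow from the thread and return per-step decisions.

    1. AllocateAddress: the request names no existing resource, modelled
       here as the resource '*'.
    2. CreateTags on the new allocation ID, as a separate call.
    3. AssociateAddress on the now-tagged address.
    """
    eip_arn = f"arn:aws:ec2:{region}:{ACCOUNT}:elastic-ip/{allocation_id}"
    steps = [
        ("ec2:AllocateAddress", "*"),
        ("ec2:CreateTags", eip_arn),
        ("ec2:AssociateAddress", eip_arn),
    ]
    return {action: evaluate(policy, action, res) for action, res in steps}


if __name__ == "__main__":
    for name, policy in (("without tagging statement", POLICY_WITHOUT_TAGGING),
                         ("with tagging statement", POLICY_WITH_TAGGING)):
        print(name, json.dumps(eip_workflow(policy), indent=2))
```

Run as a script, it shows the gap the thread describes: with only the first statement, AllocateAddress is allowed but the follow-up CreateTags is implicitly denied, which is the shape of the "Failed to create tags: Name" failure above; with the second statement added, the whole flow is allowed while CreateTags on any non-EIP ARN stays denied. The real-world check after attaching a policy is the same sequence with the CLI (`aws ec2 allocate-address`, then `aws ec2 create-tags --resources <allocation id> --tags Key=Name,Value=...`), and an encoded authorization failure message like the one quoted above can be turned back into the denying statement with `aws sts decode-authorization-message --encoded-message ...`, which needs the `sts:DecodeAuthorizationMessage` permission.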
