
Required permissions policies to attach to IAM user


Hi all,

I am fairly new to the AWS world and I’ve decided to reproduce the results in @jacobtomlinson’s blog post. To do so, I first had to create a new IAM user (I thought it would be better to create a specific user to test dask-cloudprovider) without attaching any specific permissions policy. Then, after trying to execute cluster = FargateCluster(n_workers=1), I experienced the first permissions issue:

AccessDeniedException: An error occurred (AccessDeniedException) when calling the ListClusters operation: User: arn:aws:iam::707249732839:user/filippoawstest is not authorized to perform: ecs:ListClusters on resource: *

I think I solved this by adding the AWS managed policy AmazonECS_FullAccess.

The second issue I had was:

ClientError: An error occurred (AccessDenied) when calling the ListRoleTags operation: User: arn:aws:iam::707249732839:user/filippoawstest is not authorized to perform: iam:ListRoleTags on resource: role AWSServiceRoleForECS

I think I solved this by adding the AWS managed policy IAMFullAccess.

The third issue I had was:

An error occurred (UnauthorizedOperation) when calling the CreateTags operation: You are not authorized to perform this operation. Encoded authorization failure message: LONG_MESSAGE

After decoding the error message (aws sts decode-authorization-message --encoded-message LONG_MESSAGE), I believe it was related to this action: 'action': 'ec2:CreateTags'. Again, I think I solved this by adding the AWS managed policy CloudWatchLogsReadOnlyAccess.

After adding these policies, cluster = FargateCluster(n_workers=1) succeeded and produced this message:

/work/bfilippo/miniconda3/envs/aws/lib/python3.7/contextlib.py:119: UserWarning: Creating your cluster is taking a surprisingly long time. This is likely due to pending resources on AWS. Hang tight! next(self.gen)

Then, the rest of the simple dask array example worked (I could see that through the dashboard too):

import dask.array as da
# Build a lazy 1000 x 1000 x 10000 random array split into chunks of 100 x 100 x 1000
arr = da.random.random((1000, 1000, 10000), chunks=(100, 100, 1000))
# Reduce to the mean and keep the result on the Fargate workers
arr = arr.mean().persist()
# Bring the scalar result back to the client
arr.compute()

I didn’t play with the ECS Cluster part.

So my question is: Is there a better set of policies to attach to the user?

Cheers. -Filippo

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 12 (7 by maintainers)

Top GitHub Comments

3 reactions
rsignell-usgs commented, Feb 28, 2020

@dankerrigan suggested we could determine a minimal policy by enabling very permissive policies, then using CloudTrail to figure out what was really used.

So first we added these permissive policies:

[screenshot: 2020-02-28_12-13-19]

We then captured the CloudTrail events filtering by the user (here Sagemaker) from the time period just before we called FargateCluster to just after we destroyed the cluster:

[screenshot: 2020-02-28_12-50-05]

We saved the events as JSON and then used trailscraper to create an IAM policy from these events.

This didn’t work perfectly (not sure why), but it was a good start. From there we just tried starting a cluster and adding each action one-by-one until it worked:

{
    "Statement": [
        {
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DeleteSecurityGroup",
                "ecs:CreateCluster",
                "ecs:DescribeTasks",
                "ecs:ListAccountSettings",
                "ecs:RegisterTaskDefinition",
                "ecs:RunTask",
                "ecs:StopTask",
                "ecs:ListClusters",
                "ecs:DescribeClusters",
                "ecs:DeleteCluster",
                "ecs:ListTaskDefinitions",
                "ecs:DescribeTaskDefinition",
                "ecs:DeregisterTaskDefinition",
                "iam:AttachRolePolicy",
                "iam:CreateRole",
                "iam:TagRole",
                "iam:PassRole",
                "iam:DeleteRole",
                "iam:ListRoleTags",
                "iam:ListAttachedRolePolicies",
                "iam:DetachRolePolicy",
                "logs:DescribeLogGroups"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        }
    ],
    "Version": "2012-10-17"
}
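The comment above describes the workflow in prose: grant a permissive policy, capture CloudTrail events for the user, turn them into an action list, then tighten by hand. The script below is an added example of that reduction, written for this page; it is not dask-cloudprovider or trailscraper code. It assumes a CloudTrail export in the usual `{"Records": [...]}` shape and uses a constructed sample; the user name `filippoawstest` is taken from the error messages in the issue. It also includes a check for the hand-editing step: given a candidate policy, it reports which observed actions the policy still does not grant.

```python
"""Derive a least-privilege IAM policy from CloudTrail events (added example,
not dask-cloudprovider or trailscraper code)."""
import fnmatch
import json

# Constructed sample of CloudTrail records for one IAM user. Real exports
# carry many more fields; only eventSource, eventName and userIdentity matter here.
SAMPLE_EVENTS = {
    "Records": [
        {"eventSource": "ecs.amazonaws.com", "eventName": "ListClusters",
         "userIdentity": {"userName": "filippoawstest"}},
        {"eventSource": "ecs.amazonaws.com", "eventName": "CreateCluster",
         "userIdentity": {"userName": "filippoawstest"}},
        {"eventSource": "ec2.amazonaws.com", "eventName": "CreateTags",
         "userIdentity": {"userName": "filippoawstest"}},
        {"eventSource": "iam.amazonaws.com", "eventName": "ListRoleTags",
         "userIdentity": {"userName": "filippoawstest"}},
        {"eventSource": "iam.amazonaws.com", "eventName": "PassRole",
         "userIdentity": {"userName": "filippoawstest"}},
        # A denied call: the workflow needed this action but was not granted it,
        # so it still belongs in the derived policy.
        {"eventSource": "logs.amazonaws.com", "eventName": "DescribeLogGroups",
         "userIdentity": {"userName": "filippoawstest"},
         "errorCode": "AccessDenied"},
        # Noise from a different principal; must be filtered out.
        {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
         "userIdentity": {"userName": "someone-else"}},
    ]
}


def observed_actions(records, user_name):
    """Return the set of 'service:Action' strings the given user invoked.

    eventSource is '<service>.amazonaws.com' and eventName is the API
    operation; joining them approximates the IAM action name. Denied calls
    are kept deliberately: they show what the tool needs but was refused.
    """
    actions = set()
    for rec in records:
        if rec.get("userIdentity", {}).get("userName") != user_name:
            continue
        service = rec["eventSource"].split(".")[0]
        actions.add(f"{service}:{rec['eventName']}")
    return actions


def build_policy(actions):
    """Build a single-statement Allow policy listing the observed actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(actions),
            # Resource stays '*' as in the issue; narrowing it per service is
            # the next step once the action list has stabilised.
            "Resource": ["*"],
        }],
    }


def _grants(pattern, action):
    """IAM action matching is case-insensitive and allows '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy, required):
    """Return the required actions that no Allow statement in the policy grants.

    Handles exact names and wildcard forms such as 'ecs:*' or 'ecs:List*', which
    is enough to check a hand-edited policy like the one in the comment above.
    """
    allowed = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        allowed.extend([acts] if isinstance(acts, str) else acts)
    return sorted(a for a in required
                  if not any(_grants(p, a) for p in allowed))


if __name__ == "__main__":
    needed = observed_actions(SAMPLE_EVENTS["Records"], "filippoawstest")
    print(json.dumps(build_policy(needed), indent=2))
    # Check a partially tightened policy against what CloudTrail showed.
    candidate = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ecs:*", "iam:PassRole"], "Resource": ["*"]}]}
    print("still missing:", missing_actions(candidate, needed))
```

Two caveats explain why the comment says the generated policy "didn’t work perfectly": CloudTrail does not record every API call (data-plane events for some services are off by default), and an eventName is not always spelled exactly like the IAM action it requires, so the derived list is a starting point to diff against, not a finished policy.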

3 reactions
filippo82 commented, Dec 19, 2019

I also had to add this policy to decode the error message:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["sts:DecodeAuthorizationMessage"],
      "Resource": ["*"]
    }
  ]
}