Required permissions policies to attach to IAM user
Hi all,
I am fairly new to the AWS world and I’ve decided to reproduce the results in @jacobtomlinson blog post. To do so, I first had to create a new IAM user (I thought it would be better to create a specific user to test dask-cloudprovider) without attaching any specific permissions policy. Then, after trying to execute cluster = FargateCluster(n_workers=1), I experienced the first permissions issue:
AccessDeniedException: An error occurred (AccessDeniedException) when calling the ListClusters operation: User: arn:aws:iam::707249732839:user/filippoawstest is not authorized to perform: ecs:ListClusters on resource: *
I think I solved this by adding the AWS managed policy AmazonECS_FullAccess.
The second issue I had was:
ClientError: An error occurred (AccessDenied) when calling the ListRoleTags operation: User: arn:aws:iam::707249732839:user/filippoawstest is not authorized to perform: iam:ListRoleTags on resource: role AWSServiceRoleForECS
I think I solved this by adding the AWS managed policy IAMFullAccess.
The third issue I had was:
An error occurred (UnauthorizedOperation) when calling the CreateTags operation: You are not authorized to perform this operation. Encoded authorization failure message: LONG_MESSAGE
After decoding the error message (aws decode-authorization-message --encoded-message LONG_MESSAGE), I believe it was related to this action: 'action': 'ec2:CreateTags'. Again, I think I solved this by adding the AWS managed policy CloudWatchLogsReadOnlyAccess.
After adding these policies, cluster = FargateCluster(n_workers=1) succeeded and produced this message:
/work/bfilippo/miniconda3/envs/aws/lib/python3.7/contextlib.py:119: UserWarning: Creating your cluster is taking a surprisingly long time. This is likely due to pending resources on AWS. Hang tight! next(self.gen)
Then, the remainder of the simple dask array example worked (I could see that through the dashboard too):
import dask.array as da

# Build a lazy 1000 x 1000 x 10000 random array, split into 100 x 100 x 1000 chunks
arr = da.random.random((1000, 1000, 10000), chunks=(100, 100, 1000))
# Start computing the mean on the Fargate workers and keep the result in cluster memory
arr = arr.mean().persist()
# Pull the single resulting value back to the client
arr.compute()
I didn’t play with the ECS Cluster part.
So my question is: Is there a better set of policies to attach to the user?
Cheers. -Filippo
Top GitHub Comments
@dankerrigan suggested we could determine a minimal policy by enabling very permissive policies, then using CloudTrail to figure out what was really used.
So first we added these permissive policies:
We then captured the CloudTrail events, filtering by the user (here Sagemaker), from the time period just before we called FargateCluster to just after we destroyed the cluster:
We saved the events as JSON and then used trailscraper to create an IAM policy from these events.
This didn’t work perfectly (not sure why), but it was a good start. From there we just tried starting a cluster and adding each action one-by-one until it worked:
I also had to add this policy to decode the error message:
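The CloudTrail-driven approach described in the comment above, as an added example that is not code from the issue, from dask-cloudprovider or from trailscraper: it reads exported CloudTrail records, keeps only the events made by the test user, and groups the observed "service:Action" names into one Allow statement per service. The records, the user name daskuser and the EVENT_SOURCE_TO_PREFIX table are constructed assumptions for illustration.

```python
import json
from collections import defaultdict

# Constructed sample records (not a real capture), shaped like the "Records"
# array of an exported CloudTrail event file. Only the fields used here are kept.
SAMPLE_EVENTS = {
    "Records": [
        {"eventSource": "ecs.amazonaws.com", "eventName": "ListClusters",
         "userIdentity": {"userName": "daskuser"}},
        {"eventSource": "iam.amazonaws.com", "eventName": "ListRoleTags",
         "userIdentity": {"userName": "daskuser"}},
        {"eventSource": "ec2.amazonaws.com", "eventName": "CreateTags",
         "userIdentity": {"userName": "daskuser"}},
        {"eventSource": "monitoring.amazonaws.com", "eventName": "GetMetricData",
         "userIdentity": {"userName": "daskuser"}},
        {"eventSource": "ecs.amazonaws.com", "eventName": "ListClusters",
         "userIdentity": {"userName": "daskuser"}},  # duplicate, collapsed below
        {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeVpcs",
         "userIdentity": {"userName": "someone-else"}},  # other user, ignored
    ]
}

# The eventSource host name is not always the IAM service prefix; this small
# table covers the one case in the sample. Assumption: extend it as needed.
EVENT_SOURCE_TO_PREFIX = {"monitoring": "cloudwatch"}


def actions_from_events(records, user):
    """Return the set of 'service:Action' strings the given user actually invoked."""
    actions = set()
    for rec in records:
        if rec.get("userIdentity", {}).get("userName") != user:
            continue
        host = rec["eventSource"].split(".")[0]      # "ecs.amazonaws.com" -> "ecs"
        prefix = EVENT_SOURCE_TO_PREFIX.get(host, host)
        actions.add(f"{prefix}:{rec['eventName']}")
    return actions


def build_policy(actions):
    """Group actions by service into one Allow statement each. Resource is left as
    "*" because CloudTrail alone does not tell you the narrowest ARN; scope it by hand."""
    by_service = defaultdict(list)
    for action in actions:
        by_service[action.split(":")[0]].append(action)
    statements = [{"Sid": f"{svc.capitalize()}Access", "Effect": "Allow",
                   "Action": sorted(acts), "Resource": "*"}
                  for svc, acts in sorted(by_service.items())]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(build_policy(actions_from_events(SAMPLE_EVENTS["Records"], "daskuser")), indent=2))
```

Actions that a library calls only on rare code paths will be missing from a single capture, which is why the comment's "add each action one by one until it works" step still follows this.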