forked from cloudfoundry/docs-bosh
-
Notifications
You must be signed in to change notification settings - Fork 0
/
aws-iam-instance-profiles.html.md.erb
182 lines (152 loc) · 6.99 KB
/
aws-iam-instance-profiles.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
---
title: Using IAM Instance Profiles
---
<p class="note">Note: This feature is available with bosh-release v208+ (1.3087.0) colocated with bosh-aws-cpi v31+.</p>
This topic describes how to configure BOSH to use [AWS IAM instance profiles](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html) to avoid hard coding specific AWS credentials.
You may have to create one or more IAM instance profiles to limit access to AWS resources depending on how BOSH is configured and what software you are planning to deploy. Below are a few example configurations.
<p class="note">Note: Each IAM role when created has an associated IAM instance profile with the same name. There is no need to create instance profiles explicitly.</p>
## <a id="only-director"></a> Example A: AWS CPI and Director configured with default blobstore
1. Create `director` IAM role that allow `ec2:*` actions to create/delete VMs, attach/detach disks, etc. Optionally add `elasticloadbalancing:*` actions to register VMs with ELBs if you are planning to use `elbs` configuration with resource pools.
```json
{
"Version": "2012-10-17",
"Statement": [{
"Action": [
"ec2:AssociateAddress",
"ec2:AttachVolume",
"ec2:CreateVolume",
"ec2:DeleteSnapshot",
"ec2:DeleteVolume",
"ec2:DescribeAddresses",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeRegions",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeVolumes",
"ec2:DetachVolume",
"ec2:CreateSnapshot",
"ec2:CreateTags",
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:RegisterImage",
"ec2:DeregisterImage"
],
"Effect": "Allow",
"Resource": "*"
},{
"Effect": "Allow",
"Action": "elasticloadbalancing:*",
"Resource": "*"
}]
}
```
1. Change deployment manifest for the Director (typically used with bosh-init) to configure AWS CPI to use `director` IAM profile:
```yaml
resource_pools:
- name: default
network: default
stemcell: { ... }
cloud_properties:
instance_type: m3.xlarge
iam_instance_profile: director
```
1. Instead of providing `access_key_id` and `secret_access_key`, configure AWS CPI in the deployment manifest to use IAM instance profile as a credentials source:
```yaml
properties:
aws: &aws
credentials_source: env_or_profile
# access_key_id and secret_access_key are not provided
# ...
```
<p class="note">Note: To use IAM instance profile as a credentials source when using bosh-init, you have to run bosh-init from a <a href="terminology.html#jumpbox">jump box</a>, an existing AWS instance with IAM instance profile (you can reuse `director` IAM role). Alternatively if you are deploying the Director VM from outside of the AWS, you can use hard coded credentials with bosh-init and have the AWS CPI on the Director VM use IAM instance profile as a credentials source.</p>
<p class="note">Note: Even though value specified is `env_or_profile`, bosh-init or the Director do not currently take advantage of the environment variables, only instance the profile, hence to take advantage of this feature you have to run on an AWS instance.</p>
---
## <a id="director-with-s3-blobstore"></a> Example B: AWS CPI and Director configured with an S3 blobstore
This configuration is similar to the previous one except that it's used when the Director and the Agents use S3 as their [blobstore](bosh-components.html#blobstore) instead of an internal blobstore provided by the bosh release.
1. Create `deployed-vm` IAM role which allows `s3:*` actions for a chosen S3 bucket. This IAM role will be used by default for all VMs created by the Director.
```json
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [ "s3:*" ],
"Resource": [
"arn:aws:s3:::<bosh_bucket_name>",
"arn:aws:s3:::<bosh_bucket_name>/*",
]
}]
}
```
1. Create `director` IAM role with:
- `ec2:*` actions
- `iam:PassRole` action for allowing to create VMs with a specific IAM role
- `s3:*` actions for the same S3 bucket
```json
{
"Version": "2012-10-17",
"Statement": [{
"Action": [
"ec2:AssociateAddress",
"ec2:AttachVolume",
"ec2:CreateVolume",
"ec2:DeleteSnapshot",
"ec2:DeleteVolume",
"ec2:DescribeAddresses",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeRegions",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeVolumes",
"ec2:DetachVolume",
"ec2:CreateSnapshot",
"ec2:CreateTags",
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:RegisterImage",
"ec2:DeregisterImage"
],
"Effect": "Allow",
"Resource": "*"
},{
"Effect":"Allow",
"Action":"iam:PassRole",
"Resource":"arn:aws:iam::<accound_id>:role/deployed-vm"
},{
"Effect": "Allow",
"Action": [ "s3:*" ],
"Resource": [
"arn:aws:s3:::<bosh_bucket_name>",
"arn:aws:s3:::<bosh_bucket_name>/*",
]
}]
}
```
1. In addition to configuring AWS CPI in the deployment manifest to use IAM instance profile as a credentials source, also set default IAM instance profile for all future deployed VMs:
```yaml
properties:
aws: &aws
credentials_source: env_or_profile
default_iam_instance_profile: deployed-vm
# ...
```
<p class="note">Note: <code>iam_instance_profile</code> key in resource pool's cloud_properties takes precedence over the default IAM instance profile, so that specific VMs can have greater access to the AWS resources.</p>
---
## <a id="errors"></a> Errors
```
You are not authorized to perform this operation. Encoded authorization failure message: vHU-KncL6Yo4pG5J9p...
```
Use `aws sts decode-authorization-message` command to decode message included in the error. For example:
<pre class="terminal extra-wide">
$ aws sts decode-authorization-message --encoded-message vHU-KncL6Yo4pG5J9p...
{
"DecodedMessage": "{\"allowed\":false,\"explicitDeny\":false,\"matchedStatements\":{\"items\":[]},\"failures\":{\"items\":[]},\"context\":{\"principal\":{\"id\":\"AROxxx:i-56a18483\",\"arn\":\"arn:aws:sts::xxx:assumed-role/director/i-56a18483\"},\"action\":\"iam:PassRole\",\"resource\":\"arn:aws:iam::xxx:role/deployed-vm\",\"conditions\":{\"items\":[]}}}"
}
</pre>
Decoded message above indicates that `iam:PassRole` action needs to be added to the `director` IAM role so that the AWS CPI can create VMs with `deployed-vm` IAM role.
---
Next: [Using instance storage](aws-instance-storage.html)
Previous: [AWS](aws-cpi.html)