Restricting resources to a specific region


Purpose

We recommend giving the user linked to Bamboo full Admin access (Amazon EC2 Full Access), as required permissions may change in the future.


The purpose of this article is to show users how to restrict AWS permissions to a certain region.

You can specify a region in the Resource field of the policy. With resource-level permissions you can grant permission to reboot, start, stop, and terminate specific EC2 instances, and to attach, delete, and detach specific EBS (Elastic Block Store) volumes. However, not every EC2 action currently allows you to specify resources or regions.

Below is the list of AWS actions used by Bamboo.

ec2:AllocateAddress
ec2:AssociateAddress
ec2:AttachVolume
ec2:AuthorizeSecurityGroupIngress
ec2:CancelSpotInstanceRequests
ec2:CreateKeyPair
ec2:CreateSecurityGroup
ec2:CreateTags
ec2:CreateVolume
ec2:DeleteVolume
ec2:DescribeAddresses
ec2:DescribeAvailabilityZones
ec2:DescribeImages
ec2:DescribeInstances
ec2:DescribeKeyPairs
ec2:DescribeRegions
ec2:DescribeSecurityGroups
ec2:DescribeSpotInstanceRequests
ec2:DescribeSpotPriceHistory
ec2:DescribeSubnets
ec2:DescribeVolumes
ec2:DescribeVpcs
ec2:GetConsoleOutput
ec2:ModifyInstanceAttribute
ec2:ReleaseAddress
ec2:RequestSpotInstances
ec2:RunInstances
ec2:TerminateInstances
s3:GetObject
s3:ListBucket

Note that not all AWS actions support resource-level permissions. Attempting to apply resource-level permissions to all of the API actions will produce errors in the Bamboo log. For example, if you attach the policy below to an IAM group...

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SorryThisIsNotGoingToWorkAsExpected",
            "Effect": "Allow",
            "Action": ["ec2:*"],
            "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*"
        }
    ]
}

...it will return errors in the Bamboo log.

2015-08-31 14:58:41.084424500 Caused by: com.amazonaws.AmazonServiceException: You are not authorized to perform this operation. 
(Service: AmazonEC2; Status Code: 403; Error Code: UnauthorizedOperation; Request ID: f1f95366-98e3-40af-bc66-82d70599ed49)
2015-08-31 14:58:41.084426500 	at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:1160)
2015-08-31 14:58:41.084427500 	at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:748)
2015-08-31 14:58:41.084427500 	at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:467)
2015-08-31 14:58:41.084428500 	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:302)
2015-08-31 14:58:41.084429500 	at com.amazonaws.services.ec2.AmazonEC2Client.invoke(AmazonEC2Client.java:11598)
2015-08-31 14:58:41.084429500 	at com.amazonaws.services.ec2.AmazonEC2Client.describeAccountAttributes(AmazonEC2Client.java:2311)
2015-08-31 14:58:41.084430500 	at com.amazonaws.services.ec2.AmazonEC2Client.describeAccountAttributes(AmazonEC2Client.java:10246)
2015-08-31 14:58:41.084434500 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
2015-08-31 14:58:41.084434500 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
2015-08-31 14:58:41.084435500 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
2015-08-31 14:58:41.084435500 	at java.lang.reflect.Method.invoke(Method.java:497)
2015-08-31 14:58:41.084436500 	at com.atlassian.aws.CallTimingProxy$1.invoke(CallTimingProxy.java:34)
2015-08-31 14:58:41.084437500 	at com.sun.proxy.$Proxy1412.describeAccountAttributes(Unknown Source)
2015-08-31 14:58:41.084439500 	at com.atlassian.aws.AWSAccountImpl$2.get(AWSAccountImpl.java:158)
2015-08-31 14:58:41.084440500 	at com.atlassian.aws.AWSAccountImpl$2.get(AWSAccountImpl.java:154)
2015-08-31 14:58:41.084440500 	at com.google.common.base.Suppliers$ExpiringMemoizingSupplier.get(Suppliers.java:173)
2015-08-31 14:58:41.084441500 	at com.atlassian.aws.AWSAccountImpl.getAccountAttributes(AWSAccountImpl.java:324)
2015-08-31 14:58:41.084441500 	at com.atlassian.bamboo.agent.elastic.server.ElasticFunctionalityFacadeImpl.getVpcsAndSubnets(ElasticFunctionalityFacadeImpl.java:267)
2015-08-31 14:58:41.084442500 	at com.atlassian.bamboo.agent.elastic.server.ElasticFunctionalityFacadeImpl.ensureSecurityGroupsExist(ElasticFunctionalityFacadeImpl.java:290)
2015-08-31 14:58:41.084443500 	at com.atlassian.bamboo.agent.elastic.server.ElasticFunctionalityFacadeImpl.startupAgents(ElasticFunctionalityFacadeImpl.java:180)
2015-08-31 14:58:41.084444500 	... 249 more

This error is returned because not all API actions support resource-level permissions. From the list of API actions used by Bamboo, for example, ec2:DescribeRegions does not support resource-level permissions.

Solution

  • Instead of assigning resource-level permissions to all API actions, assign them separately, and only to the API actions that support them. Here is an example:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TheseActionsDontSupportResourceLevelPermissions",
                "Effect": "Allow",
                "Action": ["ec2:Describe*"],
                "Resource": "*"
            },
            {
                "Sid": "TheseActionsSupportResourceLevelPermissions",
                "Effect": "Allow",
                "Action": [
                    "ec2:RunInstances","ec2:TerminateInstances"
                ],
                "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*"
            }
        ]
    }
  • To know which API actions are supported and which are not, visit this link and check: Granting IAM Users Required Permissions for Amazon EC2 Resources
  • For an in-depth explanation of the matter, it is recommended to read this link: Demystifying EC2 Resource-Level Permissions
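The two policies above differ only in how the action list is split between a Resource of "*" and a region-scoped ARN, and the failure mode of getting that split wrong is a runtime 403 (UnauthorizedOperation) in the Bamboo log. The script below is an added example, not code from Atlassian or AWS: it builds the split policy from the article's action list and lints a policy for actions that have been scoped to a specific Resource even though they only work with "*". The classification in NO_RESOURCE_LEVEL is an assumption taken from the article's own ec2:Describe* split; the AWS EC2 permissions guide linked above is the authority for the full list, so extend that set from there before relying on the output. The account id and region are constructed sample values.

```python
import fnmatch
import json

# The EC2 actions the article lists as used by Bamboo. The two S3 actions are
# left out because S3 ARNs are scoped by bucket, not by region.
BAMBOO_EC2_ACTIONS = [
    "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:AttachVolume",
    "ec2:AuthorizeSecurityGroupIngress", "ec2:CancelSpotInstanceRequests",
    "ec2:CreateKeyPair", "ec2:CreateSecurityGroup", "ec2:CreateTags",
    "ec2:CreateVolume", "ec2:DeleteVolume", "ec2:DescribeAddresses",
    "ec2:DescribeAvailabilityZones", "ec2:DescribeImages",
    "ec2:DescribeInstances", "ec2:DescribeKeyPairs", "ec2:DescribeRegions",
    "ec2:DescribeSecurityGroups", "ec2:DescribeSpotInstanceRequests",
    "ec2:DescribeSpotPriceHistory", "ec2:DescribeSubnets",
    "ec2:DescribeVolumes", "ec2:DescribeVpcs", "ec2:GetConsoleOutput",
    "ec2:ModifyInstanceAttribute", "ec2:ReleaseAddress",
    "ec2:RequestSpotInstances", "ec2:RunInstances", "ec2:TerminateInstances",
]

# Assumption: these patterns stand in for the actions that only accept a
# Resource of "*". The article names ec2:DescribeRegions and groups all
# ec2:Describe* actions that way; the AWS documentation has the full list.
NO_RESOURCE_LEVEL = ["ec2:Describe*"]

# The article's "not going to work" policy, reproduced so the lint can be
# run against it. "accountid" is the article's own placeholder.
ARTICLE_BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "SorryThisIsNotGoingToWorkAsExpected",
        "Effect": "Allow",
        "Action": ["ec2:*"],
        "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*",
    }],
}


def _matches(action, patterns):
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scoped_actions_that_will_fail(policy, known_actions=BAMBOO_EC2_ACTIONS,
                                  unsupported=NO_RESOURCE_LEVEL):
    """Return the concrete actions that a policy restricts to a specific
    Resource even though they only work with Resource "*". Each of these
    produces an UnauthorizedOperation at runtime instead of a policy error."""
    failing = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Resource", [])):
            continue  # unrestricted Resource, nothing to flag
        for pattern in _as_list(stmt["Action"]):
            # Expand wildcards such as "ec2:*" against the known action list.
            for action in known_actions:
                if fnmatch.fnmatchcase(action, pattern) and _matches(action, unsupported):
                    failing.add(action)
    return sorted(failing)


def build_region_policy(region, account_id, actions=BAMBOO_EC2_ACTIONS,
                        unsupported=NO_RESOURCE_LEVEL):
    """Split the action list into the two statements the article describes:
    actions without resource-level support get Resource "*", the rest are
    scoped to instance ARNs in one region. The instance-only ARN follows the
    article's example; actions on other resource types (volumes, security
    groups, ...) need the ARNs of those types as well."""
    unrestricted = [a for a in actions if _matches(a, unsupported)]
    restricted = [a for a in actions if not _matches(a, unsupported)]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TheseActionsDontSupportResourceLevelPermissions",
                "Effect": "Allow",
                "Action": unrestricted,
                "Resource": "*",
            },
            {
                "Sid": "TheseActionsSupportResourceLevelPermissions",
                "Effect": "Allow",
                "Action": restricted,
                "Resource": "arn:aws:ec2:%s:%s:instance/*" % (region, account_id),
            },
        ],
    }


if __name__ == "__main__":
    print("actions that would fail:", scoped_actions_that_will_fail(ARTICLE_BROKEN_POLICY))
    # 123456789012 is a constructed sample account id.
    print(json.dumps(build_region_policy("us-east-1", "123456789012"), indent=2))
```

Run the lint against any policy before attaching it to the IAM group: a non-empty result means the Bamboo log will show the 403 stack trace from the article rather than a clean startup, and the named actions are the ones to move into the Resource "*" statement.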


Last modified on Mar 30, 2016
