
Introduction

The Aviatrix Sandbox Starter tool requires an AWS access and secret key to perform programmatic actions against your AWS account. Please refer to Managing access keys for IAM users for instructions on how to create those keys and best practices.

The user from whom the access keys are derived needs at least the following access to run the use cases within the Sandbox Starter Tool (SST).

The JSON policy document below is for example purposes only. It is recommended to tighten it further by restricting the Resource section to the accounts and/or resources you intend to act on.

Note: these permissions are separate from what would be needed for a user who would need to launch the SST instance itself from the AMI. They are only for a user who needs to operate the SST.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:AttachInternetGateway",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateInternetGateway",
                "ec2:CreateNetworkInterface",
                "ec2:CreateRoute",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:CreateVpc",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteKeyPair",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteRoute",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteSubnet",
                "ec2:DeleteVpc",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeImages",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceCreditSpecifications",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcClassicLink",
                "ec2:DescribeVpcClassicLinkDnsSupport",
                "ec2:DescribeVpcs",
                "ec2:DetachInternetGateway",
                "ec2:DetachNetworkInterface",
                "ec2:DisassociateAddress",
                "ec2:ImportKeyPair",
                "ec2:ModifyInstanceAttribute",
                "ec2:ReleaseAddress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RunInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:AttachRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:DeleteInstanceProfile",
                "iam:DeletePolicy",
                "iam:DeleteRole",
                "iam:DetachRolePolicy",
                "iam:GetInstanceProfile",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfilesForRole",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies",
                "iam:PassRole",
                "iam:RemoveRoleFromInstanceProfile"
            ],
            "Resource": [
                "arn:aws:iam::<account_id>:instance-profile/aviatrix-*",
                "arn:aws:iam::<account_id>:role/aviatrix-*",
                "arn:aws:iam::<account_id>:policy/aviatrix-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "sts:GetCallerIdentity"
            ],
            "Resource": "*"
        }
    ]
}
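The policy above has to be pasted into the IAM console by hand, and two things commonly go wrong at that step: the `<account_id>` placeholders are left in (the console then refuses the document), and a browser copy button injects invisible Unicode characters so that what looks like valid JSON is not. The script below is an added example, not part of the Aviatrix SST tooling or this post: it strips invisible format characters, fills in the account id, parses the document, and then runs a few least-privilege checks that match the tightening suggestions made here (resource scoping of the IAM statement, an `aws:RequestedRegion` condition on the EC2 statement). The embedded policy is a shortened, constructed sample of the one above, and the account id `111122223333` is a constructed value.

```python
"""Sanitize and lint an IAM policy document before attaching it to a user.

Added example for this post; not part of the Aviatrix SST tooling.
Assumptions: the document uses the same <account_id> placeholder as the
policy above, and 111122223333 is a constructed sample account id.
"""
import copy
import json
import re
import unicodedata

# Constructed, shortened version of the policy shown above.
SAMPLE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:CreateVpc", "ec2:DescribeVpcs"], "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:PassRole"],
     "Resource": ["arn:aws:iam::<account_id>:role/aviatrix-*",
                  "arn:aws:iam::<account_id>:instance-profile/aviatrix-*"]},
    {"Effect": "Allow", "Action": ["sts:GetCallerIdentity"], "Resource": "*"}
  ]
}"""

# Constructed: a BOM at the start and a zero-width space inside the first
# "Effect" key, mimicking what a browser copy button can inject. Without
# sanitizing, json.loads rejects the BOM, and the ZWSP would silently turn
# "Effect" into a different key that IAM would not accept.
PASTED = "\ufeff" + SAMPLE.replace('"Effect"', '"Eff\u200bect"', 1)


def sanitize(text: str) -> str:
    """Drop Unicode format characters (category Cf: ZWSP, ZWJ, BOM, ...)
    and turn non-breaking spaces into ordinary spaces."""
    out = []
    for ch in text:
        if unicodedata.category(ch) == "Cf":
            continue
        out.append(" " if ch == "\u00a0" else ch)
    return "".join(out)


def load_policy(text: str, account_id=None) -> dict:
    """Sanitize, optionally fill <account_id>, and parse the document."""
    text = sanitize(text)
    if account_id is not None:
        if not re.fullmatch(r"\d{12}", account_id):
            raise ValueError("AWS account id must be exactly 12 digits")
        text = text.replace("<account_id>", account_id)
    return json.loads(text)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint(policy: dict) -> list:
    """Return human-readable findings for grants broader than the SST needs."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a.lower().startswith("iam:") for a in actions) and "*" in resources:
            findings.append(f"{sid}: IAM actions granted on Resource '*'")
        if any(a.lower() == "iam:passrole" for a in actions):
            # PassRole only applies to roles; mixing in other ARNs means the
            # statement is wider than the action needs.
            if not all(":role/" in r for r in resources):
                findings.append(f"{sid}: iam:PassRole statement includes non-role resources")
        mutating_ec2 = [a for a in actions
                        if a.startswith("ec2:") and not a.startswith("ec2:Describe")]
        cond = stmt.get("Condition", {})
        region_scoped = any(isinstance(v, dict) and "aws:RequestedRegion" in v
                            for v in cond.values())
        if mutating_ec2 and not region_scoped:
            findings.append(f"{sid}: mutating EC2 actions without aws:RequestedRegion condition")
        if any("<" in r for r in resources):
            findings.append(f"{sid}: unfilled placeholder in Resource")
    return findings


def add_region_condition(policy: dict, regions: list) -> dict:
    """Return a copy where every statement granting ec2:* actions is limited
    to the given regions via aws:RequestedRegion."""
    out = copy.deepcopy(policy)
    for stmt in out.get("Statement", []):
        if any(a.startswith("ec2:") for a in _as_list(stmt.get("Action", []))):
            cond = stmt.setdefault("Condition", {})
            cond.setdefault("StringEquals", {})["aws:RequestedRegion"] = list(regions)
    return out


if __name__ == "__main__":
    policy = load_policy(PASTED, "111122223333")
    for line in lint(policy):
        print("finding:", line)
    print(json.dumps(add_region_condition(policy, ["eu-west-1"]), indent=2))
```

Run it on the full policy by replacing `SAMPLE` with the pasted document; a clean run prints no findings. The region condition is deliberately applied as a copy so that the original document you were given stays untouched for comparison.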

Hello,

For myself I made a bit more constrained policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowParticularRegionEC2",
            "Effect": "Allow",
            "Action": [
                "<all listed ec2 permissions from above>"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": [
                        "eu-west-1"
                    ]
                }
            }
        },
        {
            "Sid": "AllowParticularIamEntities",
            "Effect": "Allow",
            "Action": [
                "<all listed iam permissions from above>"
            ],
            "Resource": [
                "arn:aws:iam::<account id>:instance-profile/aviatrix-*",
                "arn:aws:iam::<account id>:role/aviatrix-*",
                "arn:aws:iam::<account id>:policy/aviatrix-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "sts:GetCallerIdentity"
            ],
            "Resource": "*"
        }
    ]
}


vjacheslav Appreciate the feedback! I've validated your suggestions and have updated the post to include your recommendation.


When you are using Chrome/Edge, the 'Copy' button will generate some invisible Unicode characters which will screw up the policy.

Workaround: Select the text manually and copy manually.


How do I get around this error? Can someone please help? I removed all the unicode chars that generated errors but I ran into this one once I corrected the policy document.

Appreciate the help…


I figured out the issue. I think the document or instruction in this portal should be updated for a virgin setup or user and indicate that the policy needs to be created first (AWS: policy → create policy → attach to user). The instruction does not show this; rather it gives the impression that you simply have to edit an existing one. This may be true for some cases, but for folks who just came into this training this needs to be clearly spelled out in the instructions. If this issue I ran into helps someone in the ACE community, I hope I eased someone's struggles 🙂!…

To the ACE leadership, take this as suggestion to update your document 🙂.

My two cents :)….


I had to add two actions to the above policy to fix errors in SST 1.4.2:

"ec2:DescribeReservedInstancesOfferings" to fix:
error reading EC2 Instance Type Offerings: UnauthorizedOperation: You are not authorized to perform this operation. │ status code: 403, request id: 5419e4b5-e474-4cbb-9408-8de9724e2342 │ │ with module.aviatrix_controller_aws.module.aviatrix_controller_build.data.aws_ec2_instance_type_offering.offering["us-east-1a"], │ on .terraform/modules/aviatrix_controller_aws/modules/aviatrix-controller-build/variables.tf line 117, in data "aws_ec2_instance_type_offering" "offering": │ 117: data "aws_ec2_instance_type_offering" "offering" { │ ╵ ╷ │

"ec2:AssociateRouteTable" to fix:
error creating route table: UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: PZbfG6kiWVHlbpq6RRmeKcjj94M7JNZyCgCortganUlz3immTYP4gif8ln_o7RooYITmG5lAlaoyIwVSSoO_At0rjyQdCXEhJJ0If_IyrPidAgtgw7_dB3wUEf3r2uP0cf1_MiCePDcn2elrjXXInGdZpGaVifmE4ECzKHrwHYdueLmRjqaT4t1tYZtYzYVWUv1g0EnwnwbSTRfo0luYWK70IrT1gUmeVVrlTOQBAoBQ1fQCNReXQh6cX22XtyoIMXRM4P6Jb3AC7uOzh_iJ2kGTwt1UsQFrJJa_QeRoysZDqAfBINtQVLvY_genKC5l13iCi5f4nxMxQUxc0hXt6E1Ux9H2ok2CPcyuuS9WK3Dftfy7opSKV_k9DKrL7u0b14JcJqqPyj9G_AkyaCcYryt096Ewr8aBRnvAvPtXYLW1Ya8CVNlBPGoyVv1fMcxdXXYId1f44_P-0nMskh17jhD_g4-4JMHQvNvF5UoLD_Tv104AKI1cbbiUZ6SC1P85_khJcTRtaAK4mCPGoeZF7HFcBOXtd3To1xYqA13KKkmL6GWkdRV4u6ErjFhgHDIFGgrpqf-RBXPS-ynggamaN38pqx4t-WffXg │ status code: 403, request id: 645d9983-6890-4ebf-b870-c631eecb9111 │ │ with module.aviatrix_controller_aws.module.aviatrix_controller_build.aws_route_table.public[0], │ on .terraform/modules/aviatrix_controller_aws/modules/aviatrix-controller-build/main.tf line 21, in resource "aws_route_table" "public": │ 21: resource "aws_route_table" "public" { │ ╵ --> Controller launch failed, aborting.


I also had to add additional actions to the policy:

ec2:DescribeInstanceTypeOfferings

ec2:CreateRouteTable

ec2:AssociateRouteTable

ec2:DescribeSecurityGroupRules

I did not have to add ec2:DescribeReservedInstancesOfferings at any point during the labs.

I did not have to add ec2:DescribeSecurityGroupRules to run the SST, but since the AWS Access Key is used later in Terraform, I had to add it later to reapply failed changes after correcting them.


I did not face that many issues with the policy code creation.

Turns out a few steps have to be done before inserting the policy code.

For me,

  1. Went to IAM center "policy - create new policy"
  2. Added the policy code
  3. Edited the policy code at the bottom with account_ID (I removed the "< >"; if not, the code would not be validated)
  4. Validated the creation.
  5. I created a group and attached the permission to it
  6. Then I created a user and added it to the group.
