0

So, I am using the ec2.py script (provisioned by Ansible) for generating dynamic inventories. I have created the following IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:Region": "ca-central-1"
                }
            }
        }
    ]
}

This is because I want the Ansible controller to grab data only from EC2 instances in ca-central-1 (i.e. Canada). I don't want it to touch other regions, as they are production/staging environments and I don't want to mess things up there. The problem is that I am getting

ERROR: "Error connecting to AWS backend.
You are not authorized to perform this operation.", while: getting EC2 instances

It works if I use this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*"
        }
    ]
}

But that policy grants permissions to everything, even in production environments. Even using roles, I find this to be a little bit overkill. Am I not considering something?

  • 1
    Is your region specified in the script? Is it failing because it's trying all regions instead of just `ca-central-1`? – B. Miller May 30 '18 at 00:06

1 Answer

1

Well, it looks like the problem was that the ini file is set to query all regions, so I just had to modify the ini file to:

regions = ca-central-1

and comment out the

#regions_exclude = us-gov-west-1, cn-north-1
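The interaction between the question's region-scoped policy and the answer's ini fix, as an added example that is not part of the original question, the answer, or Ansible's ec2.py. It mirrors the script's region selection (`regions = all` means every region minus `regions_exclude`; otherwise the listed regions) and its behaviour of aborting the whole run on the first AWS error. The region list, the `fake_describe_instances` backend and the two ini fragments are constructed for the example; the real script talks to AWS through boto.

```python
"""
Added example (not from the original post or from Ansible's ec2.py): shows why a
region-scoped IAM policy breaks ec2.py when ec2.ini queries every region.
The real script loops over the configured regions and calls DescribeInstances
in each; one authorization failure aborts the whole inventory run.  The AWS
backend here is a constructed fake that mimics that behaviour offline.
"""
import configparser
from io import StringIO

# Regions the real script would enumerate from boto's region list
# (constructed, shortened list for the example).
ALL_REGIONS = ["us-east-1", "us-west-2", "ca-central-1", "eu-west-1",
               "us-gov-west-1", "cn-north-1"]


class UnauthorizedOperation(Exception):
    """Stand-in for the AWS error ec2.py surfaces as
    'You are not authorized to perform this operation.'"""


def regions_from_ini(ini_text):
    """Mirror ec2.py's region selection from the [ec2] section of ec2.ini:
    'regions = all' means every known region minus 'regions_exclude';
    otherwise the comma-separated list is used as given."""
    cfg = configparser.ConfigParser()
    cfg.read_file(StringIO(ini_text))
    raw = cfg.get("ec2", "regions", fallback="all")
    if raw.strip() == "all":
        exclude = cfg.get("ec2", "regions_exclude", fallback="")
        excluded = {r.strip() for r in exclude.split(",") if r.strip()}
        return [r for r in ALL_REGIONS if r not in excluded]
    return [r.strip() for r in raw.split(",") if r.strip()]


def fake_describe_instances(region, allowed_regions):
    """Constructed stand-in for ec2:DescribeInstances under the question's
    policy: the ec2:Region condition means any call outside the allowed
    region(s) is denied outright."""
    if region not in allowed_regions:
        raise UnauthorizedOperation(
            "You are not authorized to perform this operation.")
    # Constructed sample data: one instance per allowed region.
    return [{"InstanceId": f"i-{region}-0001", "Region": region}]


def build_inventory(ini_text, allowed_regions):
    """Mimic ec2.py's main loop: query each configured region in turn and
    abort on the first AWS error, which is what the real script does."""
    inventory = {}
    for region in regions_from_ini(ini_text):
        try:
            instances = fake_describe_instances(region, allowed_regions)
        except UnauthorizedOperation as exc:
            raise RuntimeError(
                f"Error connecting to AWS backend.\n{exc}, while: "
                f"getting EC2 instances (region {region})") from exc
        inventory[region] = [i["InstanceId"] for i in instances]
    return inventory


# Stock ec2.ini behaviour (constructed fragment): query every region,
# minus the GovCloud/China exclusions shipped in the default file.
INI_ALL_REGIONS = """
[ec2]
regions = all
regions_exclude = us-gov-west-1, cn-north-1
"""

# The fix from the accepted answer: list only the region the policy allows.
INI_SINGLE_REGION = """
[ec2]
regions = ca-central-1
"""

# What the question's IAM condition effectively permits (assumption).
POLICY_ALLOWED = {"ca-central-1"}

if __name__ == "__main__":
    try:
        build_inventory(INI_ALL_REGIONS, POLICY_ALLOWED)
    except RuntimeError as err:
        print("regions = all ->", err)
    print("regions = ca-central-1 ->",
          build_inventory(INI_SINGLE_REGION, POLICY_ALLOWED))
```

With `regions = all` the first region tried is one the policy denies, so the run dies before it ever reaches ca-central-1; the policy itself is fine, it is the ini that asks for more than the policy grants. Restricting `regions` in the ini keeps the least-privilege policy and makes the script query only what it is allowed to see.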