
I'm using an AWS autoscaling group which is controlled by a server that predicts upcoming load and scales up/down to its needs. The server needs permissions to the autoscaling API with the least amount of needed privileges.

My issues are with restricting the server to only use a specific autoscaling group defined over the resource field. All policy examples I found so far are only using "*" in the resource field, which should mean it has access to all autoscaling groups if I'm not mistaken.

data "aws_iam_policy_document" "default" {
  statement {
    sid    = "S3PolicyStmtNodeAutoscalingApiCalls"
    effect = "Allow"

    actions   = [
      "autoscaling:DescribeAutoScalingGroups",
      "autoscaling:SetDesiredCapacity",
      "autoscaling:TerminateInstanceInAutoScalingGroup"
    ]

    resources = [ var.autoscaling_group_arn ]
  }
}

Implemented via Terraform, this translates into the following JSON policy (autoscaling group ARN obfuscated):

resource "aws_iam_policy" "aws_api_access" {
  arn    = "arn:aws:iam::123456789123:policy/aws-api-access"
  id     = "arn:aws:iam::123456789123:policy/aws-api-access"
  name   = "aws-api-access"
  path   = "/"
  policy = jsonencode({
    Statement = [
      {
        Action   = [
          "autoscaling:TerminateInstanceInAutoScalingGroup",
          "autoscaling:SetDesiredCapacity",
          "autoscaling:DescribeAutoScalingGroups",
        ]
        Effect   = "Allow"
        Resource = "arn:aws:autoscaling:region:acountid:autoScalingGroup:id:autoScalingGroupName/name"
        Sid      = "S3PolicyStmtAutoscalingApiCalls"
      }
    ]
    Version   = "2012-10-17"
  })
}

Error is AccessDenied: User: arn:aws:sts::id:assumed-role/role_name/i-instance-id is not authorized to perform: autoscaling:DescribeAutoScalingGroups

So far I only got it to run using the wildcard inside the resource attribute, any hints appreciated.

Obi-Wan
    Do you get an error when using the restricted resource? If so can you post it? – ydaetskcoR Apr 23 '20 at 10:19
    Looking at https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2autoscaling.html#amazonec2autoscaling-actions-as-permissions it looks like `autoscaling:DescribeAutoScalingGroups` can't be restricted by resource or condition key but the other 2 permissions should be fine as is. I'd separate them into separate statements in the IAM policy and then I think that should work. – ydaetskcoR Apr 23 '20 at 10:21
  • uh, nice hint gonna try that! Error is AccessDenied: User: arn:aws:sts::id:assumed-role/role_name/i-instance-id is not authorized to perform: autoscaling:DescribeAutoScalingGroups – Obi-Wan Apr 23 '20 at 10:25
  • Yeah, that action needs the `*` resource but is a read only one and there shouldn't be anything particularly secret in the output from that call so I think you should be fine to split the statements. – ydaetskcoR Apr 23 '20 at 10:43

1 Answer


The solution is in the comments: splitting autoscaling:DescribeAutoScalingGroups off from the rest resolves the issue of not being able to specify the autoscaling group in the resource field.

data "aws_iam_policy_document" "default" {
  statement {
    sid    = "S3PolicyStmtNodeAutoscalingApiCalls"
    effect = "Allow"

    actions   = [
      "autoscaling:SetDesiredCapacity",
      "autoscaling:TerminateInstanceInAutoScalingGroup"
    ]

    resources = [ var.autoscaling_group_arn ]
  }

  statement {
    sid    = "S3PolicyStmtNodeAutoscalingDescribe"
    effect = "Allow"

    actions   = [
      "autoscaling:DescribeAutoScalingGroups"
    ]

    resources = [ "*" ]
  }
}
Obi-Wan
    Can you edit the answer to be more fully worked please? Comments aren't first class and so aren't expected to live as long as answers. If you could show what you did instead in the answer then it would be much more useful for other people who might run in to the same issue as you did. – ydaetskcoR Apr 23 '20 at 13:44
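The mistake in the question (an action that IAM only evaluates against Resource "*" bundled into a statement bound to a specific ARN, which silently ends in AccessDenied) and the fix in the answer (move that action into its own "*" statement) can both be expressed as a small policy check. The following Python is an added example, not code from the question, the answer, or Terraform; the set of wildcard-only actions contains only the one the thread identifies and is an assumption to be extended from the AWS actions/resources table for your own services, and the sample policy is constructed from the question's obfuscated JSON.

```python
"""Lint an IAM policy document for actions that only work with Resource "*"
and rewrite it into the split form used in the accepted answer.

Added example. WILDCARD_ONLY_ACTIONS lists only the action discussed in the
thread; it is not a complete AWS reference (assumption: extend it from the
"Actions, resources, and condition keys" page for each service you use).
"""
import json

# Actions that do not support resource-level permissions. The thread names
# DescribeAutoScalingGroups; anything else here is your own addition.
WILDCARD_ONLY_ACTIONS = {"autoscaling:DescribeAutoScalingGroups"}


def _as_list(value):
    """IAM allows a bare string or a list for Action/Resource; normalise."""
    return value if isinstance(value, list) else [value]


def find_misbound_actions(policy):
    """Return [(sid, action)] for every wildcard-only action that an Allow
    statement binds to something other than Resource "*". Each hit is a
    grant that IAM will never match, i.e. an AccessDenied waiting to happen."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements are not the failure mode discussed
        resources = set(_as_list(stmt.get("Resource", [])))
        if resources == {"*"}:
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action in WILDCARD_ONLY_ACTIONS:
                findings.append((stmt.get("Sid", "<no sid>"), action))
    return findings


def split_policy(policy):
    """Move wildcard-only actions out of ARN-scoped Allow statements into one
    separate Resource "*" statement, leaving the remaining actions scoped to
    their ARNs (the answer's fix, applied mechanically)."""
    new_statements = []
    starred = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        resources = set(_as_list(stmt.get("Resource", [])))
        if stmt.get("Effect") != "Allow" or resources == {"*"}:
            new_statements.append(stmt)
            continue
        keep = [a for a in actions if a not in WILDCARD_ONLY_ACTIONS]
        move = [a for a in actions if a in WILDCARD_ONLY_ACTIONS]
        if keep:
            new_statements.append({**stmt, "Action": keep})
        starred.extend(move)
    if starred:
        new_statements.append({
            "Sid": "WildcardOnlyActions",  # assumed name for the new statement
            "Effect": "Allow",
            "Action": sorted(set(starred)),
            "Resource": "*",
        })
    return {**policy, "Statement": new_statements}


# Constructed sample: the question's policy, with its obfuscated ARN.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3PolicyStmtAutoscalingApiCalls",
            "Effect": "Allow",
            "Action": [
                "autoscaling:TerminateInstanceInAutoScalingGroup",
                "autoscaling:SetDesiredCapacity",
                "autoscaling:DescribeAutoScalingGroups",
            ],
            "Resource": "arn:aws:autoscaling:region:acountid:autoScalingGroup:id:autoScalingGroupName/name",
        }
    ],
}

if __name__ == "__main__":
    for sid, action in find_misbound_actions(BROKEN_POLICY):
        print(f"statement {sid}: {action} only matches Resource \"*\"")
    print(json.dumps(split_policy(BROKEN_POLICY), indent=2))
```

Running the script flags the Describe action in the question's statement and prints the two-statement policy; the mutating actions (SetDesiredCapacity, TerminateInstanceInAutoScalingGroup) stay pinned to the one group ARN, which is the part worth protecting, while the read-only Describe gets the "*" it needs, as the comments in the thread explain.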