When configuring resource-tags for aws provider, the tags are created after the resource is created

Bug #2006779 reported by Yoshi Kadokawa
Affects: Canonical Juju
Status: Fix Released
Importance: High
Assigned to: Thomas Miller

Bug Description

For the AWS provider, you can configure resource-tags in model-config, and as a result the following resources get the configured tags.
- instances
- security groups
- volumes

However, it looks like the tags are created after the resource is created, not while it is created.
Therefore, with the following IAM policy, which is based on this policy [0] with conditions added to restrict creation of resources to those carrying the specific tag, bootstrap will fail.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow_only_running_ec2_instance_with_tag",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:CreateVolume"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/Name": "MANDATORY"
                }
            }
        },
        {
            "Sid": "Allow_update_create_TAG_when_creating_instance_volume",
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": [
                        "RunInstances",
                        "CreateVolume"
                    ]
                }
            }
        },
        {
            "Sid": "JujuEC2Actions",
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/Name": "MANDATORY"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Sid": "JujuIAMActions",
            "Effect": "Allow",
            "Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:CreateRole",
                "iam:DeleteInstanceProfile",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:GetInstanceProfile",
                "iam:GetRole",
                "iam:ListInstanceProfiles",
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iam:RemoveRoleFromInstanceProfile"
            ],
            "Resource": "*"
        },
        {
            "Sid": "JujuSSMActions",
            "Effect": "Allow",
            "Action": [
                "ssm:ListInstanceAssociations",
                "ssm:UpdateInstanceInformation"
            ],
            "Resource": "*"
        }
    ]
}

As far as I can tell from the observed behaviour, Juju creates an instance with the following flow:

1. CreateSecurityGroup
2. CreateTags
3. AuthorizeSecurityGroupIngress
4. CreateVolume
5. CreateTags
6. RunInstances
7. CreateTags

Due to the customer's security policy, the IAM policy only allows launching an instance with the specific tag attached, as you can see in the IAM policy above.
So the expected behaviour is for the "CreateTags" action to run as part of each create action, not after it.

[0] https://discourse.charmhub.io/t/juju-aws-permissions/5307
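The following is an added example, not code from Juju or from the reporter, that models why the policy above rejects the create-then-tag sequence and accepts tag-on-create. It reduces IAM evaluation to "an explicit Deny wins, otherwise any matching Allow wins, otherwise implicit deny", implements only the StringEquals and StringLike operators the policy uses, treats a condition key that is absent from the request as never matching, assumes a resource that is still being created has no ec2:ResourceTag values, and assumes AWS authorizes tags passed in TagSpecifications as an implied ec2:CreateTags call carrying ec2:CreateAction. The instance ARN and account ID are constructed, and only the EC2 statements of the policy are reproduced (with the JSON syntax errors from the report fixed).

```python
# Added example (not Juju code): simplified model of how the report's IAM policy
# evaluates Juju's create-then-tag sequence versus tag-on-create.
import fnmatch
import json

# EC2 statements from the report; IAM and SSM statements omitted.
POLICY = json.loads(r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Allow_only_running_ec2_instance_with_tag", "Effect": "Allow",
     "Action": ["ec2:RunInstances", "ec2:CreateVolume"], "Resource": "*",
     "Condition": {"StringLike": {"aws:RequestTag/Name": "MANDATORY"}}},
    {"Sid": "Allow_update_create_TAG_when_creating_instance_volume", "Effect": "Allow",
     "Action": "ec2:CreateTags",
     "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
     "Condition": {"StringEquals": {"ec2:CreateAction": ["RunInstances", "CreateVolume"]}}},
    {"Sid": "JujuEC2Actions", "Effect": "Allow", "Action": "ec2:*", "Resource": "*",
     "Condition": {"StringLike": {"ec2:ResourceTag/Name": "MANDATORY"}}},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, ctx):
    """True if every (operator, key) clause is satisfied by the request context."""
    for operator, clauses in condition.items():
        for key, wanted in clauses.items():
            actual = ctx.get(key)
            if actual is None:  # assumption: a key missing from the request never matches
                return False
            if operator == "StringEquals":
                ok = actual in _as_list(wanted)
            elif operator == "StringLike":
                ok = any(fnmatch.fnmatchcase(actual, p) for p in _as_list(wanted))
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource_arn, ctx):
    """Evaluate one API call; ctx holds the condition keys present in the request."""
    allowed = False
    for st in policy["Statement"]:
        # Action names match case-insensitively; ARNs and "*" are glob patterns.
        if not any(fnmatch.fnmatch(action.lower(), p.lower()) for p in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, p) for p in _as_list(st["Resource"])):
            continue
        if not _condition_matches(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed ARN for the instance Juju is about to launch.
INSTANCE = "arn:aws:ec2:ap-northeast-1:123456789012:instance/i-0123456789abcdef0"


def tag_after_create(policy=POLICY):
    """The flow the report observed: RunInstances, then a separate CreateTags."""
    calls = [
        # No TagSpecifications, so no aws:RequestTag/* keys are in the request.
        ("ec2:RunInstances", INSTANCE, {}),
        # Standalone CreateTags: no ec2:CreateAction, and the instance has no Name tag yet.
        ("ec2:CreateTags", INSTANCE, {"aws:RequestTag/Name": "MANDATORY"}),
    ]
    return [is_allowed(policy, a, r, c) for a, r, c in calls]


def tag_on_create(policy=POLICY):
    """Tags supplied in RunInstances TagSpecifications, as the report asks for."""
    calls = [
        ("ec2:RunInstances", INSTANCE, {"aws:RequestTag/Name": "MANDATORY"}),
        # Implied CreateTags for the same request, which carries ec2:CreateAction.
        ("ec2:CreateTags", INSTANCE,
         {"aws:RequestTag/Name": "MANDATORY", "ec2:CreateAction": "RunInstances"}),
    ]
    return [is_allowed(policy, a, r, c) for a, r, c in calls]


if __name__ == "__main__":
    print("tag after create:", tag_after_create())  # [False, False]: bootstrap fails
    print("tag on create:   ", tag_on_create())     # [True, True]
```

The first step of the create-then-tag sequence already fails: RunInstances without tags has no aws:RequestTag/Name for the first statement, and the ec2:* statement needs an ec2:ResourceTag/Name that an instance which does not exist yet cannot have. The later CreateTags fails for the same reason, since the second statement only matches when ec2:CreateAction is present, which is exactly what tag-on-create supplies.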

Ian Booth (wallyworld)
Changed in juju:
milestone: none → 3.1.1
status: New → Triaged
importance: Undecided → High
tags: added: bitesize ec2-provider
Ian Booth (wallyworld) wrote:
Changed in juju:
assignee: nobody → Thomas Miller (tlmiller)
status: Triaged → Fix Committed
Yoshi Kadokawa (yoshikadokawa) wrote:

JFYI, we can now confirm that with juju from 3.1/edge channel, the instances will get created without any policy issues.
Thank you for the update!

When can we expect this on the stable channel? The edge channel does not support using Juju agent binaries for multiple architectures, so a temporary simplestreams server is necessary for now.

Harry Pidcock (hpidcock)
Changed in juju:
milestone: 3.1.1 → 3.1.2
Changed in juju:
status: Fix Committed → Fix Released