What permissions in IAM do i need to start EC2 instances with chef knife?
Q1: I am trying to create user in IAM AWS console that has restricted permissions only to start new instances using knife ec2 method. Currently only full access with policy "Amazon EC2 Full access" works. Creating user and granting start/stop instances and describe images does not work.
Q2: How i can debug this
ERROR: Fog::Compute::AWS::Error: UnauthorizedOperation => You are not authorized to perform this operation.
and trace down which exactly permission do i need. (-V -V -V didnt work)
Q1: I had to debug knife-ec2 gem in order to find out the minimal IAM permissions required to start an EC2 instance. Here is the minimal policy:
{
"Statement": [
{
"Sid": "Stmt123",
"Action": [
"ec2:RunInstances",
"ec2:DescribeInstances",
"ec2:DescribeKeyPairs",
"ec2:DescribeImages",
"ec2:CreateTags",
"ec2:DescribeTags"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
]
}
Please note the Sid should be unique.
Q2: My knowledge of Ruby is quite limited so possibly there is not convenient way for debugging. Personally I used binding.pry as a debugger. Please refer to the following article for more info.
You will need to allow RunInstances.