IGBF-2398 (project IGB): Fix: appstore ec2 role failing to update ec2 IAM role

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels: None

      Description

      In order to give our appstore ec2 the ability to store digital assets (e.g., app jar files and screenshots) in its designated S3 bucket, we create an IAM managed policy and an IAM role specifically for that S3 bucket.

      When we create the ec2, we provide the name of the role using the parameter "instance_profile_name".

      This only runs once, when the ec2 is created. Later in the same playbook, we include a task "Grant testappstore access to s3 bucket" which tries again to add the role to the ec2. This ensures that if we change the s3 bucket for some reason, the ec2 will be modified with the correct role.

      However, this task fails with an error message reading:

      TASK [ec2 : Grant testappstore access to s3 bucket] **************************************************************************
      fatal: [localhost]: FAILED! => changed=false
      attempts: 3
      msg: You must include an image_id or image.id parameter to create an instance, or use a launch_template.

      For this task, rewrite the task "Add EC2 private IP to RDS host security group" and make it properly idempotent, so that if the ec2 does not already have the given role, the role is added.
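The idempotent check the task description asks for can be done with the AWS CLI's instance-profile association commands: read the instance's current association, do nothing when it already carries the wanted profile, associate when it has none, and replace when it carries a different one. The script below is an added example written for this issue, not code from the IGB playbook. It assumes the AWS CLI is installed and configured, and it uses only the documented `aws ec2 describe-iam-instance-profile-associations`, `associate-iam-instance-profile` and `replace-iam-instance-profile-association` commands; the instance id, profile names and the sample API response are constructed. The `FakeAws` runner lets the decision logic be exercised offline.

```python
"""Idempotent IAM instance profile attachment for an existing EC2 instance.

Added example, not code from the IGB playbook. It shells out to the AWS CLI
(assumed installed and configured) using three documented commands:
  aws ec2 describe-iam-instance-profile-associations
  aws ec2 associate-iam-instance-profile
  aws ec2 replace-iam-instance-profile-association
Instance ids, profile names and the sample API response below are constructed.
"""
import json
import subprocess
import sys

# Only these association states mean the profile is (or is about to be) in effect;
# "disassociating"/"disassociated" entries are history and must be ignored.
ACTIVE_STATES = {"associating", "associated"}


def profile_name_from_arn(arn):
    """'arn:aws:iam::123456789012:instance-profile/appstore-s3-role' -> 'appstore-s3-role'."""
    return arn.rsplit("/", 1)[-1]


def plan_association(associations, desired_name):
    """Return ("none" | "associate" | "replace", association_id_or_None).

    An instance carries at most one instance profile, so the decision is:
    no active association -> associate; active but different -> replace;
    active and matching -> nothing to do (this is what makes the task idempotent).
    """
    active = [a for a in associations if a.get("State") in ACTIVE_STATES]
    if not active:
        return ("associate", None)
    current = active[0]
    if profile_name_from_arn(current["IamInstanceProfile"]["Arn"]) == desired_name:
        return ("none", None)
    return ("replace", current["AssociationId"])


def aws_ec2(args, run=subprocess.run):
    """Run `aws ec2 <args> --output json` and return the parsed response."""
    proc = run(["aws", "ec2", *args, "--output", "json"],
               check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def ensure_instance_profile(instance_id, desired_name, run=subprocess.run):
    """Make the instance carry `desired_name`; return the action that was taken."""
    resp = aws_ec2(["describe-iam-instance-profile-associations",
                    "--filters", f"Name=instance-id,Values={instance_id}"], run)
    action, assoc_id = plan_association(
        resp.get("IamInstanceProfileAssociations", []), desired_name)
    if action == "associate":
        aws_ec2(["associate-iam-instance-profile", "--instance-id", instance_id,
                 "--iam-instance-profile", f"Name={desired_name}"], run)
    elif action == "replace":
        aws_ec2(["replace-iam-instance-profile-association",
                 "--association-id", assoc_id,
                 "--iam-instance-profile", f"Name={desired_name}"], run)
    return action


class FakeAws:
    """Offline stand-in for subprocess.run that records the CLI calls it sees."""

    def __init__(self, describe_response):
        self.describe_response = describe_response
        self.calls = []

    def __call__(self, cmd, **kwargs):
        self.calls.append(cmd)
        body = self.describe_response if "describe-iam-instance-profile-associations" in cmd else {}
        return subprocess.CompletedProcess(cmd, 0, stdout=json.dumps(body), stderr="")


# Constructed sample: the instance currently carries a profile for an old bucket.
SAMPLE_DESCRIBE = {"IamInstanceProfileAssociations": [
    {"AssociationId": "iip-assoc-0123456789abcdef0",
     "InstanceId": "i-0123456789abcdef0",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/old-bucket-role",
                            "Id": "AIPAEXAMPLE"},
     "State": "associated"}]}

if __name__ == "__main__":
    # Usage: ensure_instance_profile.py <instance-id> <profile-name> [--dry-run]
    instance, profile = sys.argv[1], sys.argv[2]
    runner = FakeAws(SAMPLE_DESCRIBE) if "--dry-run" in sys.argv else subprocess.run
    print(ensure_instance_profile(instance, profile, runner))
```

From the playbook the script can be run with `ansible.builtin.script`, registering the result and setting `changed_when` on the printed action not being `none`, so the task reports `changed` only when it actually associated or replaced a profile. The credentials the playbook runs under need `ec2:DescribeIamInstanceProfileAssociations`, `ec2:AssociateIamInstanceProfile`, `ec2:ReplaceIamInstanceProfileAssociation` and `iam:PassRole` on the target role; scoping `iam:PassRole` to that one role keeps the playbook from being able to hand an instance any other role.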

          Activity

          Ann Loraine (ann.loraine) added a comment (edited):

          See: https://www.reddit.com/r/ansible/comments/ah4jcc/how_do_you_attach_an_iam_role_onto_the_ec2/

          When I used the AWS console to modify an existing ec2's IAM role, the UI replaced the existing role with the new one. It seems like you can only attach one IAM role to an EC2.

          I don't think the ec2 or ec2_instance modules have a way to re-assign or assign IAM roles to existing EC2 instances.

          To modify the IAM role, we need to use the aws command line with shell, as described in the above reddit post.

          According to the AWS documentation, you can create an IAM role and designate the IAM role as being intended for use with EC2 instances. If you do that, then probably when you create the ec2 and use the same name for the instance_policy_name, the correct role gets assigned.

          Ann Loraine (ann.loraine) added a comment:

          Currently we have a policy named for the s3 bucket and a role also named for the s3 bucket.

          However, an ec2 can only have one role. A role seems to be a kind of unitary attribute of an ec2. However, a role can have many policies attached to it.

          We should create the policy when we create the s3.
          We should create the IAM role when we create the ec2.
          After creating the IAM role, we should ensure that it has only one policy attached to it – the S3 policy which is named for the S3 bucket.

          Ann Loraine (ann.loraine) added a comment:

          Adding new role to drop database and empty appstore s3 bucket for restart/refresh appstore.

          Ann Loraine (ann.loraine) added a comment:

          Done and deployed. Moving to Closed.


            People

            • Assignee: Ann Loraine (ann.loraine)
            • Reporter: Ann Loraine (ann.loraine)
            • Votes: 0
            • Watchers: 1
