Tags: amazon-web-services, terraform, aws-auto-scaling, aws-policies

AWS autoscaling API access policy via Terraform


I am using an AWS autoscaling group which is controlled by a server that predicts upcoming load and scales up/down to its needs. The server needs permissions to the autoscaling API with the least amount of privileges needed.

My issue is with restricting the server to only use a specific autoscaling group defined over the resource field. All policy examples I have found so far only use "*" in the resource field, which should mean it has access to all autoscaling groups if I'm not mistaken.

data "aws_iam_policy_document" "default" {
  statement {
    sid    = "S3PolicyStmtNodeAutoscalingApiCalls"
    effect = "Allow"

    actions   = [
      "autoscaling:DescribeAutoScalingGroups",
      "autoscaling:SetDesiredCapacity",
      "autoscaling:TerminateInstanceInAutoScalingGroup"
    ]

    resources = [ var.autoscaling_group_arn ]
  }
}

Implemented via Terraform, this translates into the following JSON policy (autoscaling group ARN obfuscated):

resource "aws_iam_policy" "aws_api_access" {
  arn    = "arn:aws:iam::123456789123:policy/aws-api-access"
  id     = "arn:aws:iam::123456789123:policy/aws-api-access"
  name   = "aws-api-access"
  path   = "/"
  policy = jsonencode({
    Statement = [
      {
        Action   = [
          "autoscaling:TerminateInstanceInAutoScalingGroup",
          "autoscaling:SetDesiredCapacity",
          "autoscaling:DescribeAutoScalingGroups",
        ]
        Effect   = "Allow"
        Resource = "arn:aws:autoscaling:region:acountid:autoScalingGroup:id:autoScalingGroupName/name"
        Sid      = "S3PolicyStmtAutoscalingApiCalls"
      }
    ]
    Version   = "2012-10-17"
  })
}

The error is: AccessDenied: User: arn:aws:sts::id:assumed-role/role_name/i-instance-id is not authorized to perform: autoscaling:DescribeAutoScalingGroups

So far I have only got it to run using the wildcard inside the resource attribute; any hints appreciated.


Solution

  • The solution is in the comments: splitting autoscaling:DescribeAutoScalingGroups off from the rest resolves the issue of not being able to specify the autoscaling group in the resource field.

    data "aws_iam_policy_document" "default" {
      statement {
        sid    = "S3PolicyStmtNodeAutoscalingApiCalls"
        effect = "Allow"
    
        actions   = [
          "autoscaling:SetDesiredCapacity",
          "autoscaling:TerminateInstanceInAutoScalingGroup"
        ]
    
        resources = [ var.autoscaling_group_arn ]
      }
    
      statement {
        sid    = "S3PolicyStmtNodeAutoscalingDescribe"
        effect = "Allow"
    
        actions   = [
          "autoscaling:DescribeAutoScalingGroups"
        ]
    
        resources = [ "*" ]
      }
    }
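
A small lint that catches the mismatch this answer fixes, as an added example that is not part of the original question or answer. It is Python rather than Terraform so it can be run against the JSON policy Terraform renders; the two sample policies are constructed from the question and the answer using the question's placeholder ARN, and the check generalises the answer's point to every autoscaling:Describe* action, which the Auto Scaling API does not let you scope to a resource.

```python
"""Lint an IAM policy for the Auto Scaling resource-scoping pitfall above."""
import json

# Auto Scaling Describe* calls do not accept resource-level permissions: scoping
# them to an ASG ARN makes that statement ineffective and the call is denied.
DESCRIBE_PREFIX = "autoscaling:Describe"
# Constructed placeholder ARN, copied from the obfuscated one in the question.
ASG_ARN = "arn:aws:autoscaling:region:acountid:autoScalingGroup:id:autoScalingGroupName/name"
MUTATING = ["autoscaling:SetDesiredCapacity", "autoscaling:TerminateInstanceInAutoScalingGroup"]

# Constructed sample: the single-statement policy from the question.
QUESTION_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "S3PolicyStmtAutoscalingApiCalls", "Effect": "Allow",
     "Action": MUTATING + ["autoscaling:DescribeAutoScalingGroups"], "Resource": ASG_ARN}]})

# Constructed sample: the accepted two-statement split from the answer.
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "S3PolicyStmtNodeAutoscalingApiCalls", "Effect": "Allow",
     "Action": MUTATING, "Resource": ASG_ARN},
    {"Sid": "S3PolicyStmtNodeAutoscalingDescribe", "Effect": "Allow",
     "Action": ["autoscaling:DescribeAutoScalingGroups"], "Resource": "*"}]})


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def lint_autoscaling_policy(policy_json: str) -> list[str]:
    """Return one finding per misconfigured Allow statement; [] means clean."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        describes = [a for a in actions if a.startswith(DESCRIBE_PREFIX)]
        mutating = [a for a in actions if not a.startswith(DESCRIBE_PREFIX)]
        if describes and resources != ["*"]:
            findings.append(f'{sid}: {describes} need Resource "*"; split into own statement')
        if mutating and "*" in resources:
            findings.append(f'{sid}: {mutating} granted on "*"; scope to the Auto Scaling group ARN')
    return findings


if __name__ == "__main__":
    print(lint_autoscaling_policy(QUESTION_POLICY))  # one finding on the Describe action
    print(lint_autoscaling_policy(FIXED_POLICY))     # []
```

Run it against the JSON that `terraform show` or `aws iam get-policy-version` returns to confirm that Describe actions sit alone on "*" and that every mutating action stays pinned to the group ARN.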