Adding Extra Permissions to an IAM Role in EC2 AutoScaling

The goal of this article is to provide information to our clients to ensure that their Amazon EC2 cluster will have the correct IAM permissions necessary to take advantage of all the services available on Platform9. To successfully interact with the services, a service user on EC2 must have the correct permissions and access level set. If the service user lacks these needed permissions or access, requested changes to the cluster will fail. Platform9 provides a preconfigured IAM policy that can be downloaded and utilized for this purpose.

In this article, we will review several methods to add additional permissions to an IAM policy a user will need when utilizing Auto Scaling on EC2. These authorizing mechanisms rely on several factors that are granted via the IAM service. When importing the Platform9 IAM policy, the following permissions are required on your AWS account.

• ELB Management
• Route 53 DNS Configuration
• Access to two or more Availability Zones within the region
• EC2 Instance Management
• EBS Volume Management
• VPC Management
• EKS API (Read Only)

Adding IAM Roles and Permissions

An IAM role grants permission to specific applications running on an instance via a policy created in a JSON format. When creating an IAM policy role, administrators should only assign the privilege level needed to limit access to the particular API calls the application requires. Users can only be linked to a single instance IAM role, but administrators can attach the identical role to other instances as well, expanding its usefulness.

IAM Role insights

To add an additional IAM role, the following considerations must be assessed:

1. First, we should define and create the new IAM role.
2. Next, we will specify which user accounts or other services can take on the role.
3. Then, we should define the behaviors and services the application’s API can utilize after gaining the role.
4. Thereafter, we must designate which role is applied when we launch our instance or add the role to an existing instance.
5. Finally, we must allow the application to obtain the temporary credentials needed and then apply them.

Methods for Adding Permissions

IAM typically allows three methods for adding user permissions to a policy.

• Solution 1: Add a User to an Existing Group – When we make the user a member of an existing group, those group policies are appended to the user.

• Note*: Adding a new or existing user to a group affects the user immediately.

  • The first step is to open the IAM console and choose the username whose permissions we are modifying.
  • Now, select the ‘Permissions’ tab, and then click ‘Add permissions’. Now, specify ‘Add user to group’.
  • Next, designate each group the user will be assigned to by selecting the appropriate checkbox next to the group.
  • Finally, review the group memberships listings the user will be added to. Then choose ‘Add permissions’.

• Solution 2: Copy Existing User Permissions – Copy all group memberships, attached managed policies, inline policies, and any existing permissions boundaries from the source user.

  • To begin, open the IAM console.
  • Select the username whose permissions need to be modified. Then choose the Permissions tab.
  • Next, choose ‘Add permissions’, and then ‘Copy permissions from existing user’.
  • Then, click the radio button of the user whose permissions we want to re-create.
  • Finally, select ‘Next’, and then review the changes, then choose ‘Add permissions’.

• Solution 3: Assign Unique Policies Directly to a User – Attach a managed policy directly to the user. As a best practice, we recommend that you instead attach your policies to a group and then make users members of the appropriate groups.

  • First, open the IAM console.
  • Next, select the username whose permissions need to be modified. Then choose the Permissions tab.
  • Now, choose ‘Add permissions’, and then select ‘Attach existing policies directly to user’.
  • Then, click on the managed policies checkboxes that we want to attach to the user.
  • Finally, click ‘Next’, and then review the list of policies that are going to be affiliated with the user, lastly, choose ‘Add permissions’.

To address the specific changes in the IAM Policy that include SuspendProcess and ResumeProcess, we should add an additional attribute called UpdatePolicy to our AutoScaleGroup to manage this function. Below is an example for adding in the SuspendProcesses:

ASG:

  Type: AWS::AutoScaling::AutoScalingGroup

  UpdatePolicy: 

    AutoScalingRollingUpdate:

      SuspendProcesses:

        - "ReplaceUnhealthy"

  Properties:

    DesiredCapacity: 1

    MinSize: 1

    MaxSize: 2

    LaunchConfigurationName: !Ref LaunchConfigurationName

Manually Suspend/Resume Processes via the AWS Console

1. In the AWS console, we can also accomplish this task.
2. A split pane will open detailing info about the group that is selected.
3. On the Details tab, select the 'Advanced configurations' then 'Edit'.
4. Next, select the process to suspend.

To restart a suspended process, simply remove it from the 'Suspended processes'. More information can be found in the Amazon EC2 Autoscaling Guide.

Suspend/Resume Processes via CLI

Additionally, we can use the CLI to suspend or resume individual processes.

aws autoscaling suspend-processes --auto-scaling-group-name my-asg --scaling-processes AlarmNotification

​

aws autoscaling resume-processes --auto-scaling-group-name my-asg --scaling-processes AlarmNotification

Should you have further thoughts or questions related to this article, please feel free to open a ticket with our support department.