SOSS cannot connect to AWS Marketplace

#1
Hi,

I am trying to configure ScaleOut on AWS. I created an AWS connection providing an access/secret key, but I get the error below when I go to the AWS deployment tab. Can you find out why this keeps happening?

Further, I want to know whether there is a way to connect to AWS without providing access/secret keys, maybe by using an IAM user, roles, etc. I am reluctant to use access/secret keys, as we have to rotate the keys periodically, and because of the lack of security.

I appreciate your input on this. Thanks.

soss aws error.JPG
 

Aaron

Administrator
Staff member
#2
The assumed use case for the ScaleOut Management Console is from an on-premises IT management workstation not running within AWS that is not assigned an IAM instance role. Therefore, AWS access keys and secret keys are required for the ScaleOut Management Console to access your AWS resources. It is not currently possible to confer the required permissions to the ScaleOut Management Console via an assigned IAM instance profile, though we will look into this possibility in a future release by making the access key and secret key optional in the case of an AWS-hosted management instance.

We strongly recommend creating an IAM role with limited permissions to address any security-related concerns. To use the ScaleOut Management Console to launch and manage your stores in the AWS Marketplace, please ensure that your provided AWS credentials are granted the following permissions, as per our prerequisites documentation:

JSON:
{
    "Statement": [
        {
            "Action": [
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:DeleteLaunchConfiguration",
                "autoscaling:DeleteLifecycleHook",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeLifecycleHooks",
                "autoscaling:DescribeScalingActivities",
                "autoscaling:PutLifecycleHook",
                "autoscaling:UpdateAutoScalingGroup",
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:UpdateStack",
                "ec2:AssociateRouteTable",
                "ec2:AttachInternetGateway",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateInternetGateway",
                "ec2:CreatePlacementGroup",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:CreateVpc",
                "ec2:DeleteInternetGateway",
                "ec2:DeletePlacementGroup",
                "ec2:DeleteRoute",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteSubnet",
                "ec2:DeleteVpc",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInstances",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeKeyPairs",
                "ec2:DescribePlacementGroups",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DetachInternetGateway",
                "ec2:DisassociateRouteTable",
                "ec2:ModifyVpcAttribute",
                "ec2:RebootInstances",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "iam:AddRoleToInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:CreateRole",
                "iam:DeleteInstanceProfile",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:GetRole",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iam:RemoveRoleFromInstanceProfile",
                "sqs:CreateQueue",
                "sqs:DeleteQueue",
                "sqs:GetQueueAttributes"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}
Alternatively, you may opt to launch your ScaleOut store using the AWS Marketplace for the desired product:
  1. Select the desired product (e.g., ScaleOut StateServer, ScaleOut StreamServer, etc.).
  2. Subscribe to the product if you have not yet done so.
    1. Note: You'll need to do this step even if you choose to use the ScaleOut Management Console to launch and manage your store. The ScaleOut Management Console is unable to automatically subscribe to a product listing for you.
  3. Configure your yearly purchase contract (optional) and click "Continue to Configuration".
  4. Select the "CloudFormation Template" and "standard cluster deployment" fulfillment options and desired AWS region, then click "Continue to Launch".
  5. In the "Launch this software" dialog, choose the "Launch CloudFormation" action and click "Launch".
  6. Click "Next" on the launch dialog that appears in the next window (it should be pre-filled with a long URL to the CloudFormation template for the Marketplace offering).
  7. Provide the desired parameters in the stack details and complete the remaining screens to launch your ScaleOut StateServer store in the AWS Marketplace.
 
#3
Hi Aaron,

I have added the following permissions to the IAM user. I had to modify the policy to use wildcards (*) and restrict some actions to certain resources due to organizational security policies. However, I added all the mentioned permissions to the IAM user. Then I used the access/secret keys for the IAM user and connected using the ScaleOut remote client management console; my connection was successful when I tested it (screenshot 1).
After that, when I go to the AWS deployment tab and select the AWS connection, I get the Credentials error below (screenshot 2). Can you please guide me on where this goes wrong? I have included the policy details of my IAM user below as well.

Thanks in advance

soss1.jpg


soss2.jpg

JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:RebootInstances",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:TerminateInstances",
        "ec2:DeleteTags",
        "ec2:CreateTags",
        "ec2:DeleteSecurityGroup",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RunInstances",
        "ec2:GetConsoleScreenshot"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*::image/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:CreateLaunchConfiguration",
        "autoscaling:DeleteAutoScalingGroup",
        "autoscaling:DeleteLaunchConfiguration",
        "autoscaling:DeleteLifecycleHook",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:PutLifecycleHook",
        "autoscaling:UpdateAutoScalingGroup",
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStacks",
        "cloudformation:UpdateStack",
        "ec2:AssociateRouteTable",
        "ec2:AttachInternetGateway",
        "ec2:DeleteInternetGateway",
        "ec2:DeletePlacementGroup",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:DeleteSubnet",
        "ec2:DeleteVpc",
        "ec2:ModifyVpcAttribute",
        "ec2:DetachInternetGateway",
        "ec2:DisassociateRouteTable",
        "ec2:Describe*",
        "ec2:GetEbsEncryptionByDefault",
        "ec2:GetEbsDefaultKmsKeyId",
        "ec2:GetPasswordData",
        "ec2:SearchLocalGatewayRoutes",
        "ec2:ExportClientVpnClientCertificateRevocationList",
        "ec2:SearchTransitGatewayMulticastGroups",
        "ec2:ExportClientVpnClientConfiguration",
        "ec2:GetHostReservationPurchasePreview",
        "ec2:SearchTransitGatewayRoutes",
        "ec2:GetLaunchTemplateData",
        "ec2:CreateInternetGateway",
        "ec2:CreatePlacementGroup",
        "ec2:GetTransitGatewayAttachmentPropagations",
        "ec2:GetReservedInstancesExchangeQuote",
        "ec2:GetTransitGatewayRouteTablePropagations",
        "ec2:AssociateAddress",
        "ec2:GetDefaultCreditSpecification",
        "ec2:GetCapacityReservationUsage",
        "ec2:GetConsoleOutput",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:CreateSecurityGroup",
        "ec2:CreateVpc",
        "ec2:CreateSubnet",
        "ec2:GetTransitGatewayRouteTableAssociations",
        "ec2:AllocateAddress",
        "ec2:GetTransitGatewayMulticastDomainAssociations",
        "sqs:CreateQueue",
        "sqs:DeleteQueue",
        "sqs:GetQueueAttributes"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "iam:AddRoleToInstanceProfile",
        "iam:CreateInstanceProfile",
        "iam:CreateRole",
        "iam:DeleteInstanceProfile",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:GetRole",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:RemoveRoleFromInstanceProfile"
      ],
      "Effect": "Allow",
      "NotResource": [
        "arn:aws:iam::012345678901:user/*",
        "arn:aws:iam::012345678901:group/*",
        "arn:aws:iam::012345678901:role/*",
        "arn:aws:iam::012345678901:mfa/*",
        "arn:aws:iam::012345678901:policy/*",
        "arn:aws:iam::*:user/[email protected]"
      ]
    }
  ]
}
 

Aaron

Administrator
Staff member
#4
We were able to reproduce this issue using a permissions-limited account similar to the one you've outlined. Thank you for that information. It pointed out a flaw in our documentation. Please also add this statement to your IAM user's policy. We will update our documentation to add this section.

JSON:
{
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::soss_installers/CF_VERSION"
}
 
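The mismatch between the required-permission list in #2 and the trimmed policy in #3 is exactly the kind of gap that surfaces as a generic "Credentials" error, and #4 closes it by adding one more statement. The following is an added example, not ScaleOut's code, of the check an administrator can run before handing keys to a tool: compare the (action, resource) pairs the tool needs against the policy document and list what no Allow statement covers. The required list and the user policy below are constructed, shortened versions modeled on the thread's; the account id 012345678901 is the same placeholder the thread uses, and the instance, AMI and role ARNs are made up. It honours IAM's `*` and `?` wildcards and `NotResource`, but deliberately ignores Deny statements, `NotAction` and Condition blocks, so "covered" here is necessary, not sufficient.

```python
"""Added example (not ScaleOut's code): report which (action, resource) pairs
an IAM identity policy fails to allow.  Deny statements, NotAction and
Condition blocks are intentionally not evaluated; see the lead-in."""
import json
import re


def iam_match(pattern: str, value: str) -> bool:
    """IAM wildcard match: '*' is any run of characters, '?' is one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def action_match(pattern: str, action: str) -> bool:
    """Action names are case-insensitive in IAM; ARNs are not."""
    return iam_match(pattern.lower(), action.lower())


def as_list(value):
    """IAM allows a string or a list for Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_allows(stmt: dict, action: str, resource: str) -> bool:
    """True if one Allow statement names the action and the resource."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(action_match(p, action) for p in as_list(stmt.get("Action"))):
        return False
    if "Resource" in stmt:
        return any(iam_match(r, resource) for r in as_list(stmt["Resource"]))
    if "NotResource" in stmt:
        return not any(iam_match(r, resource) for r in as_list(stmt["NotResource"]))
    return False  # identity policies need Resource or NotResource


def missing_permissions(policy: dict, required) -> list:
    """Return the sorted (action, resource) pairs no Allow statement covers."""
    statements = as_list(policy.get("Statement"))
    return sorted(
        (action, resource)
        for action, resource in required
        if not any(statement_allows(s, action, resource) for s in statements)
    )


# Constructed policy, shortened from the one posted in #3: resource-scoped
# ec2 mutations, a Describe* wildcard, and iam actions via NotResource.
USER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:RunInstances", "ec2:TerminateInstances", "ec2:CreateTags"],
     "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:subnet/*",
                  "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*::image/*"]},
    {"Effect": "Allow",
     "Action": ["ec2:Describe*", "cloudformation:CreateStack", "sqs:CreateQueue"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["iam:PassRole", "iam:CreateRole"],
     "NotResource": ["arn:aws:iam::012345678901:user/*"]}
  ]
}""")

# Constructed requirement list: a subset of #2 plus the s3:GetObject statement
# from #4.  Account id and resource ids are placeholders.
ACCOUNT = "012345678901"
REQUIRED = [
    ("ec2:RunInstances", f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0123456789abcdef0"),
    ("ec2:RunInstances", "arn:aws:ec2:us-east-1::image/ami-0123456789abcdef0"),
    ("ec2:DescribeInstances", "*"),
    ("ec2:CreatePlacementGroup", "*"),
    ("iam:PassRole", f"arn:aws:iam::{ACCOUNT}:role/soss-instance-role"),
    ("s3:GetObject", "arn:aws:s3:::soss_installers/CF_VERSION"),
]


if __name__ == "__main__":
    gaps = missing_permissions(USER_POLICY, REQUIRED)
    if not gaps:
        print("policy covers every required (action, resource) pair")
    for action, resource in gaps:
        print(f"NOT ALLOWED: {action} on {resource}")
```

Run as-is it reports two gaps: `ec2:CreatePlacementGroup` (dropped from the constructed policy) and `s3:GetObject` on the installer object, which is the statement #4 adds. Because the check only reads Allow statements, an explicit Deny or an IP/MFA condition elsewhere in the account can still block an action this script marks as covered; use it to find omissions, then confirm with the IAM policy simulator against the real identity.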