S3 Permissions for remote Ignition configurations

I’m working on deploying CoreOS on EC2 and ran into a size issue with the user_data. Fortunately, Ignition supports remote configs! However, in the interest of security and auditing I’m working on the minimal permissions required by Ignition to pull remote configs.

I am assuming, and going to test today, the following permissions:

  1. s3:GetObject
  2. s3:GetObjectVersion

Are there any specific permissions needed for Ignition to pull remote configs from S3? I’m making the assumption that the S3 URL is converted into an HTTP request?

4 Likes

S3 URLs are fetched using an AWS client library, which should be using HTTP underneath. I just looked through the Ignition code, and I think only s3:GetObject should be needed, but I’m not 100% sure and I don’t think we’ve ever checked. Please let us know what you find and we’ll add it to the docs!

Also, note that you don’t need to make the configs publicly readable. Ignition automatically performs authenticated fetches using the EC2 instance’s IAM role.

2 Likes

I’m using the following policy document on the EC2 instances:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:GetObjectVersion",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::bucketname*"
        }
    ]
}

I added the GetObjectVersion but I’m not sure the library underneath will grab the latest version so I disabled versioning.

I’m getting a sha512 hash verification error that I am troubleshooting but it appears to be working with only that permission. I’ll confirm when the verification is sorted.

Update: This policy document works and the EC2 instance is pulling from the S3 bucket. Thank you @bgilbert for the verification!

2 Likes
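The thread settles on two practical points: the instance role needs only s3:GetObject on the config objects, and the pointer config in user_data must carry a sha512 hash that matches the exact bytes stored in S3. The following Python script is an added example (not code from the thread or from the Ignition project) that ties those together: it computes the `sha512-<hex>` string Ignition expects in `verification.hash`, builds the small user_data pointer config, and reviews an IAM policy document against the minimum discussed above. The Ignition spec version (3.3.0), the bucket name, the key prefix, and the sample config contents are assumptions chosen for the example.

```python
import hashlib
import json

# Constructed sample: the full Ignition config that would be uploaded to S3.
# (Example data only; not the poster's actual config.)
REMOTE_CONFIG = json.dumps({
    "ignition": {"version": "3.3.0"},
    "storage": {"files": [{"path": "/etc/hostname",
                           "contents": {"source": "data:,node01"}}]},
}, indent=2).encode()

# The policy document posted in the thread, reproduced here as input for the review.
THREAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "",
        "Effect": "Allow",
        "Action": ["s3:GetObjectVersion", "s3:GetObject"],
        "Resource": "arn:aws:s3:::bucketname*",
    }],
}


def ignition_verification_hash(data: bytes) -> str:
    """Return the value Ignition expects in `verification.hash`: the algorithm
    name, a dash, and the hex digest of the exact bytes that S3 will serve.
    Re-run this after every upload; a stale digest is one cause of the
    "hash verification" error mentioned in the thread."""
    return "sha512-" + hashlib.sha512(data).hexdigest()


def pointer_config(s3_url: str, remote_bytes: bytes) -> dict:
    """Build the tiny user_data config that makes Ignition fetch and verify
    the real config from S3.  Assumes Ignition spec 3.x (`config.replace`)."""
    return {
        "ignition": {
            "version": "3.3.0",
            "config": {
                "replace": {
                    "source": s3_url,
                    "verification": {
                        "hash": ignition_verification_hash(remote_bytes)},
                }
            },
        }
    }


def policy_findings(policy: dict, bucket: str) -> list:
    """Review an IAM policy against the least-privilege shape the thread
    arrived at: only s3:GetObject, and only on objects inside `bucket`.
    Returns a list of human-readable findings (empty means it passes)."""
    findings = []
    object_prefix = f"arn:aws:s3:::{bucket}/"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for action in actions:
            # Per the maintainer reply, s3:GetObject alone should suffice.
            if action != "s3:GetObject":
                findings.append(f"action beyond the s3:GetObject minimum: {action}")
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for res in resources:
            # "arn:aws:s3:::bucketname*" has no "/" after the bucket name, so it
            # also matches any other bucket whose name starts with "bucketname".
            if not res.startswith(object_prefix):
                findings.append(
                    f"resource not limited to objects in {bucket}: {res}")
    return findings


def tightened_policy(bucket: str, key_prefix: str) -> dict:
    """Return the policy with the two findings above addressed."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/{key_prefix}*",
        }],
    }


if __name__ == "__main__":
    # Assumed bucket, key prefix and object key for the demonstration.
    print(json.dumps(pointer_config("s3://bucketname/ignition/node.ign",
                                    REMOTE_CONFIG), indent=2))
    for finding in policy_findings(THREAD_POLICY, "bucketname"):
        print("finding:", finding)
    print(json.dumps(tightened_policy("bucketname", "ignition/"), indent=2))
```

Run it as a script to print the pointer config to paste into user_data, the findings for the thread's policy (one for the extra action, one for the unscoped resource), and a tightened policy that grants s3:GetObject only on objects under the assumed `ignition/` prefix.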
