Docker Community Forums


Cannot create node cluster on AWS - unauthorized operation

amazonwebservices
dockercloud

(Theartling) #1

Hi, I’ve connected the Docker account to AWS like described here https://docs.docker.com/docker-cloud/infrastructure/link-aws/

Then I went on to create a new node cluster on AWS:

REGION: ap-southeast-1
NODE TYPE
CPU: 1
Memory: t2.micro
Disk Space: 0GB (keeps showing 0 in the cluster overview, no matter if I set it to 10GB or 60GB)

It fails with following output:

Deploying node cluster myproject:myprojectstaging
12345678-myproject: Deploying to Amazon Web Services/ap-southeast-1
12345678-myproject: Instance is now terminated in Amazon Web Services
ERROR: 12345678-myproject: AWS returned an error: unauthorized operation. Please check that the AWS credentials you have provided have enough permissions
12345678-myproject: Reallocating containers in other nodes...
ERROR: Node Cluster Deploy action on 'myprojectstaging' in region 'Amazon Web Services/ap-southeast-1' has failed
12345678-myproject: Reallocation done!

I also tried temporarily giving the role FullAccess policies for EC2 and other services, but it still won't deploy.
When I remove all policies (including the dockercloud-policy) it actually tells me “Invalid AWS role or insufficient permissions”.
Also tried us-east-1 region with same results.

EDIT:
I’ve played around more with the AWS policies and adding AmazonEC2ContainerServiceFullAccess seems to allow the creation of nodes on AWS. The policy from the docs does not seem to be enough.


(Bohdan Koleček) #2

I fixed the issue by adding permission to perform “iam:PassRole” action in the dockercloud-policy.

@DockerCloud: Will you update your documentation? In https://docs.docker.com/docker-cloud/infrastructure/link-aws/ add “iam:PassRole” after “iam:ListInstanceProfiles”.


(Muralibala) #3

For everyone’s reference, if you are getting the above error, please use this text for policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:*"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:Region": "us-east-1"
                }
            }
        },
        {
            "Action": [
                "iam:ListInstanceProfiles"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "iam:PassRole"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
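
The policy in the post above grants iam:PassRole on Resource "*", so whoever holds the linked credentials can attach any role in the account to the instances they launch. As an added example (not code from this thread or from Docker), the Python below builds a tightened variant of that same three-statement policy, restricting PassRole to a single role ARN and to the EC2 service via the iam:PassedToService condition key, and includes a small checker that flags unscoped PassRole statements. The account ID 123456789012 and the role name dockercloud-node-role are assumed placeholders; substitute the role you actually created for the node cluster.

```python
"""Tighten the Docker Cloud AWS policy from the thread by scoping iam:PassRole.

Added example, not code from the original thread or from Docker. The account
ID and role name below are assumed placeholders.
"""
import fnmatch
import json

# Constructed copy of the policy posted above (the "before" case).
FORUM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["ec2:*"], "Effect": "Allow", "Resource": "*",
         "Condition": {"StringEquals": {"ec2:Region": "us-east-1"}}},
        {"Action": ["iam:ListInstanceProfiles"], "Effect": "Allow", "Resource": "*"},
        {"Action": ["iam:PassRole"], "Effect": "Allow", "Resource": "*"},
    ],
}

# Assumed placeholder: the only role the node cluster's instances should carry.
ASSUMED_ROLE_ARN = "arn:aws:iam::123456789012:role/dockercloud-node-role"


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def build_hardened_policy(region, role_arn):
    """Same three grants as the forum policy, but PassRole is limited to one
    role ARN and may only be passed to EC2 (iam:PassedToService)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Action": ["ec2:*"], "Effect": "Allow", "Resource": "*",
             "Condition": {"StringEquals": {"ec2:Region": region}}},
            {"Action": ["iam:ListInstanceProfiles"], "Effect": "Allow", "Resource": "*"},
            {"Action": ["iam:PassRole"], "Effect": "Allow", "Resource": role_arn,
             "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
        ],
    }


def find_unscoped_passrole(policy):
    """Return indexes of Allow statements that grant iam:PassRole on every role
    (Resource "*" with no iam:PassedToService condition). Wildcard actions such
    as "iam:*" or "*" are matched too, since they also grant PassRole."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatch("iam:passrole", p) for p in patterns):
            continue
        resources = _as_list(stmt.get("Resource", []))
        condition = stmt.get("Condition", {})
        service_scoped = any(
            "iam:PassedToService" in keys
            for keys in condition.values() if isinstance(keys, dict)
        )
        if "*" in resources and not service_scoped:
            findings.append(idx)
    return findings


def policy_json(policy):
    """Serialise for pasting into the IAM console or `aws iam put-role-policy`."""
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    print("forum policy, unscoped PassRole statements:", find_unscoped_passrole(FORUM_POLICY))
    hardened = build_hardened_policy("us-east-1", ASSUMED_ROLE_ARN)
    print("hardened policy, unscoped PassRole statements:", find_unscoped_passrole(hardened))
    print(policy_json(hardened))
```

Running the script flags statement index 2 of the posted policy and nothing in the hardened one. The ec2:Region condition is kept exactly as posted (us-east-1); change it to the region you deploy to, and keep the PassRole resource pointed at the role whose instance profile the nodes use, since a mismatch there produces the same "unauthorized operation" error the thread is about.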

(Webgradus) #4

Still not working. Anyone has a workaround for this?


(Cgustavober) #5

It worked for me, thanks a lot!


(Srinivasa Kadiyala) #6

Thanks @muralibala - the policy worked for me. I am able to spin up a node.
On a side note, I have shared the policy with Docker support. They are going to take a look and update soon.
Thanks again!


(Naveenshankar) #7

The above worked for me too!