Cannot create node cluster on AWS - unauthorized operation

Hi, I’ve connected the Docker account to AWS like described here https://docs.docker.com/docker-cloud/infrastructure/link-aws/

Then I went on to create a new node cluster on AWS:

REGION: ap-southeast-1
NODE TYPE
CPU: 1
Memory: t2.micro
Disk Space: 0GB (keeps showing 0 in the cluster overview, no matter if I set it to 10GB or 60GB)

It fails with the following output:

Deploying node cluster myproject:myprojectstaging
12345678-myproject: Deploying to Amazon Web Services/ap-southeast-1
12345678-myproject: Instance is now terminated in Amazon Web Services
ERROR: 12345678-myproject: AWS returned an error: unauthorized operation. Please check that the AWS credentials you have provided have enough permissions
12345678-myproject: Reallocating containers in other nodes...
ERROR: Node Cluster Deploy action on 'myprojectstaging' in region 'Amazon Web Services/ap-southeast-1' has failed
12345678-myproject: Reallocation done!

I also tried to temporarily give the role FullAccess policies to EC2 and other services, but it still won’t deploy.
When I remove all policies (including the dockercloud-policy) it actually tells me “Invalid AWS role or insufficient permissions”.
Also tried us-east-1 region with same results.

EDIT:
I’ve played around more with the AWS policies and adding AmazonEC2ContainerServiceFullAccess seems to allow the creation of nodes on AWS. The policy from the docs does not seem to be enough.

1 Like

I fixed the issue by adding permission to perform “iam:PassRole” action in the dockercloud-policy.

@DockerCloud: Will you update your documentation? In https://docs.docker.com/docker-cloud/infrastructure/link-aws/ add “iam:PassRole” after “iam:ListInstanceProfiles”.

2 Likes

For everyone’s reference, if you are getting the above error, please use this text for policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:*"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:Region": "us-east-1"
                }
            }
        },
        {
            "Action": [
                "iam:ListInstanceProfiles"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "iam:PassRole"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
3 Likes
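As an added example (not Docker’s code and not a full IAM engine), a small evaluator for the policy posted above, so you can check what it grants before attaching it. Two caveats worth noticing: the posted policy locks ec2:* to us-east-1 while the opening post deploys to ap-southeast-1, and iam:PassRole on Resource "*" lets the credentials pass any role in the account, so the variant below narrows it to one role (ROLE_ARN is a constructed placeholder).

```python
# Added example (not Docker's code, not a full IAM engine): a minimal evaluator
# for the policy posted above. It models Allow/Deny, wildcard Action/Resource
# matching and StringEquals conditions, enough to check what the policy grants.
import fnmatch

ROLE_ARN = "arn:aws:iam::123456789012:role/dockercloud-role"  # placeholder

def ec2_statement(regions):
    return {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*",
            "Condition": {"StringEquals": {"ec2:Region": regions}}}

# The policy before the fix: no iam:PassRole, so launching a node fails.
DOCS_POLICY = {"Version": "2012-10-17", "Statement": [
    ec2_statement(["us-east-1"]),
    {"Effect": "Allow", "Action": ["iam:ListInstanceProfiles"], "Resource": "*"},
]}

# The thread's fix, with the region list covering the region actually used
# (ap-southeast-1) and iam:PassRole limited to one role instead of "*".
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    ec2_statement(["us-east-1", "ap-southeast-1"]),
    {"Effect": "Allow", "Action": ["iam:ListInstanceProfiles"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": ROLE_ARN},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, fold_case):
    # IAM actions match case-insensitively; ARNs are compared as written.
    patterns = _as_list(patterns)
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    # Only StringEquals is modelled; a missing context key fails the condition.
    return all(context.get(key) in _as_list(values)
               for key, values in condition.get("StringEquals", {}).items())

def is_allowed(policy, action, resource="*", context=None):
    """IAM order: explicit Deny wins, then any matching Allow, else denied."""
    context, allowed = context or {}, False
    for stmt in policy["Statement"]:
        if (_matches(stmt["Action"], action, True)
                and _matches(stmt.get("Resource", "*"), resource, False)
                and _condition_holds(stmt.get("Condition", {}), context)):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Run `is_allowed(SCOPED_POLICY, "ec2:RunInstances", context={"ec2:Region": "ap-southeast-1"})` to confirm the region you deploy to is covered; the same call against DOCS_POLICY returns False.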

Still not working. Does anyone have a workaround for this?

It worked for me, thanks a lot!

Thanks @muralibala - the policy worked for me. I am able to spin up a node.
On a side note - I have shared the policy with Docker support. They are going to take a look and update soon.
Thanks again!

The above worked for me too!