Documentation has incorrect AWS Policy for restricting Docker Cloud to region


(Jonatanblue) #1

According to the user guide you can add a condition to the IAM Policy to restrict Docker Cloud to a specific region, like this:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:*",
        "iam:ListInstanceProfiles"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:Region": "us-west-2"
        }
      }
    }
  ]
}
```

However, this applies the region condition to the IAM action as well. If you give the credentials to Docker Cloud, it will complain about insufficient permissions. IAM is a global service, meaning it won’t necessarily have a region in the request, so any call to IAM will fail. Instead, you should apply the region condition only to the EC2 part of the policy. This policy will work:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:*"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:Region": "us-west-2"
        }
      }
    },
    {
      "Action": [
        "iam:ListInstanceProfiles"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```
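
A small policy evaluator for the two policies in the post above, added here as an illustration and not part of the original post or of Docker Cloud. It models only the IAM features those policies use (wildcard actions and the StringEquals operator, with a missing condition key evaluating to false) and shows why the documented policy denies the region-less IAM call while the corrected one allows it:

```python
import fnmatch

# Both policies from the post above, embedded as constructed fixtures.
DOCS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": ["ec2:*", "iam:ListInstanceProfiles"], "Effect": "Allow", "Resource": "*",
     "Condition": {"StringEquals": {"ec2:Region": "us-west-2"}}}]}

FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": ["ec2:*"], "Effect": "Allow", "Resource": "*",
     "Condition": {"StringEquals": {"ec2:Region": "us-west-2"}}},
    {"Action": ["iam:ListInstanceProfiles"], "Effect": "Allow", "Resource": "*"}]}


def statement_matches(stmt, action, context):
    """True if the statement's Action list and Condition both match the request.
    Only what these two policies use is modelled: wildcard actions like 'ec2:*'
    (case-insensitive, as in IAM) and StringEquals; Resource is always '*' here.
    """
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in actions):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in keys.items():
            # A condition key that is absent from the request context makes
            # StringEquals evaluate to false. IAM (a global service) sends no
            # ec2:Region, which is exactly why the docs policy breaks the IAM call.
            if context.get(key) != expected:
                return False
    return True


def is_allowed(policy, action, context):
    """IAM evaluation order: default deny, any matching Allow grants, Deny wins."""
    allowed = False
    for stmt in policy["Statement"]:
        if statement_matches(stmt, action, context):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    for name, policy in (("docs", DOCS_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "ec2 in us-west-2:", is_allowed(policy, "ec2:DescribeInstances", {"ec2:Region": "us-west-2"}))
        print(name, "ec2 in eu-west-1:", is_allowed(policy, "ec2:RunInstances", {"ec2:Region": "eu-west-1"}))
        print(name, "iam (no region): ", is_allowed(policy, "iam:ListInstanceProfiles", {}))
```

Before handing credentials to a third-party service, the same scoping check can be run against AWS's real evaluator with `aws iam simulate-custom-policy`, which lets you supply the policy document, the action names and the context keys the request would carry.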

(Amegianeg) #2

Hi there! Yes, you are right, the policy is not correct in the docs. We are going to fix it.
Thank you!