I have a single IAM, my question is what kind of permissions I should associate with the IAM so that the autoscaler task will work
Hi WackyRabbit7 ,
Does that mean that teh AWS autoscaler in trains, manages EC2 auto scaling directly without using the AWS built in EC2 auto scaler?
Yes, the Trains AWS auto-scaler does not use the built-in AWS auto scaling functionality
I'll probably be able to better figure it out next week. If you have some new info or find out more I'd love to hear about it 😄
which permissions should it have? I would like to avoid full EC2 access if possible, and only choose the necessary permissions
I "think" the IAM should only have the ability to create an EC2 instance (querying instances is done through the trains platform)
but nowhere in the docs does it say anything about the permissions for the IAM
This is what I meant should be documented - the permissions...
WackyRabbit7 just found out whoever tested it had full EC2 access, so you might also need the ec2:DescribeInstances
, and maybe more...
Does that mean that teh AWS autoscaler in trains, manages EC2 auto scaling directly without using the AWS built in EC2 auto scaler?
I think this should be documented
Although it is already documented (see https://allegro.ai/docs/examples/services/aws_autoscaler/aws_autoscaler/ ) I completely agree the documentation should be expanded and improved 🙂 - I'll make sure we'll take a look at it. As always, any further suggestions will be greatly appreciated 🙂
so putting the docs aside, what permissions should I give to the IAM associated with trains' autoscale ?
AgitatedDove14 since this is a powerful feature, I think this should be documented. I'm at a point where I want to use the AWS autoscaler and i'm not sure how.
I see in the docs that I need to supply the access+secret keys, which are associated with an IAM, but nowhere does it say what permissions does this IAM need in order to execute.
Also using the name "AWS Autoscaler" immediately suggests that behind the scene, trains uses the https://docs.aws.amazon.com/autoscaling/ec2/userguide/what-is-amazon-ec2-auto-scaling.html service hence I should grant this service's permissiosn to it, but your message suggest ohterwise, where I would need to assign EC2 specific permissions to it. Since security is always a big issue, I think the documentation should be explicit about which permissions does the IAM need in order to use this feature - and nothing easier than supplying the actual policy's JSON
If the credentials don't have access tothe autoscale service obviously it won't work
Hi WackyRabbit7 , sorry, I was unavailable 🙂
I'm looking now for the permissions required...
WackyRabbit7 you can configure AWS autoscaler with two types of instances , with priority to one of them. So in theory you do not need two autoscaler processes, with that in mind I "think" single IAM should suffice
WackyRabbit7 it seems you only need:ec2:StartInstances ec2:StopInstances