Examples: query, "exact match", wildcard*, wild?ard, wild*rd
Fuzzy search: cake~ (finds cakes, bake)
Term boost: "red velvet"^4, chocolate^2
Field grouping: tags:(+work -"fun-stuff")
Escaping: Escape characters +-&|!(){}[]^"~*?:\ with \, e.g. \+
Range search: properties.timestamp:[1587729413488 TO *] (inclusive), properties.title:{A TO Z}(excluding A and Z)
Combinations: chocolate AND vanilla, chocolate OR vanilla, (chocolate OR vanilla) NOT "vanilla pudding"
Field search: properties.title:"The Title" AND text
Answered
In Order To Use The Aws Autoscaling, With Spot And Without Spot Instances - Should We Create A Custom Policy With The Associated Iam Or Will One Of The Two Aws Managed Policies (Or Both) Will Suffice?

In order to use the AWS Autoscaling, with spot and without spot instances - should we create a custom policy with the associated IAM or will one of the two AWS managed policies (or both) will suffice?

  
  
Posted 4 years ago
Votes Newest

Answers 23


I have a single IAM, my question is what kind of permissions I should associate with the IAM so that the autoscaler task will work

  
  
Posted 4 years ago

Hi WackyRabbit7 ,

Does that mean that teh AWS autoscaler in trains, manages EC2 auto scaling directly without using the AWS built in EC2 auto scaler?

Yes, the Trains AWS auto-scaler does not use the built-in AWS auto scaling functionality

  
  
Posted 4 years ago

Hey Jake thanks for responding

  
  
Posted 4 years ago

I'll probably be able to better figure it out next week. If you have some new info or find out more I'd love to hear about it 😄

  
  
Posted 4 years ago

which permissions should it have? I would like to avoid full EC2 access if possible, and only choose the necessary permissions

  
  
Posted 4 years ago

I "think" the IAM should only have the ability to create an EC2 instance (querying instances is done through the trains platform)

  
  
Posted 4 years ago

but nowhere in the docs does it say anything about the permissions for the IAM

  
  
Posted 4 years ago

This is what I meant should be documented - the permissions...

  
  
Posted 4 years ago

SuccessfulKoala55 ?

  
  
Posted 4 years ago

Cool, thats more than reasonable!

  
  
Posted 4 years ago

WackyRabbit7 just found out whoever tested it had full EC2 access, so you might also need the ec2:DescribeInstances , and maybe more...

  
  
Posted 4 years ago

Does that mean that teh AWS autoscaler in trains, manages EC2 auto scaling directly without using the AWS built in EC2 auto scaler?

  
  
Posted 4 years ago

Let me know if it works 👍 🙂

  
  
Posted 4 years ago

I think this should be documented

Although it is already documented (see https://allegro.ai/docs/examples/services/aws_autoscaler/aws_autoscaler/ ) I completely agree the documentation should be expanded and improved 🙂 - I'll make sure we'll take a look at it. As always, any further suggestions will be greatly appreciated 🙂

  
  
Posted 4 years ago

so putting the docs aside, what permissions should I give to the IAM associated with trains' autoscale ?

  
  
Posted 4 years ago

😅

  
  
Posted 4 years ago

Cool thanks 🤩

  
  
Posted 4 years ago

AgitatedDove14 since this is a powerful feature, I think this should be documented. I'm at a point where I want to use the AWS autoscaler and i'm not sure how.

I see in the docs that I need to supply the access+secret keys, which are associated with an IAM, but nowhere does it say what permissions does this IAM need in order to execute.

Also using the name "AWS Autoscaler" immediately suggests that behind the scene, trains uses the https://docs.aws.amazon.com/autoscaling/ec2/userguide/what-is-amazon-ec2-auto-scaling.html service hence I should grant this service's permissiosn to it, but your message suggest ohterwise, where I would need to assign EC2 specific permissions to it. Since security is always a big issue, I think the documentation should be explicit about which permissions does the IAM need in order to use this feature - and nothing easier than supplying the actual policy's JSON

  
  
Posted 4 years ago

?

  
  
Posted 4 years ago

If the credentials don't have access tothe autoscale service obviously it won't work

  
  
Posted 4 years ago

Hi WackyRabbit7 , sorry, I was unavailable 🙂
I'm looking now for the permissions required...

  
  
Posted 4 years ago

WackyRabbit7 you can configure AWS autoscaler with two types of instances , with priority to one of them. So in theory you do not need two autoscaler processes, with that in mind I "think" single IAM should suffice

  
  
Posted 4 years ago

WackyRabbit7 it seems you only need:
ec2:StartInstances ec2:StopInstances

  
  
Posted 4 years ago
970 Views
23 Answers
4 years ago
one year ago
Tags