Re: [Juju] Minimum policies for Juju to work on public clouds

2016-03-06 Thread Samuel Cozannet
Yeah, I tried to add the VPC as well, but it didn't work either. There is
something about the "bucket" created at the beginning, I thought S3 perms
would do, but no luck.




--
Samuel Cozannet
Cloud, Big Data and IoT Strategy Team
Business Development - Cloud and ISV Ecosystem
Changing the Future of Cloud
Ubuntu   / Canonical UK LTD  / Juju

samuel.cozan...@canonical.com
mob: +33 616 702 389
skype: samnco
Twitter: @SaMnCo_23

On Sun, Mar 6, 2016 at 2:41 PM, Tom Barber wrote:

> Do you need to offer up some VPC permissions as well on VPC default EC2
> accounts?
> On 6 Mar 2016 13:24, "Samuel Cozannet" wrote:
>
>> Hi All,
>>
>> I have been setting up many different environments on AWS, GCE, Azure
>> (...), but my most used cloud by far until now has been AWS.
>>
>> The way I have operated until now is to create an admin group in IAM,
>> then adding users in it for my demos, and use their credentials in the
>> environment file.
>> This means Juju has "full power" on my AWS environment, to the extent it
>> could create additional users. Furthermore, if I share my environment with
>> someone, I am "giving" my AWS account away essentially. Not cool.
>> Hence I tried to find the minimum policy (or group of policies) I should
>> apply to make it work without giving away too much power.
>>
>> Juju seems to work fine with PowerUser perms, which is everything minus
>> user management. A good start, but still too much for me.
>>
>> Then when I tried to restrict further,
>> * FullEC2Access: not sufficient, fails to bootstrap
>> * FullEC2 + FullS3: not sufficient, fails to bootstrap
>> The error I get is:
>> ERROR failed to bootstrap environment: cannot start bootstrap instance:
>> recording instance in provider-state: cannot write file "provider-state" to
>> control bucket: The specified bucket does not exist
>>
>> ==> Is there a recommended set of policies somewhere? I'd love to see
>> that in the docs as well, with advice for each cloud.
>>
>> Thanks,
>> Sam
-- 
Juju mailing list
Juju@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/juju


Re: [Juju] Minimum policies for Juju to work on public clouds

2016-03-06 Thread Tom Barber
Do you need to offer up some VPC permissions as well on VPC default EC2
accounts?
On 6 Mar 2016 13:24, "Samuel Cozannet" wrote:

> Hi All,
>
> I have been setting up many different environments on AWS, GCE, Azure
> (...), but my most used cloud by far until now has been AWS.
>
> The way I have operated until now is to create an admin group in IAM, then
> adding users in it for my demos, and use their credentials in the
> environment file.
> This means Juju has "full power" on my AWS environment, to the extent it
> could create additional users. Furthermore, if I share my environment with
> someone, I am "giving" my AWS account away essentially. Not cool.
> Hence I tried to find the minimum policy (or group of policies) I should
> apply to make it work without giving away too much power.
>
> Juju seems to work fine with PowerUser perms, which is everything minus
> user management. A good start, but still too much for me.
>
> Then when I tried to restrict further,
> * FullEC2Access: not sufficient, fails to bootstrap
> * FullEC2 + FullS3: not sufficient, fails to bootstrap
> The error I get is:
> ERROR failed to bootstrap environment: cannot start bootstrap instance:
> recording instance in provider-state: cannot write file "provider-state" to
> control bucket: The specified bucket does not exist
>
> ==> Is there a recommended set of policies somewhere? I'd love to see that
> in the docs as well, with advice for each cloud.
>
> Thanks,
> Sam


[Juju] Minimum policies for Juju to work on public clouds

2016-03-06 Thread Samuel Cozannet
Hi All,

I have been setting up many different environments on AWS, GCE, Azure
(...), but my most used cloud by far until now has been AWS.

The way I have operated until now is to create an admin group in IAM, then
adding users in it for my demos, and use their credentials in the
environment file.
This means Juju has "full power" on my AWS environment, to the extent it
could create additional users. Furthermore, if I share my environment with
someone, I am "giving" my AWS account away essentially. Not cool.
Hence I tried to find the minimum policy (or group of policies) I should
apply to make it work without giving away too much power.

Juju seems to work fine with PowerUser perms, which is everything minus
user management. A good start, but still too much for me.

Then when I tried to restrict further,
* FullEC2Access: not sufficient, fails to bootstrap
* FullEC2 + FullS3: not sufficient, fails to bootstrap
The error I get is:
ERROR failed to bootstrap environment: cannot start bootstrap instance:
recording instance in provider-state: cannot write file "provider-state" to
control bucket: The specified bucket does not exist

==> Is there a recommended set of policies somewhere? I'd love to see that
in the docs as well, with advice for each cloud.

Thanks,
Sam
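
The difference between the admin, PowerUser and EC2/S3-only credentials discussed in the message above, as an added example that is not part of the original post: a simplified IAM statement evaluator that reports which policy tiers would let a shared key manage IAM users. The policy documents are constructed stand-ins for the tiers named in the thread (not copies of AWS managed policies), the probe actions are assumptions, and Resource and Condition elements are ignored.

```python
import fnmatch

# Constructed, simplified policy documents modelled on the tiers named in the
# thread; illustrations only, not copies of AWS managed policies.
POLICIES = {
    "admin": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    "power-user": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}],
    "ec2+s3": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

# Assumed probes: starting an instance and writing to a bucket (both appear in
# the bootstrap error), plus IAM actions that would let a shared key escalate.
PROBES = ["ec2:RunInstances", "s3:PutObject", "iam:CreateUser", "iam:CreateAccessKey"]

def _matches(patterns, action):
    # IAM action names are case-insensitive and accept * and ? wildcards.
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def statement_applies(stmt, action):
    # "NotAction" inverts the match: the statement covers everything except the list.
    if "Action" in stmt:
        return _matches(stmt["Action"], action)
    if "NotAction" in stmt:
        return not _matches(stmt["NotAction"], action)
    return False

def is_allowed(statements, action):
    """Default deny; a matching Allow grants; any matching Deny overrides."""
    allowed = False
    for stmt in statements:
        if statement_applies(stmt, action):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def audit(policies=POLICIES, probes=PROBES):
    # Map each policy tier to {action: bool} for the probe actions.
    return {name: {a: is_allowed(stmts, a) for a in probes}
            for name, stmts in policies.items()}

if __name__ == "__main__":
    for name, result in audit().items():
        flags = ", ".join(f"{a}={'ALLOW' if ok else 'deny'}" for a, ok in result.items())
        print(f"{name:10s} {flags}")
```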