Posted to commits@kylin.apache.org by xx...@apache.org on 2022/04/11 10:53:11 UTC

[kylin] branch kylin4_on_cloud updated: Fix doc and downgrade log level (#1854)

This is an automated email from the ASF dual-hosted git repository.

xxyu pushed a commit to branch kylin4_on_cloud
in repository https://gitbox.apache.org/repos/asf/kylin.git


The following commit(s) were added to refs/heads/kylin4_on_cloud by this push:
     new 9ab85b4e47 Fix doc and downgrade log level (#1854)
9ab85b4e47 is described below

commit 9ab85b4e47fd38eb344223dde7d0d25b4fd44a27
Author: Tengting Xu <34...@users.noreply.github.com>
AuthorDate: Mon Apr 11 18:53:05 2022 +0800

    Fix doc and downgrade log level (#1854)
    
    * # minor fix, remove useless log
    
    * # minor fix, clearly the auth to aws
    
    * # minor fix, update note about iam policy
---
 instances/aws_instance.py |   3 +-
 readme/prerequisites.md   | 144 +++++++++++++++++++++++-----------------------
 2 files changed, 72 insertions(+), 75 deletions(-)

diff --git a/instances/aws_instance.py b/instances/aws_instance.py
index 6d311fc5f3..32c4057997 100644
--- a/instances/aws_instance.py
+++ b/instances/aws_instance.py
@@ -2242,8 +2242,7 @@ class AWSInstance:
     def _stack_status_check(self, name_or_id: str, status: str) -> bool:
         try:
             resp: Dict = self.cf_client.describe_stacks(StackName=name_or_id)
-        except ClientError as ce:
-            logger.error(f"check stack status error: {ce}")
+        except ClientError:
             return False
         return resp['Stacks'][0]['StackStatus'] == status
 
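Review bot: The bare `except ClientError: return False` in `_stack_status_check` now hides every CloudFormation API failure, so an access-denied or throttled `describe_stacks` call looks the same as "stack is not in this status" and leaves no log entry. That matters for troubleshooting under-permissioned IAM users, which seems a likely case given that this commit also edits the required IAM action list. I would keep the quiet path only for the expected missing-stack case and log everything else: `except ClientError as ce:` followed by `if ce.response['Error']['Code'] != 'ValidationError': logger.warning(f"check stack status error: {ce}")` before the `return False`. CloudFormation normally reports a non-existent stack as `ValidationError`, but confirm that against the callers' expectations. A short docstring stating that `False` means either "status differs" or "stack could not be described" would also help.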
diff --git a/readme/prerequisites.md b/readme/prerequisites.md
index 5296f281c9..9f5b697585 100644
--- a/readme/prerequisites.md
+++ b/readme/prerequisites.md
@@ -21,6 +21,11 @@ Users need the following permissions to ensure that subsequent operations can pr
 | **STS**             | **Limited**: Write                                     | All Resources | None              |
 | **Systems Manager** | **Limited**: Write                                     | All Resources | None              |
 
+> Note: 
+> 
+>   [AWS IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) is a AWS web service to control who is authenticated (signed in) and authorized (has permissions) to use AWS resources. To make you user account has the sufficient permissions, such as create and destroy EC2 instances, read and write file to s3 buckets, execute command remotely, we use [IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) to manage permissions for AWS account [...]
+
+
 ##### How to add the required permissions for user?
 
 ###### 1. Create a permission policy in AWS IAM services:
@@ -39,113 +44,98 @@ Users need the following permissions to ensure that subsequent operations can pr
             "Effect": "Allow",
             "Action": [
                 "s3:ListAccessPointsForObjectLambda",
+                "s3:ListBucket",
+                "s3:PutBucketTagging",
+                "s3:ListBucketMultipartUploads",
+                "s3:ListAllMyBuckets",
+                "s3:ListJobs",
+                "s3:ListMultipartUploadParts",
+                "s3:ListBucketVersions",
+                "s3:PutBucketPublicAccessBlock",
+                "s3:ListAccessPoints",
+                "s3:ListMultiRegionAccessPoints",
+                "s3:ListStorageLensConfigurations",
                 "ec2:AuthorizeSecurityGroupIngress",
                 "ec2:DescribeInstances",
                 "ec2:AttachInternetGateway",
-                "iam:PutRolePolicy",
-                "rds:CreateDBSubnetGroup",
-                "iam:AddRoleToInstanceProfile",
-                "rds:ModifyDBParameterGroup",
-                "cloudformation:DescribeStackEvents",
                 "ec2:CreateRoute",
                 "ec2:CreateInternetGateway",
-                "cloudformation:UpdateStack",
                 "ec2:DescribeKeyPairs",
-                "cloudformation:ListStackResources",
-                "iam:GetRole",
                 "ec2:CreateTags",
                 "ec2:ModifyNetworkInterfaceAttribute",
-                "elasticloadbalancing:CreateTargetGroup",
                 "ec2:RunInstances",
-                "cloudwatch:GetMetricStatistics",
                 "ec2:CreateVpcEndpointServiceConfiguration",
                 "ec2:CreateNetworkInterface",
-                "cloudformation:GetStackPolicy",
-                "elasticloadbalancing:AddTags",
-                "cloudformation:DeleteStack",
+                "ec2:CreateVpcEndpointServiceConfiguration",
+                "ec2:CreateNetworkInterface",
                 "ec2:CreateSubnet",
                 "ec2:DescribeSubnets",
-                "iam:GetRolePolicy",
-                "elasticloadbalancing:ModifyLoadBalancerAttributes",
-                "cloudformation:ValidateTemplate",
-                "iam:CreateInstanceProfile",
                 "ec2:CreateNatGateway",
                 "ec2:CreateVpc",
-                "sns:ListTopics",
-                "s3:ListBucket",
-                "cloudformation:CreateStackInstances",
-                "iam:ListInstanceProfilesForRole",
-                "iam:PassRole",
                 "ec2:DescribeAvailabilityZones",
-                "s3:PutBucketTagging",
-                "rds:CreateDBInstance",
-                "sts:DecodeAuthorizationMessage",
-                "rds:DescribeDBInstances",
-                "rds:AddTagsToResource",
-                "s3:ListBucketMultipartUploads",
-                "elasticloadbalancing:CreateLoadBalancer",
                 "ec2:AttachVpnGateway",
-                "iam:ListRoles",
-                "elasticloadbalancing:SetSubnets",
                 "ec2:DescribeSecurityGroups",
-                "iam:CreatePolicy",
-                "iam:CreateServiceLinkedRole",
-                "s3:ListAllMyBuckets",
                 "ec2:DescribeVpcs",
-                "elasticloadbalancing:DescribeTargetGroups",
-                "elasticloadbalancing:RegisterTargets",
-                "iam:CreateRole",
-                "s3:CreateBucket",
-                "rds:DescribeEngineDefaultParameters",
-                "cloudformation:DescribeStackResource",
                 "ec2:AssociateVpcCidrBlock",
                 "ec2:AssociateRouteTable",
                 "ec2:DescribeInternetGateways",
-                "elasticloadbalancing:DescribeLoadBalancers",
-                "elasticloadbalancing:CreateRule",
                 "ec2:DescribeAccountAttributes",
                 "ec2:DescribeRouteTables",
-                "rds:CreateDBParameterGroup",
-                "cloudformation:DescribeStackInstance",
-                "s3:ListJobs",
                 "ec2:CreateRouteTable",
-                "cloudformation:DescribeStackResources",
-                "rds:DescribeDBSecurityGroups",
-                "rds:StartDBInstance",
-                "cloudformation:DescribeStacks",
-                "s3:ListMultipartUploadParts",
-                "elasticloadbalancing:DescribeLoadBalancerAttributes",
-                "cloudformation:GetTemplate",
                 "ec2:AssociateSubnetCidrBlock",
                 "ec2:DescribeInstanceTypes",
-                "rds:DescribeOrderableDBInstanceOptions",
                 "ec2:DescribeVpcEndpoints",
                 "ec2:DescribeAddresses",
-                "rds:DescribeDBSubnetGroups",
                 "ec2:DescribeInstanceAttribute",
-                "s3:ListBucketVersions",
-                "rds:DescribeDBParameterGroups",
-                "elasticloadbalancing:CreateListener",
                 "ec2:DescribeNetworkInterfaces",
-                "elasticloadbalancing:DescribeListeners",
                 "ec2:CreateSecurityGroup",
                 "ec2:ModifyVpcAttribute",
-                "rds:DescribeDBParameters",
                 "ec2:AuthorizeSecurityGroupEgress",
-                "cloudformation:ListStacks",
-                "s3:PutBucketPublicAccessBlock",
-                "iam:GetInstanceProfile",
-                "s3:ListAccessPoints",
                 "ec2:DescribeNatGateways",
-                "s3:ListMultiRegionAccessPoints",
                 "ec2:AllocateAddress",
+                "ec2:CreateVpcEndpoint",
+                "ec2:AttachNetworkInterface",
+                "iam:PutRolePolicy",
+                "iam:GetRole",
+                "iam:GetRolePolicy",
+                "iam:CreateInstanceProfile",
+                "iam:ListInstanceProfilesForRole",
+                "iam:PassRole",
+                "iam:ListRoles",
+                "iam:CreatePolicy",
+                "iam:CreateServiceLinkedRole",
+                "iam:CreateRole",
+                "iam:GetInstanceProfile",
+                "rds:CreateDBSubnetGroup",
+                "rds:CreateDBInstance",
+                "rds:DescribeDBInstances",
+                "rds:AddTagsToResource",
+                "rds:DescribeEngineDefaultParameters",
+                "rds:CreateDBParameterGroup",
+                "rds:DescribeDBSecurityGroups",
+                "rds:StartDBInstance",
+                "rds:DescribeOrderableDBInstanceOptions",
+                "rds:DescribeDBSubnetGroups",
+                "rds:DescribeDBParameterGroups",
+                "rds:DescribeDBParameters",
+                "cloudwatch:GetMetricStatistics",
+                "cloudformation:DeleteStack",
+                "cloudformation:ValidateTemplate",
+                "cloudformation:CreateStackInstances",
+                "cloudformation:DescribeStackResources",
+                "cloudformation:DescribeStacks",
+                "cloudformation:GetTemplate",
+                "cloudformation:ListStacks",
                 "cloudformation:GetTemplateSummary",
-                "s3:ListStorageLensConfigurations",
                 "cloudformation:CreateStack",
-                "ec2:CreateVpcEndpoint",
-                "elasticloadbalancing:DescribeTargetHealth",
-                "elasticloadbalancing:SetSecurityGroups",
-                "ec2:AttachNetworkInterface"
+                "cloudformation:DescribeStackEvents",
+                "cloudformation:UpdateStack",
+                "cloudformation:ListStackResources",
+                "cloudformation:GetStackPolicy",
+                "cloudformation:DescribeStackResource",
+                "cloudformation:DescribeStackInstance",
+                "sns:ListTopics",
+                "sts:DecodeAuthorizationMessage"
             ],
             "Resource": "*"
         },
@@ -157,13 +147,21 @@ Users need the following permissions to ensure that subsequent operations can pr
         },
         {
             "Effect": "Allow",
-            "Action": ["ssm:SendCommand"],
-             "Resource": ["arn:aws-cn:ssm:*:*:document/*"]
+            "Action": [
+                "ssm:SendCommand"
+            ],
+            "Resource": [
+                "arn:aws-cn:ssm:*:*:document/*"
+            ]
         },
         {
             "Effect": "Allow",
-            "Action": ["ssm:SendCommand"],
-            "Resource": ["arn:aws-cn:ec2:*:*:instance/*"]
+            "Action": [
+                "ssm:SendCommand"
+            ],
+            "Resource": [
+                "arn:aws-cn:ec2:*:*:instance/*"
+            ]
         }
 ```