Privileges for IAM ibmdpuser when installing DSX Local in AWS?
I am attempting to install DSX Local in AWS.
According to https://datascience.ibm.com/docs/content/local/requirements.html I must create an IAM user and provide an access key/secret during the install. I created a new user and provided the credentials, however I get this message from the installer:
Waiter SystemStatusOk failed: You are not authorized to perform this operation. Could not access the aws cli using credentials provided.
I'm assuming this is because I have not given the IAM user the necessary privileges. The problem is the documentation doesn't say what privileges the user account needs to have. I follow the principle of least privilege and I want to know exactly what this installer intends to do with these credentials. I am NOT going to give this thing full admin access!
The IAM user needs to have privileges to associate the Elastic IP to any of the master node instances and DE-associate and re-associate to another master if the master node having the Elastic goes down for whatever reason. This gives HA ability within the product
Just providing more details on exactly how to create a user with just the privileged needed in AWS Before creating the User or a Group, we will first create the IAM Policy for them. After creating IAM Policy you can easily create a User or a Group and attach the newly created policy to it.
To create a policy, you can follow the step mentioned below. 1. Goto IAM Management console @ https://urldefense.proofpoint.com/v2/url?u=https-3A__console.aws.amazon.com_iam_&d=DwICaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=H0nmrDQjWzWxiF1smUNPnCNKRQ9F9kraWkdSS-ufkEE&m=2cU6fJXvUBvD0uilQ_H8QJ1gJt3cdirTQ7bksVsvOAw&s=60hmOvWSy7Npf748rbhONngqYhqjYcSTqIxQ4nesO_o&e=. 2. In the navigation pane on the left, choose 'Policies'. If this is your first time choosing Policies, the Welcome to Managed Policies page appears. Choose 'Get Started'. 3. Choose 'Create policy'. 4. Select 'JSON' Editor. 5. Copy the below JSON syntax and paste it in the box. ===================================================== { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1375723773000", "Action": [ "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:DescribeAddresses", "ec2:DisassociateAddress" ], "Resource": [ "*" ], "Effect": "Allow" } ] } ===================================================== 6. Hit 'Review Policy'. 7. Give 'Name' and 'Description' to the policy. and Hit 'Create'
For more information on creating the IAM policy document. You can refer the documentation to the link [1].
After creating the IAM policy, now you are free to create a 'Users' or 'Groups' and attach the above IAM policy to it. For more information on Creating Users and Groups, you can refer the documentation in the link [2] and [3].
You can test the policy by executing the below command as an example ,
$ aws ec2 associate-address --instance xxxxxxxx --allocation-id eipalloc-xxxxxxxx --allow-reassociation --region us-east-1