Documented AWS walkthrough user needs additional policies #1079

Closed
TC1977 opened this issue Aug 28, 2018 · 4 comments

Comments

TC1977 (Contributor) commented Aug 28, 2018

OS / Environment (where do you run Algo on)

Darwin MyComp.local 17.7.0 Darwin Kernel Version 17.7.0: Thu Jun 21 22:53:14 PDT 2018; root:xnu-4570.71.2~1/RELEASE_X86_64 x86_64

Cloud Provider (where do you deploy Algo to)

AWS

Summary of the problem

The AWS walkthrough advises creating a user with limited policies (rather than just granting full "AdministratorAccess"). It seems that with the move to Ansible 2.5, the cloud install onto AWS option fails at the "get regions" step. Not sure why this wasn't failing for me before during the testing phase.

Steps to reproduce the behavior

  1. Create user with limited privileges as per https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md#minimum-required-iam-permissions-for-deployment
  2. Try to install onto AWS.
  3. Watch it fail.
  4. Create user with full AdministratorAccess.
  5. Try to install onto AWS.
  6. Watch it succeed.

Full log

(env) MyComp:algo-master admin$ ./algo

PLAY [Ask user for the input] **************************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]
[pause]
What provider would you like to use?
    1. DigitalOcean
    2. Amazon EC2
    3. Vultr
    4. Microsoft Azure
    5. Google Compute Engine
    6. Scaleway
    7. OpenStack (DreamCompute optimised)
    8. Install to existing Ubuntu 18.04 server (Advanced)
  
Enter the number of your desired provider
:
2

TASK [pause] *******************************************************************
ok: [localhost]

TASK [Set facts based on the input] ********************************************
ok: [localhost]
[pause]
Name the vpn server
[algo]
:
algore

TASK [pause] *******************************************************************
ok: [localhost]
[pause]
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks?
[y/N]
:
y

TASK [pause] *******************************************************************
ok: [localhost]
[pause]
Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?
[y/N]
:
y

TASK [pause] *******************************************************************
ok: [localhost]
[pause]
List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN
(e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
:


TASK [pause] *******************************************************************
ok: [localhost]
[pause]
Do you want to install a DNS resolver on this VPN server, to block ads while surfing?
[y/N]
:
y

TASK [pause] *******************************************************************
ok: [localhost]
[pause]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:


TASK [pause] *******************************************************************
ok: [localhost]
[pause]
Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]
:


TASK [pause] *******************************************************************
ok: [localhost]
[pause]
Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]
:


TASK [pause] *******************************************************************
ok: [localhost]

TASK [Set facts based on the input] ********************************************
ok: [localhost]

PLAY [Provision the server] ****************************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]

TASK [Generate the SSH private key] ********************************************
changed: [localhost]

TASK [Generate the SSH public key] *********************************************
changed: [localhost]
[cloud-ec2 : pause]
Enter your aws_access_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
Note: Make sure to use an IAM user with an acceptable policy attached (see https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md)
 (output is hidden):

TASK [cloud-ec2 : pause] *******************************************************
ok: [localhost]
[cloud-ec2 : pause]
Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
 (output is hidden):

TASK [cloud-ec2 : pause] *******************************************************
ok: [localhost]

TASK [cloud-ec2 : set_fact] ****************************************************
ok: [localhost]

TASK [cloud-ec2 : Get regions] *************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ClientError: An error occurred (UnauthorizedOperation) when calling the DescribeRegions operation: You are not authorized to perform this operation.
fatal: [localhost]: FAILED! => {"changed": false, "error": {"code": "UnauthorizedOperation", "message": "You are not authorized to perform this operation."}, "msg": "Unable to describe regions: An error occurred (UnauthorizedOperation) when calling the DescribeRegions operation: You are not authorized to perform this operation.", "response_metadata": {"http_headers": {"date": "Tue, 28 Aug 2018 12:25:21 GMT", "server": "AmazonEC2", "transfer-encoding": "chunked"}, "http_status_code": 403, "request_id": "7cd67d73-64ed-4ecd-9ef6-18ccb2e4aadc", "retry_attempts": 0}}

TASK [cloud-ec2 : debug] *******************************************************
ok: [localhost] => {
    "fail_hint": [
        "Sorry, but something went wrong!", 
        "Please check the troubleshooting guide.", 
        "https://trailofbits.github.io/algo/troubleshooting.html"
    ]
}

TASK [cloud-ec2 : fail] ********************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed as requested from task"}

PLAY RECAP *********************************************************************
localhost                  : ok=19   changed=2    unreachable=0    failed=2   
TC1977 (Contributor, Author) commented Aug 28, 2018

I'm gonna try to run it again, adding only the "DescribeAvailabilityZones" to the documented minimum permissions policy.

hermitsy commented

Can second that. I am getting the same error.

TC1977 (Contributor, Author) commented Aug 28, 2018

Sorry, it's "DescribeRegions" not "DescribeAvailabilityZones". @hermitsy please try updating your user's permissions in IAM to include this. PR #1080 opened.

TC1977 (Contributor, Author) commented Aug 28, 2018

Others who have the old permissions may need to update their policies manually.

  • Log into your console with an admin account.
  • Go to "IAM" from the console.
  • Go to "Users" and select the user you've created with the minimum permissions. Select the "Permissions" tab, then select the policy that you created before. (You could also just select it directly from "Policies" on the left, if you remember the policy name.)
  • Select "Edit policy", and then the "JSON" tab.
  • Insert "ec2:DescribeRegions" below the existing line 9, making sure you're keeping the appropriate indentation of the surrounding lines.
  • Hit "Review policy", then "Save changes".

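A static pre-check for this class of failure, added here as an example and not part of Algo or of this thread: it parses an IAM policy document, reports which actions from a required list it does not grant (honouring IAM's `*`/`?` wildcards and explicit Deny), and applies the same edit the console steps above make by hand. The sample policy and the `REQUIRED` list are constructed for illustration and are not the policy from the Algo docs.

```python
import fnmatch
import json

# Constructed sample (NOT the policy from the Algo docs): an Algo-style minimum policy before DescribeRegions was added.
OLD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:DescribeImages", "ec2:RunInstances", "cloudformation:*"],
        "Resource": "*",
    }],
})
REQUIRED = ["ec2:DescribeRegions", "ec2:RunInstances"]  # hypothetical subset of what the deploy needs

def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])

def _matches(action, patterns):
    # IAM action matching: case-insensitive, '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def action_allowed(policy_json, action):
    """True if the policy grants `action`; an explicit Deny always wins.
    Resource and Condition are ignored, so this is a static pre-check only."""
    allowed = False
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if "Action" in stmt:
            hit = _matches(action, _as_list(stmt["Action"]))
        else:  # NotAction statements match everything not listed
            hit = not _matches(action, _as_list(stmt.get("NotAction")))
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed

def missing_actions(policy_json, required=REQUIRED):
    """Required actions the policy does not grant (empty list means OK)."""
    return [a for a in required if not action_allowed(policy_json, a)]

def add_action(policy_json, action):
    """Append `action` to the first Allow statement, the edit made by hand above."""
    policy = json.loads(policy_json)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            stmt["Action"] = _as_list(stmt["Action"]) + [action]
            break
    return json.dumps(policy, indent=4)
```

Run `missing_actions(OLD_POLICY)` to see `ec2:DescribeRegions` reported, then `missing_actions(add_action(OLD_POLICY, "ec2:DescribeRegions"))` returns an empty list; the authoritative check against the real user remains `aws iam simulate-principal-policy`.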