Linking Rancher to AWS

I created an IAM account for use with Rancher and gave it what I think are sufficient permissions.

Getting an error on this page /infra/hosts/add/amazonec2 :

UnauthorizedOperation: You are not authorized to perform this operation.

What operation is it talking about? Is there documentation/sample on what IAM policy Rancher needs?

You can open up the browser (preferably Chrome) inspector Networking tab and see what request is failing; the first step after entering credentials is connecting to each region and getting all the VPC/subnets.

So my random guess would be that you didn’t grant permission to every region, and we don’t handle that by only showing the ones that were available?

The UI calls these in the EC2 SDK, I’m not sure the exact IAM names but they should map directly:

describeRegions
describeSubnets
describeSecurityGroups
createSecurityGroup
authorizeSecurityGroupIngress
createTags

and once you actually submit, docker-machine makes some additional calls, e.g. obviously to create the instance, but possibly others.
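The six SDK calls listed above map one-to-one onto IAM action names (describeRegions is ec2:DescribeRegions, and so on). The following script is an added example, not code from Rancher or from anyone in this thread: it builds the IAM policy that covers exactly those calls and then runs a small local, action-level approximation of IAM evaluation (explicit Deny beats Allow, no matching statement is an implicit deny, `*` wildcards as in IAM) to show which of the UI's calls a given policy leaves unauthorized. It reproduces the pattern seen later in the thread, where a Describe-only policy (the constructed READ_ONLY_LIKE stand-in below; the real AmazonEC2ReadOnlyAccess managed policy grants more than just ec2:Describe*) lets the region/subnet listing succeed while the Create* calls on submit would still fail. The evaluator ignores Resource and Condition elements, and the extra calls docker-machine makes are not on this page, so they are not in the list.

```python
import fnmatch
import json

# EC2 SDK methods the Rancher add-host UI calls, as listed in the thread above.
# docker-machine's later calls are not documented on the page and are not included.
UI_SDK_CALLS = [
    "describeRegions",
    "describeSubnets",
    "describeSecurityGroups",
    "createSecurityGroup",
    "authorizeSecurityGroupIngress",
    "createTags",
]


def sdk_call_to_iam_action(name: str, service: str = "ec2") -> str:
    """Map an SDK method name to its IAM action: describeRegions -> ec2:DescribeRegions."""
    return f"{service}:{name[0].upper()}{name[1:]}"


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive and supports '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy: dict, action: str) -> bool:
    """Action-level IAM decision (assumption: Resource '*' and no Conditions).

    An explicit Deny in any matching statement wins; an Allow is needed for
    access; with no matching statement the result is an implicit deny.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        not_actions = _as_list(stmt.get("NotAction"))
        if actions:
            hit = any(_matches(p, action) for p in actions)
        else:
            hit = not any(_matches(p, action) for p in not_actions)
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def denied_actions(policy: dict, sdk_calls=UI_SDK_CALLS) -> list:
    """Return the IAM actions, in UI call order, that the policy does not grant."""
    return [a for a in map(sdk_call_to_iam_action, sdk_calls) if not is_allowed(policy, a)]


# Constructed stand-in for a Describe-only policy (the EC2 part of a read-only policy).
READ_ONLY_LIKE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}],
}

# Policy covering exactly the six UI calls from the thread.
MINIMAL_UI_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [sdk_call_to_iam_action(c) for c in UI_SDK_CALLS],
        "Resource": "*",
    }],
}

# Constructed example showing that an explicit Deny overrides a broad Allow.
DENY_OVERRIDES = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:CreateTags", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(MINIMAL_UI_POLICY, indent=2))
    for label, policy in [("read-only-like", READ_ONLY_LIKE),
                          ("minimal-ui", MINIMAL_UI_POLICY),
                          ("deny-overrides", DENY_OVERRIDES)]:
        print(f"{label}: unauthorized for {denied_actions(policy) or 'nothing'}")
```

Run it to print the minimal policy JSON and, for each candidate policy, the UI calls that would come back as UnauthorizedOperation. To use it on your own policy, load the policy document you attached to the IAM user into `denied_actions`; if the list is empty for the six UI calls but host creation still fails, the missing action is one of docker-machine's, which this script does not model.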

Thanks, Vincent. Viewing the console didn’t help at all, but adding the stock AmazonEC2ReadOnlyAccess policy made it work.

Once the setup finalized I got a new block under my “Hosts” tab which quickly fell into Error state with message “You are not authorized to perform this operation.” I think I know why it happened, and I fixed the permission, but how do I re-kick the attempt? Do I have to re-create the host with all of the settings I just did?

Is the clone option existent for your host? If so, then you’d be able to clone it with all the settings.

The only option is to remove the host. I even looked at the API directly.

I’m not sure that there’s actually a good reason why, but we only let you clone machines that worked.

You see the issue here? There’s no explanation of what failed, and iterating trying to fix it is extremely high friction. Not to mention that the specified AWS key/secret is logged in plain text in /var/log/syslog.