[AWS][EC2] create-volume tagging request is made in a second time causing rejection from tagging policies #8538

Open
aqemia-aalixe opened this issue Feb 15, 2024 · 0 comments
Assignees
Labels
bug This issue is a bug. ec2 investigating This issue is being investigated and/or work is in progress to resolve the issue. p3 This is a minor priority issue

Comments

aqemia-aalixe commented Feb 15, 2024

Describe the bug

In order to track our costs in the company, we use tagging policies to ensure no resources are created without tags. This tagging policy also applies to EBS volumes. The AWS CLI create-volume command seems to use two API calls to create and then tag, causing the tagging policy to reject the creation request.
We want to know what the good practice is to forbid resources without tags and still be able to use the AWS CLI.

Expected Behavior

In order to track our costs, we use tagging policies to ensure no resources are created without tags. Consider the following tagging policy for EBS volumes:

{
  "explicitDeny": true,
  "matchedStatements": {
    "items": [
      {
        "statementId": "",
        "effect": "DENY",
        "principals": {
          "items": [
            {
              "value": "XXXXXXXXXXXXXXXXXXXXX:i-0cfd174700797f5de"
            }
          ]
        },
        "principalGroups": {
          "items": []
        },
        "actions": {
          "items": [
            {
              "value": "ec2:ModifyVolume"
            },
            {
              "value": "ec2:CreateVolume"
            }
          ]
        },
        "resources": {
          "items": [
            {
              "value": "arn:aws:ec2:*:*:volume/*"
            }
          ]
        },
        "conditions": {
          "items": [
            {
              "key": "aws:ResourceTag/project",
              "values": {
                "items": [
                  {
                    "value": "?*"
                  }
                ]
              }
            }
          ]
        }
      }
    ]
  }
}

We use the following AWS EC2 command to create a volume from a snapshot with tag specifications:

aws ec2 create-volume --availability-zone us-east-1a --snapshot-id snap-0baa55512a59c9a94 --tag-specifications 'ResourceType=volume,Tags=[{Key=project,Value=MoonWalk}]'

According to the documentation:

--tag-specifications (list) 
    applies tags to the volume during creation.

We expected the volume to be created from the snapshot in AZ us-east-1a with the tag project: MoonWalk; instead, it results in an error due to the tagging policy. The error is described in the Current Behavior section.

Current Behavior

Trying to create a volume with tags

aws ec2 create-volume --availability-zone us-east-1a --snapshot-id snap-0baa55512a59c9a94 --tag-specifications 'ResourceType=volume,Tags=[{Key=project,Value=MoonWalk}]'

This returns the error:

PGFFWHvsObJeK_kL_JNkvyeVk63702QvtZtVlcbnGyIpzHOmy2uJFFzm0kfVOb7kfBziLAphAbwaUAm3hdjpaBeQosI998PlVGAtOLVJfWYW3eP-XBm-OwyPieEUh5eSKwATOFyTMEID39pQCMWQsgS9oOH5Fh-bQ_Us7f70Fj1MyYvP2Vh3ZZnXEpibEkOlhtbi_UC_BFnm8clALvoyjGY_lukYpioL33ZvQQtOmoA_qLUJbEU9Vuienu3rZ0C5XpBZJdC-25vLzNx7kaykEixEywnmsmxKWPKifxlW86RD3svv0ay4ja9dtDRR4wdoOOp86bmB1M9BcvUH5Y6aqZ1ZdjLY3CIfyIDRtibZuGbz4VJPAKxRqIG6Uo0mONBjptuyBQ9ANVZz9s-g5rdyUbGvs0uVs_kN5JGVS42bU-PWv4uJQmCrCXQ2hdjbWqmOcW9-FYtv72WWb9IWuY0lg8YEtttilsCvnUNUoyToQhbIERe5oKzWphTrASKeKtCSpmtN3v_Qh2bRHd1XlQsw7DAhNqwLW5Y89q8wYEprgODBtkbzCVJhxSGe_xXUIu55mzOm13cszBZkOZbbVniPgyH3W9WmMnSB8pAVFKt0lfb1Db3-g_RQbRpPP4l89q61qgILaQEYiNgzHeMHCM_i6jcXD2_O2tX6tEB0PN7kOxPlMFz72vNKD9mzFJokRNmYQwByVpuVl9LcVDXxMMpxzvlqvhDPliDIQS-NCjCziTAPEVIc7vfTqvLXUEicGrBH8zkZUx9T0J_N_4_Uts-uz9xq

When we decode the error:

aws sts decode-authorization-message --encoded-message PGFFWHvsObJeK_kL_JNkvyeVk63702QvtZtVlcbnGyIpzHOmy2uJFFzm0kfVOb7kfBziLAphAbwaUAm3hdjpaBeQosI998PlVGAtOLVJfWYW3eP-XBm-OwyPieEUh5eSKwATOFyTMEID39pQCMWQsgS9oOH5Fh-bQ_Us7f70Fj1MyYvP2Vh3ZZnXEpibEkOlhtbi_UC_BFnm8clALvoyjGY_lukYpioL33ZvQQtOmoA_qLUJbEU9Vuienu3rZ0C5XpBZJdC-25vLzNx7kaykEixEywnmsmxKWPKifxlW86RD3svv0ay4ja9dtDRR4wdoOOp86bmB1M9BcvUH5Y6aqZ1ZdjLY3CIfyIDRtibZuGbz4VJPAKxRqIG6Uo0mONBjptuyBQ9ANVZz9s-g5rdyUbGvs0uVs_kN5JGVS42bU-PWv4uJQmCrCXQ2hdjbWqmOcW9-FYtv72WWb9IWuY0lg8YEtttilsCvnUNUoyToQhbIERe5oKzWphTrASKeKtCSpmtN3v_Qh2bRHd1XlQsw7DAhNqwLW5Y89q8wYEprgODBtkbzCVJhxSGe_xXUIu55mzOm13cszBZkOZbbVniPgyH3W9WmMnSB8pAVFKt0lfb1Db3-g_RQbRpPP4l89q61qgILaQEYiNgzHeMHCM_i6jcXD2_O2tX6tEB0PN7kOxPlMFz72vNKD9mzFJokRNmYQwByVpuVl9LcVDXxMMpxzvlqvhDPliDIQS-NCjCziTAPEVIc7vfTqvLXUEicGrBH8zkZUx9T0J_N_4_Uts-uz9xq | jq -r .DecodedMessage | jq

We understand it is linked to the tagging policy and the requests being made. We do not see the tag creation in the request.

{
  "allowed": false,
  "explicitDeny": true,
  "matchedStatements": {
    "items": [
      {
        "statementId": "",
        "effect": "DENY",
        "principals": {
          "items": [
            {
              "value": "XXXXXXXXXXXXXXXXXXXX:i-0cfd174700797f5de"
            }
          ]
        },
        "principalGroups": {
          "items": []
        },
        "actions": {
          "items": [
            {
              "value": "ec2:ModifyVolume"
            },
            {
              "value": "ec2:CreateVolume"
            }
          ]
        },
        "resources": {
          "items": [
            {
              "value": "arn:aws:ec2:*:*:volume/*"
            }
          ]
        },
        "conditions": {
          "items": [
            {
              "key": "aws:ResourceTag/project",
              "values": {
                "items": [
                  {
                    "value": "?*"
                  }
                ]
              }
            }
          ]
        }
      }
    ]
  },
  "failures": {
    "items": []
  },
  "context": {
    "principal": {
      "id": "XXXXXXXXXXXXXXXXXXXX:i-0cfd174700797f5de",
      "arn": "arn:aws:sts::xxxxxxxxx:assumed-role/Role/i-0cfd174700797f5de"
    },
    "action": "CreateVolume",
    "resource": "arn:aws:ec2:us-east-1:xxxxxxxxx:volume/*",
    "conditions": {
      "items": [
        {
          "key": "aws:Resource",
          "values": {
            "items": [
              {
                "value": "volume/*"
              }
            ]
          }
        },
        {
          "key": "aws:Account",
          "values": {
            "items": [
              {
                "value": "xxxxxxxxxxxx"
              }
            ]
          }
        },
        {
          "key": "ec2:AvailabilityZone",
          "values": {
            "items": [
              {
                "value": "us-east-1a"
              }
            ]
          }
        },
        {
          "key": "ec2:Encrypted",
          "values": {
            "items": [
              {
                "value": "false"
              }
            ]
          }
        },
        {
          "key": "ec2:VolumeType",
          "values": {
            "items": [
              {
                "value": "gp2"
              }
            ]
          }
        },
        {
          "key": "aws:Region",
          "values": {
            "items": [
              {
                "value": "us-east-1"
              }
            ]
          }
        },
        {
          "key": "aws:Service",
          "values": {
            "items": [
              {
                "value": "ec2"
              }
            ]
          }
        },
        {
          "key": "ec2:VolumeID",
          "values": {
            "items": [
              {
                "value": "*"
              }
            ]
          }
        },
        {
          "key": "ec2:VolumeSize",
          "values": {
            "items": [
              {
                "value": "500"
              }
            ]
          }
        },
        {
          "key": "ec2:ParentSnapshot",
          "values": {
            "items": [
              {
                "value": "arn:aws:ec2:us-east-1::snapshot/snap-0baa55512a59c9a94"
              }
            ]
          }
        },
        {
          "key": "aws:Type",
          "values": {
            "items": [
              {
                "value": "volume"
              }
            ]
          }
        },
        {
          "key": "ec2:Region",
          "values": {
            "items": [
              {
                "value": "us-east-1"
              }
            ]
          }
        },
        {
          "key": "aws:ARN",
          "values": {
            "items": [
              {
                "value": "arn:aws:ec2:us-east-1:xxxxxxxxx:volume/*"
              }
            ]
          }
        }
      ]
    }
  }
}

Reproduction Steps

Create a tagging policy for EBS creation:

{
  "allowed": false,
  "explicitDeny": true,
  "matchedStatements": {
    "items": [
      {
        "statementId": "",
        "effect": "DENY",
        "principals": {
          "items": [
            {
              "value": "XXXXXXXXXXXXXXXXXXXX:i-0cfd174700797f5de"
            }
          ]
        },
        "principalGroups": {
          "items": []
        },
        "actions": {
          "items": [
            {
              "value": "ec2:ModifyVolume"
            },
            {
              "value": "ec2:CreateVolume"
            }
          ]
        },
        "resources": {
          "items": [
            {
              "value": "arn:aws:ec2:*:*:volume/*"
            }
          ]
        },
        "conditions": {
          "items": [
            {
              "key": "aws:ResourceTag/project",
              "values": {
                "items": [
                  {
                    "value": "?*"
                  }
                ]
              }
            }
          ]
        }
      }
    ]
  }

Create a volume using aws-cli (or boto) with tag spec:

aws ec2 create-volume --availability-zone us-east-1a --snapshot-id snap-0baa55512a59c9a94 --tag-specifications 'ResourceType=volume,Tags=[{Key=project,Value=MoonWalk}]'

Possible Solution

After removing the policy to verify that there were no mistakes with the tagging option, here is the result:

{
    "AvailabilityZone": "us-east-1a",
    "CreateTime": "2024-02-15T13:14:28+00:00",
    "Encrypted": false,
    "Size": 500,
    "SnapshotId": "snap-0baa55512a59c9a94",
    "State": "creating",
    "VolumeId": "vol-010b2647e81b4af16",
    "Iops": 1500,
    "Tags": [
        {
            "Key": "project",
            "Value": "MoonWalk"
        }
    ],
    "VolumeType": "gp2",
    "MultiAttachEnabled": false
}

It appears that the volume creation process involves two API calls: one for the volume creation and another for tagging, which circumvents the tagging policy on creation.

Is it possible to make the tagging request in the same request, or is there a workaround/a better way to ensure resource tagging while respecting how the AWS CLI works?

Additional Information/Context

No response

CLI version used

aws-cli/2.15.20

Environment details (OS name and version, etc.)

22.04.3 LTS (Jammy Jellyfish)

@aqemia-aalixe aqemia-aalixe added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 15, 2024
@RyanFitzSimmonsAK RyanFitzSimmonsAK self-assigned this May 7, 2024
@RyanFitzSimmonsAK RyanFitzSimmonsAK added investigating This issue is being investigated and/or work is in progress to resolve the issue. ec2 p3 This is a minor priority issue and removed needs-triage This issue or PR still needs to be triaged. labels May 7, 2024
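Editor's note with an added example; this is not the issue author's code and not AWS code. The decoded message above shows the deny matched the CreateVolume call itself: the resource is still `volume/*` and the context carries no `aws:ResourceTag/project` key, because a volume that is being created has no tags to read yet, and a negated operator such as `StringNotLike` evaluates true when its key is absent from the request context. The `--tag-specifications` flag maps to the `TagSpecifications` parameter of that single CreateVolume call, and the tags it carries are exposed to IAM as `aws:RequestTag/<key>`, the condition key the EC2 service authorization reference lists for `ec2:CreateVolume`. A creation guardrail therefore has to test `aws:RequestTag/project`, keep `aws:ResourceTag/project` for actions on existing volumes, and block removal of the tag afterwards (otherwise the guardrail is satisfied at creation and undone with one DeleteTags call). The script below reconstructs the original deny (the operator is not visible in the decoded message; `StringNotLike` on `?*` is assumed because it reproduces the deny), writes the corrected policy, and runs both through a small emulation of the relevant IAM condition semantics over request contexts constructed from the decoded message. The account id is a placeholder; the volume id is the one returned in the Possible Solution section.

```python
"""Emulate the IAM Deny evaluation behind the decoded authorization message above.

Added editorial example (not AWS code, not the issue author's policy). It models
only the operators needed here and the rule that decides the outcome: a negated
operator such as StringNotLike is TRUE when its key is absent from the context.
"""
import fnmatch

ACCOUNT = "123456789012"                                       # placeholder account id
VOLUME_WILDCARD = f"arn:aws:ec2:us-east-1:{ACCOUNT}:volume/*"  # resource at CreateVolume time
EXISTING_VOLUME = f"arn:aws:ec2:us-east-1:{ACCOUNT}:volume/vol-010b2647e81b4af16"

# Reconstruction of the statement in the decoded message; the operator is not
# shown there, StringNotLike on "?*" is assumed because it reproduces the deny.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyVolumeWithoutProjectTag",
        "Effect": "Deny",
        "Action": ["ec2:CreateVolume", "ec2:ModifyVolume"],
        "Resource": "arn:aws:ec2:*:*:volume/*",
        "Condition": {"StringNotLike": {"aws:ResourceTag/project": "?*"}},
    }],
}

# Corrected guardrail: creation keyed on the tags in the request, existing
# volumes on the tags they carry, and the project tag cannot be stripped later.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyCreateVolumeWithoutProjectTag", "Effect": "Deny",
         "Action": "ec2:CreateVolume", "Resource": "arn:aws:ec2:*:*:volume/*",
         "Condition": {"Null": {"aws:RequestTag/project": "true"}}},
        {"Sid": "DenyModifyUntaggedVolume", "Effect": "Deny",
         "Action": "ec2:ModifyVolume", "Resource": "arn:aws:ec2:*:*:volume/*",
         "Condition": {"Null": {"aws:ResourceTag/project": "true"}}},
        {"Sid": "DenyRemovingProjectTag", "Effect": "Deny",
         "Action": "ec2:DeleteTags", "Resource": "arn:aws:ec2:*:*:volume/*",
         "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": ["project"]}}},
    ],
}

# Constructed request contexts. CREATE_TAGGED mirrors the decoded message: the
# volume does not exist yet, so there is no aws:ResourceTag/* key; the tag from
# --tag-specifications reaches IAM as aws:RequestTag/<key>.
CREATE_TAGGED = {"aws:RequestTag/project": "MoonWalk", "ec2:AvailabilityZone": "us-east-1a"}
CREATE_UNTAGGED = {"ec2:AvailabilityZone": "us-east-1a"}
MODIFY_TAGGED = {"aws:ResourceTag/project": "MoonWalk"}
MODIFY_UNTAGGED = {}
STRIP_PROJECT_TAG = {"aws:TagKeys": ["project"]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_value(operator, ctx_value, wanted):
    """One single-valued condition; ctx_value is None when the key is absent."""
    if operator == "Null":
        return (ctx_value is None) == (str(wanted[0]).lower() == "true")
    present = ctx_value is not None
    if operator == "StringEquals":
        return present and ctx_value in wanted
    like = present and any(fnmatch.fnmatchcase(ctx_value, p) for p in wanted)
    if operator == "StringLike":
        return like
    if operator == "StringNotLike":
        return not like  # absent key -> True: this is what denied the tagged create
    raise ValueError(f"operator not modelled: {operator}")


def _condition_true(operator, ctx_value, wanted):
    if operator.startswith("ForAnyValue:"):  # multi-valued key such as aws:TagKeys
        values = [] if ctx_value is None else _as_list(ctx_value)
        return any(_match_value(operator.split(":", 1)[1], v, wanted) for v in values)
    return _match_value(operator, ctx_value, wanted)


def statement_matches(stmt, action, resource, ctx):
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_true(op, ctx.get(key), _as_list(wanted))
               for op, keys in stmt.get("Condition", {}).items()
               for key, wanted in keys.items())


def evaluate(policy, action, resource, ctx):
    """'DENY' if any Deny statement matches, else 'ALLOW'. Only the deny guardrail
    is modelled; an Allow for these actions is assumed to exist elsewhere."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and statement_matches(stmt, action, resource, ctx):
            return "DENY"
    return "ALLOW"


if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        for name, ctx in (("tagged", CREATE_TAGGED), ("untagged", CREATE_UNTAGGED)):
            print(label, name, "create:", evaluate(policy, "ec2:CreateVolume", VOLUME_WILDCARD, ctx))
```

The emulation is deliberately small; before deploying the corrected statements, check them against the real evaluator with `aws iam simulate-custom-policy`, passing `ec2:CreateVolume` with a context entry for `aws:RequestTag/project` and `ec2:ModifyVolume` with one for `aws:ResourceTag/project`, so both the create and the existing-resource paths are exercised.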