Restricting Resources to a Specific Region

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

We recommend giving the IAM user linked to Bamboo full EC2 access (the AmazonEC2FullAccess managed policy), as the set of permissions Bamboo requires may change in future releases.

This article shows how to restrict those AWS permissions to a single region instead.

The region is part of the ARN in a statement's Resource field, so a resource-level permission is also a region restriction: you can allow rebooting, starting, stopping and terminating specific EC2 instances, or attaching, deleting and detaching specific EBS (Elastic Block Store) volumes, only in the region named in the ARN. Not every EC2 action supports resource-level permissions, however, and for those actions a region cannot be specified this way.

Below is the list of AWS actions used by Bamboo.

    ec2:AllocateAddress
    ec2:AssociateAddress
    ec2:AttachVolume
    ec2:AuthorizeSecurityGroupIngress
    ec2:CancelSpotInstanceRequests
    ec2:CreateKeyPair
    ec2:CreateSecurityGroup
    ec2:CreateTags
    ec2:CreateVolume
    ec2:DeleteVolume
    ec2:DescribeAddresses
    ec2:DescribeAvailabilityZones
    ec2:DescribeImages
    ec2:DescribeInstances
    ec2:DescribeKeyPairs
    ec2:DescribeRegions
    ec2:DescribeSecurityGroups
    ec2:DescribeSpotInstanceRequests
    ec2:DescribeSpotPriceHistory
    ec2:DescribeSubnets
    ec2:DescribeVolumes
    ec2:DescribeVpcs
    ec2:GetConsoleOutput
    ec2:ModifyInstanceAttribute
    ec2:ReleaseAddress
    ec2:RequestSpotInstances
    ec2:RunInstances
    ec2:TerminateInstances
    s3:GetObject
    s3:ListBucket

Note that not all AWS actions support resource-level permissions. A policy that puts a resource ARN on every API action will cause errors in the Bamboo log. For example, if you attach the following policy to the IAM user or group that Bamboo uses...

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "SorryThisIsNotGoingToWorkAsExpected",
                "Effect": "Allow",
                "Action": ["ec2:*"],
                "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*"
            }
        ]
    }

...Bamboo will log errors like the following:

    2015-08-31 14:58:41.084424500 Caused by: com.amazonaws.AmazonServiceException: You are not authorized to perform this operation. (Service: AmazonEC2; Status Code: 403; Error Code: UnauthorizedOperation; Request ID: f1f95366-98e3-40af-bc66-82d70599ed49)
    2015-08-31 14:58:41.084426500 	at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:1160)
    2015-08-31 14:58:41.084427500 	at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:748)
    2015-08-31 14:58:41.084427500 	at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:467)
    2015-08-31 14:58:41.084428500 	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:302)
    2015-08-31 14:58:41.084429500 	at com.amazonaws.services.ec2.AmazonEC2Client.invoke(AmazonEC2Client.java:11598)
    2015-08-31 14:58:41.084429500 	at com.amazonaws.services.ec2.AmazonEC2Client.describeAccountAttributes(AmazonEC2Client.java:2311)
    2015-08-31 14:58:41.084430500 	at com.amazonaws.services.ec2.AmazonEC2Client.describeAccountAttributes(AmazonEC2Client.java:10246)
    2015-08-31 14:58:41.084434500 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    2015-08-31 14:58:41.084434500 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    2015-08-31 14:58:41.084435500 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    2015-08-31 14:58:41.084435500 	at java.lang.reflect.Method.invoke(Method.java:497)
    2015-08-31 14:58:41.084436500 	at com.atlassian.aws.CallTimingProxy$1.invoke(CallTimingProxy.java:34)
    2015-08-31 14:58:41.084437500 	at com.sun.proxy.$Proxy1412.describeAccountAttributes(Unknown Source)
    2015-08-31 14:58:41.084439500 	at com.atlassian.aws.AWSAccountImpl$2.get(AWSAccountImpl.java:158)
    2015-08-31 14:58:41.084440500 	at com.atlassian.aws.AWSAccountImpl$2.get(AWSAccountImpl.java:154)
    2015-08-31 14:58:41.084440500 	at com.google.common.base.Suppliers$ExpiringMemoizingSupplier.get(Suppliers.java:173)
    2015-08-31 14:58:41.084441500 	at com.atlassian.aws.AWSAccountImpl.getAccountAttributes(AWSAccountImpl.java:324)
    2015-08-31 14:58:41.084441500 	at com.atlassian.bamboo.agent.elastic.server.ElasticFunctionalityFacadeImpl.getVpcsAndSubnets(ElasticFunctionalityFacadeImpl.java:267)
    2015-08-31 14:58:41.084442500 	at com.atlassian.bamboo.agent.elastic.server.ElasticFunctionalityFacadeImpl.ensureSecurityGroupsExist(ElasticFunctionalityFacadeImpl.java:290)
    2015-08-31 14:58:41.084443500 	at com.atlassian.bamboo.agent.elastic.server.ElasticFunctionalityFacadeImpl.startupAgents(ElasticFunctionalityFacadeImpl.java:180)
    2015-08-31 14:58:41.084444500 	... 249 more

This error is returned because not all API actions support resource-level permissions. An action without resource-level support can only be allowed by a statement whose Resource is "*"; a statement that names a specific ARN never matches it, so the request is implicitly denied. The stack trace shows exactly that: the failing call is describeAccountAttributes, an EC2 Describe action (it is not in the list above, but belongs to the same family), and the same applies to ec2:DescribeRegions and the other Describe actions Bamboo uses.

Solution

  • Instead of assigning resource-level permissions to all API actions, grant them only to the actions that support them, and give the remaining actions a Resource of "*". Here is an example:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TheseActionsDontSupportResourceLevelPermissions",
                "Effect": "Allow",
                "Action": ["ec2:Describe*"],
                "Resource": "*"
            },
            {
                "Sid": "TheseActionsSupportResourceLevelPermissions",
                "Effect": "Allow",
                "Action": ["ec2:RunInstances", "ec2:TerminateInstances"],
                "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*"
            }
        ]
    }

  • To check which API actions support resource-level permissions and which do not, see: Granting IAM Users Required Permissions for Amazon EC2 Resources

  • For an in-depth explanation of the topic, see: Demystifying EC2 Resource-Level Permissions
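The two-statement layout above, as an added worked example that is not Atlassian's code: a Python script that builds the region-scoped policy from the action list in this article, plus a deliberately simplified policy evaluator that reproduces why the "ec2:*" policy denies the describeAccountAttributes call in the stack trace while the split policy allows it. The account id 123456789012, the region us-east-1, the function names and the NO_RESOURCE_LEVEL set are assumptions of the example, not values from the article; the evaluator models only wildcard matching, explicit Deny and implicit deny, and ignores Condition keys and other IAM features. It also goes beyond the article's instance/* ARN by scoping to every EC2 resource type in the chosen region, including AMIs.

```python
"""Region-scoped IAM policy for Bamboo's EC2 actions, plus a small checker.

Added example, not Atlassian's code. Account id 123456789012 and region
us-east-1 are placeholders. The evaluator below models only wildcard
action/resource matching, explicit Deny beating Allow, and implicit deny;
it ignores Condition, NotAction and NotResource.
"""
import json
import re

# The actions the article lists as used by Bamboo.
BAMBOO_ACTIONS = [
    "ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:AttachVolume",
    "ec2:AuthorizeSecurityGroupIngress", "ec2:CancelSpotInstanceRequests",
    "ec2:CreateKeyPair", "ec2:CreateSecurityGroup", "ec2:CreateTags",
    "ec2:CreateVolume", "ec2:DeleteVolume", "ec2:DescribeAddresses",
    "ec2:DescribeAvailabilityZones", "ec2:DescribeImages",
    "ec2:DescribeInstances", "ec2:DescribeKeyPairs", "ec2:DescribeRegions",
    "ec2:DescribeSecurityGroups", "ec2:DescribeSpotInstanceRequests",
    "ec2:DescribeSpotPriceHistory", "ec2:DescribeSubnets",
    "ec2:DescribeVolumes", "ec2:DescribeVpcs", "ec2:GetConsoleOutput",
    "ec2:ModifyInstanceAttribute", "ec2:ReleaseAddress",
    "ec2:RequestSpotInstances", "ec2:RunInstances", "ec2:TerminateInstances",
    "s3:GetObject", "s3:ListBucket",
]
# S3 bucket ARNs carry no region, so only the EC2 actions are scoped here.
EC2_ACTIONS = [a for a in BAMBOO_ACTIONS if a.startswith("ec2:")]
# Actions the article says take no resource-level permissions (assumed set;
# extend it from the AWS EC2 IAM reference the article links to).
NO_RESOURCE_LEVEL = ("ec2:Describe*",)


def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0) is not None


def _listify(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, action, resource):
    """Evaluate one request. Actions without resource-level support are
    requested against '*', which only a Resource of '*' can match; that is
    the mismatch behind the UnauthorizedOperation in the article."""
    allowed = False
    for st in policy["Statement"]:
        if not any(_match(a, action, True) for a in _listify(st["Action"])):
            continue
        if not any(_match(r, resource) for r in _listify(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def build_policy(region, account_id, actions, no_resource_level=NO_RESOURCE_LEVEL):
    """Two statements, as in the article's Solution: the no-resource-level
    actions on '*', everything else only on ARNs in the chosen region."""
    scoped = sorted(a for a in actions
                    if not any(_match(p, a, True) for p in no_resource_level))
    non_ec2 = [a for a in scoped if not a.lower().startswith("ec2:")]
    if non_ec2:
        raise ValueError(f"cannot region-scope non-EC2 actions by ARN: {non_ec2}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "NoResourceLevelSupport", "Effect": "Allow",
             "Action": list(no_resource_level), "Resource": "*"},
            {"Sid": "RegionScoped", "Effect": "Allow", "Action": scoped,
             # RunInstances is also authorised against the AMI it launches,
             # and AMI ARNs have an empty account field, hence two patterns.
             "Resource": [f"arn:aws:ec2:{region}:{account_id}:*",
                          f"arn:aws:ec2:{region}::image/*"]},
        ],
    }


def uncovered_actions(policy, actions, region, account_id,
                      no_resource_level=NO_RESOURCE_LEVEL):
    """Actions the policy denies for an in-region request: Describe-style
    actions are probed against '*', the rest against an in-region instance."""
    probe = f"arn:aws:ec2:{region}:{account_id}:instance/i-0123456789abcdef0"
    denied = []
    for a in actions:
        star = any(_match(p, a, True) for p in no_resource_level)
        if not is_allowed(policy, a, "*" if star else probe):
            denied.append(a)
    return denied


# The article's policy that is "not going to work as expected".
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "SorryThisIsNotGoingToWorkAsExpected",
                   "Effect": "Allow", "Action": ["ec2:*"],
                   "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"}],
}

if __name__ == "__main__":
    fixed = build_policy("us-east-1", "123456789012", EC2_ACTIONS)
    print(json.dumps(fixed, indent=2))
    print("broken denies:", uncovered_actions(BROKEN_POLICY, EC2_ACTIONS, "us-east-1", "123456789012"))
    print("fixed denies:", uncovered_actions(fixed, EC2_ACTIONS, "us-east-1", "123456789012"))
    # The call from the article's stack trace, then an out-of-region launch.
    print(is_allowed(BROKEN_POLICY, "ec2:DescribeAccountAttributes", "*"))   # False
    print(is_allowed(fixed, "ec2:RunInstances",
                     "arn:aws:ec2:eu-west-1:123456789012:instance/i-0abc"))  # False
```

Run against the broken policy, uncovered_actions returns exactly the twelve Describe actions from the list, which is the article's failure in miniature; against the built policy it returns nothing, and an in-region RunInstances is allowed while the same call in eu-west-1 is not. Two caveats the article does not spell out: RunInstances is authorised against every resource it touches (the AMI, subnet, security group, key pair and volumes), so the article's instance/* ARN on its own is not enough to launch an elastic agent, which is why the example scopes the whole account namespace and the image namespace in the region; and AWS has since added the aws:RequestedRegion global condition key, which restricts any action to a region through a Condition block even when the action has no resource-level support, and is a simpler alternative where you can use it.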

Updated on April 15, 2025
