
EC2 auto-discovery: emit IAM permission errors as UserTasks#64004

Draft
carlisia wants to merge 2 commits into master from carlisia/ec2-iam-permission-usertasks-pt2

Conversation

@carlisia
Member

Fixes #62828

Changelog: Added UserTask alerts when EC2 auto-discovery fails due to missing IAM permissions (ec2:DescribeInstances, account:ListRegions, or Organizations APIs), enabling users to identify and resolve permission issues through the Web UI.


Test cases

  • Happy path -- full permissions, no permission UserTasks
    • Apply discovery config targeting EC2 instances with your creator tag
    • Wait 2-3 minutes for discovery cycle
    • Verify instances are discovered: dtctl get nodes --format=json | jq '.[]'
    • Verify NO permission-related UserTasks exist: dtctl get user_tasks --format=json | jq '.[] | select(.spec.issue_type | startswith("ec2-perm"))' returns empty
    • Existing SSM-related UserTasks (if any) still have correct issue types
  • Deny ec2:DescribeInstances creates ec2-perm-account-denied UserTask
    • Attach IAM deny policy for ec2:DescribeInstances to the integration role
    • Apply discovery config targeting your region
    • Wait 2-3 minutes for discovery cycle
    • Verify UserTask created with issue_type=ec2-perm-account-denied and region populated
    • Verify discovery service logs contain IAM permission error during EC2 discovery warning with correct context fields
    • Remove deny policy and destroy discovery config before next test
  • Deny account:ListRegions creates ec2-perm-account-denied UserTask
    • Attach IAM deny policy for account:ListRegions to the integration role
    • Apply discovery config with regions = ["*"]
    • Wait 2-3 minutes for discovery cycle
    • Verify UserTask created with issue_type=ec2-perm-account-denied and empty region field
    • Remove deny policy and destroy discovery config before next test
  • Deny Organizations APIs creates ec2-perm-org-denied UserTask (manual -- no Terraform for org matcher)
    • Only if your account is in an AWS Organization
    • Create discovery config with Organization matcher via dtctl create
    • Attach IAM deny policy for organizations:ListRoots, organizations:ListChildren, organizations:ListAccountsForParent
    • Wait 2-3 minutes for discovery cycle
    • Verify UserTask created with issue_type=ec2-perm-org-denied and empty region
    • Remove deny policy and destroy discovery config before next test
  • Partial failures -- instances discovered alongside permission errors (validated by unit tests)
    • Apply discovery config with full permissions
    • Verify instances discovered and no permission UserTasks
    • Add deny policy for ec2:DescribeInstances in a DIFFERENT region (not the one your instances are in)
    • Verify instances from the accessible region are still discovered
    • Verify permission UserTask created for the denied region
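The failure modes these test cases exercise (a denied account:ListRegions producing a task with no region, a denied ec2:DescribeInstances producing a task for that region while other regions are still discovered, and non-IAM errors aborting the cycle), as an added Go illustration that is not code from this PR or from Teleport: the UserTask type, the apiError type, the issue-type constant and the discover loop are all hypothetical stand-ins, and the AWS error codes listed are representative, not exhaustive.

```go
package main

import "errors"

const IssueAccountDenied = "ec2-perm-account-denied" // issue type assumed to match the PR's naming
// UserTask is a simplified stand-in for the alert the PR emits (not Teleport's real type).
type UserTask struct {
	IssueType string
	Region    string // empty when the denied call is not region-scoped
}

type apiError struct{ Code string } // mimics an AWS SDK error carrying the service error code

func (e *apiError) Error() string { return e.Code }
// Representative authorization-failure codes returned by the EC2, Account and Organizations APIs.
var deniedCodes = map[string]bool{"UnauthorizedOperation": true, "AccessDenied": true, "AccessDeniedException": true}

// isPermissionError reports whether err is an IAM authorization failure rather than some other fault.
func isPermissionError(err error) bool {
	var ae *apiError
	return errors.As(err, &ae) && deniedCodes[ae.Code]
}
type listRegionsFn func() ([]string, error)          // stands in for account:ListRegions
type describeFn func(region string) ([]string, error) // stands in for ec2:DescribeInstances

// discover resolves regions, then describes instances per region: a denied ListRegions yields one task with
// no region; a denied DescribeInstances yields a task for that region while other regions are still discovered.
func discover(listRegions listRegionsFn, describe describeFn) ([]string, []UserTask, error) {
	regions, err := listRegions()
	if err != nil {
		if isPermissionError(err) {
			return nil, []UserTask{{IssueType: IssueAccountDenied}}, nil
		}
		return nil, nil, err // non-IAM error: nothing to alert on, abort the cycle
	}
	var found []string
	var tasks []UserTask
	for _, r := range regions {
		ids, err := describe(r)
		switch {
		case err == nil:
			found = append(found, ids...)
		case isPermissionError(err):
			tasks = append(tasks, UserTask{IssueType: IssueAccountDenied, Region: r}) // partial failure
		default:
			return found, tasks, err
		}
	}
	return found, tasks, nil
}
```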


Development

Successfully merging this pull request may close these issues.

Alert users about missing IAM permissions for EC2 auto-discover
