Validating Your Workflows

Updated 6 days ago by Totalcloud

Each workflow needs a unique set of IAM policies depending on the AWS Resources involved and the actions we are trying to perform on them. Validating a workflow helps TotalCloud to figure out whether it has access to the right set of IAM policies and act accordingly.

Validate Workflow

Validate workflow is a process that checks whether the AWS account (keys/role) has enough permissions to fetch AWS resources and perform the actions mentioned in a workflow.

There are two ways to set up permissions so that the workflow runs successfully.

  1. Enough policies to run a workflow, but not enough to let TotalCloud tell you whether you have enough permissions

With this option, the AWS account (keys/role) used in a workflow has just enough permissions to fetch and perform the actions defined in that workflow.

Example:

If you are rebooting a bunch of EC2 instances, the AWS account (keys/role) used should have permissions to perform ec2:describeInstance and ec2:getInstance. However, TotalCloud won't be able to validate whether you have enough permissions to run the workflow, because validation needs to read the policies attached to the AWS account (keys/role). If you run the workflow it will succeed, but TotalCloud cannot tell you whether the right policies are attached. TotalCloud detects this during validation and recommends that you add the policy below to the IAM role or the user created for TotalCloud in AWS.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1560842047971",
      "Effect": "Allow",
      "Action": [
        "ec2:describeinstances",
        "ec2:rebootinstances"
      ],
      "Resource": "*"
    }
  ]
}

  2. Enough policies to run the workflow and also to let TotalCloud tell you whether you have enough permissions to run

With this option, the AWS account (keys/role) used in a workflow has enough permissions to fetch and perform the actions defined in that workflow, and also enough permissions to let TotalCloud read the policies attached to the AWS account. This lets TotalCloud figure out whether the keys/role have the required policies to execute the workflow and give you feedback on whether your permissions are sufficient.

Example:

Let's use the same example of rebooting a bunch of EC2 instances. The AWS account (keys/role) used should have permissions to perform ec2:describeInstance and ec2:getInstance. In this case you can run the workflow, but TotalCloud also needs permissions to tell you whether you have enough permissions to run it. TotalCloud detects this during validation and recommends that you add the policy below to the IAM role or the user created for TotalCloud in AWS.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:describeinstances",
        "ec2:rebootinstances",
        "iam:listAttachedRolePolicies",
        "iam:listAttachedUserPolicies",
        "iam:listAttachedGroupPolicies",
        "iam:listRolePolicies",
        "iam:listUserPolicies",
        "iam:listGroupPolicies",
        "iam:getRolePolicy",
        "iam:getUserPolicy",
        "iam:getGroupPolicy",
        "iam:listGroupsForUser",
        "iam:getUser",
        "iam:getPolicy",
        "iam:getPolicyVersion"
      ],
      "Resource": "*"
    }
  ]
}

Output:

The above permissions allow TotalCloud to get information from AWS whenever a workflow node requests information about a resource or acts on the resource itself.

The workflow will prompt you to add all the essential policies to the IAM role or the user during Validation as shown below.

Click Revalidate to run the workflow successfully. If you continue without validating, the workflow might not function as expected due to lack of permissions.

Each time you validate a workflow, you will create a unique configuration for a particular use case. This provides granularity for you to act on AWS accordingly.
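The following added example (not TotalCloud's own code) shows the logic behind the two outcomes described above: given the policy documents attached to a role, it reports which workflow actions are missing and, separately, which IAM read actions the validator itself would need. The policy documents and the names `VALIDATOR_ACTIONS` and `validate_workflow` are constructed for this illustration.

```python
"""Check whether a set of IAM policy documents grants the actions a workflow
needs, and whether it also grants the IAM read actions a validator needs.

Added illustration, not TotalCloud's code. The policy documents are
constructed inline, standing in for what iam:listAttachedRolePolicies,
iam:getPolicyVersion and iam:getRolePolicy would return for a real role."""
import fnmatch

# IAM read actions a validator needs to inspect a role's policies
# (a subset of the iam:* entries from the second example policy above).
VALIDATOR_ACTIONS = [
    "iam:ListAttachedRolePolicies", "iam:ListRolePolicies", "iam:GetRolePolicy",
    "iam:GetPolicy", "iam:GetPolicyVersion",
]

def _as_list(value):
    # IAM allows "Statement" and "Action" to be a single value or a list.
    return value if isinstance(value, list) else [value]

def allowed_actions(policy_docs):
    """Collect Allow-action patterns and explicit Deny patterns from policy documents."""
    allows, denies = set(), set()
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement", [])):
            target = allows if stmt.get("Effect") == "Allow" else denies
            for action in _as_list(stmt.get("Action", [])):
                target.add(action.lower())  # IAM action names are case-insensitive
    return allows, denies

def _matches(action, patterns):
    # Patterns may contain IAM wildcards such as "ec2:*" or "ec2:Describe*".
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)

def missing_actions(policy_docs, required):
    """Return the required actions not granted (or explicitly denied), in order."""
    allows, denies = allowed_actions(policy_docs)
    return [a for a in required if _matches(a, denies) or not _matches(a, allows)]

def validate_workflow(policy_docs, workflow_actions):
    """Two outcomes: can the workflow run, and can the validator see the policies?"""
    return {
        "workflow_missing": missing_actions(policy_docs, workflow_actions),
        "validator_missing": missing_actions(policy_docs, VALIDATOR_ACTIONS),
    }

# Constructed sample: a role that can reboot EC2 instances but cannot read its own policies.
REBOOT_ONLY = [{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["ec2:describeinstances", "ec2:rebootinstances"], "Resource": "*"}]}]

if __name__ == "__main__":
    print(validate_workflow(REBOOT_ONLY, ["ec2:DescribeInstances", "ec2:RebootInstances"]))
```

With `REBOOT_ONLY` the workflow actions are all granted but every validator action is missing, which is the first option above; adding an `iam:*` Allow statement empties the second list.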
