EC2: "Groups belonging to other users may not be granted permissions to VPC security groups."


I am deploying to EC2 using rubber (following Railscast #347). I have just run "cap rubber:create_staging" and am getting this error:

"Groups belonging to other users may not be granted permissions to VPC security groups."

mike@sleepycat:~/projects/usesthis☺  cap rubber:create_staging
Respawning with 'bundle exec'
    triggering load callbacks
  * 2013-08-19 08:55:19 executing `rubber:init'
  * 2013-08-19 08:55:21 executing `rubber:create_staging'
Hostname to use for staging instance [production]: 
Roles to use for staging instance [apache,app,collectd,common,db:primary=true,elasticsearch,examples,graphite_server,graphite_web,graylog_elasticsearch,graylog_mongodb,graylog_server,graylog_web,haproxy,mongodb,monit,passenger,postgresql,postgresql_master,web,web_tools]: 
  * 2013-08-19 08:55:23 executing `rubber:create'
  * Creating new security group: usesthis_production_default
  * Creating new rule: {"source_group_name"=>"usesthis_production_default", "source_group_account"=>"9050-9101-9552"}
/home/mike/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/excon-0.25.3/lib/excon/middlewares/expects.rb:6:in `response_call': InvalidParameterValue => Groups belonging to other users may not be granted permissions to VPC security groups. (Fog::Compute::AWS::Error)

My account has nothing in it other than Amazon's defaults and what Rubber created. VPCs are: "usesthis_production_default" and "default".

This is my first contact with either Rubber or EC2 so this means very little to me. Can anyone point me in the right direction?


There is 1 best solution below


Since your Security Groups already have a default security group, you won't be able to change it from rubber nor will you be able to sync changes to it. This happened to me because after I set up a new account on AWS, I manually (without the help of rubber) created an EC2 instance. After doing that, a default security group was automatically created for me and I was unable to get rubber to make changes to it from then on.

So - through the AWS security groups console, add SSH to the rules for incoming and outgoing to the default security group. Next, in rubber.yml, comment out the default security group:

security_groups:
#  default:
#    description: The default security group
#    rules:
#      - source_group_name: default
#        source_group_account: "#{cloud_providers.aws.account}"
#      - protocol: tcp
#        from_port: 22
#        to_port: 22
#        source_ips: [0.0.0.0/0]

Next time you create_staging, you'll be prompted whether or not to delete the security group from AWS - choose no. You can avoid the prompt by setting:

prompt_for_security_group_sync: true

to

prompt_for_security_group_sync: false

in rubber.yml

This is what worked for me - not sure what you originally were trying to do but to help those who are trying things out and want to set up a staging environment with rubber, and you come across this issue, try out the above.
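
A check of a rubber.yml `security_groups` section for rules that leave an admin port such as SSH open to every address, as the port 22 / 0.0.0.0/0 rule in the fragment above does. This is an added example, not part of the original answer or of rubber; the `web` group, the admin-port list and the function name are assumptions made for illustration.

```ruby
require "yaml"

# Constructed sample in the layout of the rubber.yml fragment above;
# the "web" group and its ports are made up for illustration.
SAMPLE_RUBBER_YML = <<~'YAML'
  security_groups:
    default:
      description: The default security group
      rules:
        - source_group_name: default
          source_group_account: "#{cloud_providers.aws.account}"
        - protocol: tcp
          from_port: 22
          to_port: 22
          source_ips: [0.0.0.0/0]
    web:
      description: Web tier (hypothetical)
      rules:
        - protocol: tcp
          from_port: 80
          to_port: 80
          source_ips: [0.0.0.0/0]
        - protocol: tcp
          from_port: 5432
          to_port: 5432
          source_ips: [10.0.0.0/8]
YAML

ANY_ADDRESS = ["0.0.0.0/0", "::/0"].freeze
ADMIN_PORTS = [22, 3389].freeze # SSH and RDP; an assumed list, extend as needed

# Returns [group, from_port, to_port] for each rule that exposes an
# admin port to every address. Group-to-group rules carry no source_ips
# and are skipped; a fully commented-out section parses to nil.
def world_open_admin_rules(yaml_text)
  groups = (YAML.safe_load(yaml_text) || {})["security_groups"] || {}
  groups.flat_map do |name, group|
    Array((group || {})["rules"]).map do |rule|
      next unless (Array(rule["source_ips"]) & ANY_ADDRESS).any?
      from, to = rule["from_port"].to_i, rule["to_port"].to_i
      [name, from, to] if ADMIN_PORTS.any? { |port| (from..to).cover?(port) }
    end.compact
  end
end

world_open_admin_rules(SAMPLE_RUBBER_YML).each do |name, from, to|
  puts "#{name}: ports #{from}-#{to} open to any address"
end
```

A group that has been commented out of rubber.yml produces no findings here, because its rules then exist only in the AWS console and have to be reviewed there.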