
More narrowly scope IAM policies
Closed, Public

Authored by jordansanders on Jul 21 2021, 7:14 PM.

Details

Summary

Previously, we granted dagit and daemon AmazonECS_FullAccess. This
enabled them to do everything they needed - and then some.

This more narrowly scopes the policies attached to each.

dagit only needs to be able to describe tasks to check if a run can be
terminated and to terminate it.

daemon needs to be able to describe a number of different things about a
task so that it can register new task definitions and trigger task runs.

Both include passrole permissions borrowed from AmazonECS_FullAccess.

Test Plan

Deploy and launch a pipeline
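A check for the kind of over-broad grant the summary describes, as an added example that is not code from this revision or from the dagster repository. The policy documents are constructed: `BROAD` is a simplified stand-in for a full-access grant (not the text of the AWS managed policy), and the `DAGIT` and `DAEMON` action lists are assumptions based on the needs named in the summary and timeline.

```python
# Added example: lint IAM policy documents for wildcard actions and unscoped iam:PassRole.
# All policy contents are constructed for illustration, not the project's own policies.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def overbroad_findings(policy):
    """Return findings for Allow statements that grant more than named actions."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
        passes_role = any(a.lower() == "iam:passrole" for a in actions)
        # Condition keys are case-insensitive in IAM, so compare lowercased.
        scoped = any(key.lower() == "iam:passedtoservice"
                     for keys in stmt.get("Condition", {}).values() for key in keys)
        if passes_role and "*" in _as_list(stmt.get("Resource", [])) and not scoped:
            findings.append(f"statement {i}: iam:PassRole on * without iam:PassedToService")
    return findings

def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

# PassRole limited to roles handed to ECS tasks (constructed).
PASS_ROLE_TO_ECS_TASKS = {
    "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
    "Condition": {"StringLike": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}},
}
# Stand-in for a full-access grant (constructed).
BROAD = _policy({"Effect": "Allow", "Action": ["ecs:*", "iam:PassRole"], "Resource": "*"})
# dagit: describe a task and stop it (assumed action names).
DAGIT = _policy(
    {"Effect": "Allow", "Action": ["ecs:DescribeTasks", "ecs:StopTask"], "Resource": "*"},
    PASS_ROLE_TO_ECS_TASKS)
# daemon: describe, register task definitions, run tasks (assumed action names).
DAEMON = _policy(
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ecs:DescribeTasks", "ecs:DescribeTaskDefinition",
                "ecs:RegisterTaskDefinition", "ecs:RunTask"]},
    PASS_ROLE_TO_ECS_TASKS)

if __name__ == "__main__":
    for name, doc in (("broad", BROAD), ("dagit", DAGIT), ("daemon", DAEMON)):
        print(name, overbroad_findings(doc) or "ok")
```

The check covers `Action` and `Resource` only; a statement using `NotAction` would need separate handling.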

Diff Detail

Repository
R1 dagster
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

This revision is now accepted and ready to land. Jul 21 2021, 8:04 PM

Do we support termination? Dagit makes that api call if so

This revision now requires changes to proceed. Jul 21 2021, 8:15 PM

Add StopTask permission to dagit and add a sleep to the solid so it's easier to manually test

Remove unnecessary dagit permissions (these were only included because https://dagster.phacility.com/D8978 hasn't landed yet)

Do we support termination? Dagit makes that api call if so

Good catch - added

This revision is now accepted and ready to land. Jul 21 2021, 9:38 PM
This revision was automatically updated to reflect the committed changes.