Page MenuHomeElementl
Differential D8995

More narrowly scope IAM policies
ClosedPublic
Actions

Authored by jordansanders on Jul 21 2021, 7:14 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, May 24, 12:33 AM
Unknown Object (File)
Thu, May 18, 2:14 PM
Unknown Object (File)
Sun, May 14, 8:32 PM
Unknown Object (File)
Apr 22 2023, 9:09 PM
Unknown Object (File)
Mar 17 2023, 10:01 AM
Unknown Object (File)
Mar 15 2023, 5:16 AM
Unknown Object (File)
Mar 15 2023, 5:09 AM
Unknown Object (File)
Mar 15 2023, 5:07 AM
View All 87 Files
Subscribers
None

Details

Reviewers
dgibson
max
johann
Commits
R1:e9ab0a083178: More narrowly scope IAM policies
Summary

Previously, we granted dagit and daemon AmazonECS_FullAccess. This
enabled them to do everything they needed - and then some.

This more narrowly scopes the policies attached to each.

dagit only needs to be able to describe tasks to check if a run can be
terminated and to terminate it.

daemon needs to be able to describe a number of different things about a
task so that it can register new task definitions and trigger task runs.

Both include passrole permissions borrowed from AmazonECS_FullAccess.

Test Plan

Deploy and launch a pipeline

Diff Detail

Repository
R1 dagster
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

jordansanders created this revision.Jul 21 2021, 7:14 PM
Harbormaster completed remote builds in B33994: Diff 41991.Jul 21 2021, 8:03 PM
jordansanders requested review of this revision.Jul 21 2021, 8:03 PM
dgibson accepted this revision.Jul 21 2021, 8:04 PM
This revision is now accepted and ready to land.Jul 21 2021, 8:04 PM
johann requested changes to this revision.Jul 21 2021, 8:15 PM

Do we support termination? Dagit makes that api call if so

This revision now requires changes to proceed.Jul 21 2021, 8:15 PM
jordansanders updated this revision to Diff 42009.Jul 21 2021, 9:22 PM

Add StopTask permission to dagit and add a sleep to the solid so it's easier to manually test

jordansanders updated this revision to Diff 42011.Jul 21 2021, 9:23 PM

Remove unnecessary dagit permissions (these were only included because https://dagster.phacility.com/D8978 hasn't landed yet)

jordansanders updated this revision to Diff 42016.Jul 21 2021, 9:31 PM

rebase

jordansanders added a comment.Jul 21 2021, 9:31 PM

Do we support termination? Dagit makes that api call if so

Good catch - added

johann accepted this revision.Jul 21 2021, 9:38 PM
This revision is now accepted and ready to land.Jul 21 2021, 9:38 PM
Harbormaster completed remote builds in B34012: Diff 42011.Jul 21 2021, 9:49 PM
jordansanders edited the summary of this revision. (Show Details)Jul 21 2021, 9:52 PM
Harbormaster completed remote builds in B34010: Diff 42009.Jul 21 2021, 10:08 PM
Harbormaster completed remote builds in B34016: Diff 42016.Jul 21 2021, 10:15 PM
Closed by commit R1:e9ab0a083178: More narrowly scope IAM policies (authored by jordansanders). · Explain WhyJul 21 2021, 10:28 PM
This revision was automatically updated to reflect the committed changes.
jordansanders added a commit: R1:e9ab0a083178: More narrowly scope IAM policies.

Revision Contents
Changeset List

PathSize
examples/
deploy_ecs/
42 lines
3 lines

Diff 42030

View Options

examples/deploy_ecs/docker-compose.yml

Loading...
View Options

examples/deploy_ecs/repo.py

Loading...