
More narrowly scope IAM policies
ClosedPublic

Authored by jordansanders on Jul 21 2021, 7:14 PM.
Referenced Files
F2770156: D8995.diff
Tue, Jan 31, 12:51 PM

Details

Summary

Previously, we granted dagit and daemon AmazonECS_FullAccess. This
enabled them to do everything they needed - and then some.

This more narrowly scopes the policies attached to each.

dagit only needs to be able to describe tasks to check if a run can be
terminated and to terminate it.

daemon needs to be able to describe a number of different things about a
task so that it can register new task definitions and trigger task runs.

Both include passrole permissions borrowed from AmazonECS_FullAccess.

Test Plan

Deploy and launch a pipeline
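
A least-privilege check for the kind of scoping the summary describes, as an added example that is not code from this revision or from dagster. The per-service allow-lists and both sample policies are assumptions built from the summary's wording; the revision's actual policy documents are not shown on this page.

```python
from fnmatch import fnmatchcase

# Assumed allow-lists inferred from the summary above (lowercased, since IAM
# action names are case-insensitive); not the revision's actual policies.
NEEDED = {
    "dagit": {"ecs:describetasks", "ecs:stoptask", "iam:passrole"},
    "daemon": {"ecs:describetasks", "ecs:describetaskdefinition",
               "ecs:registertaskdefinition", "ecs:runtask", "iam:passrole"},
}

def as_list(value):
    """IAM accepts either one item or a list for Statement and Action."""
    return list(value) if isinstance(value, (list, tuple)) else [value]

def passrole_pinned(stmt):
    """True if a condition block references iam:PassedToService (value unchecked)."""
    return any("iam:passedtoservice" in (key.lower() for key in block)
               for block in stmt.get("Condition", {}).values())

def audit(policy, service):
    """Return (sid, problem) pairs for Allow statements that exceed NEEDED[service]."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt:
            findings.append((sid, "NotAction in an Allow statement"))
        for action in (a.lower() for a in as_list(stmt.get("Action", []))):
            if "*" in action or "?" in action:
                findings.append((sid, f"wildcard action {action}"))
            elif action not in NEEDED[service]:
                findings.append((sid, f"unneeded action {action}"))
            # PassRole, named or matched by a wildcard, must be pinned to a service.
            if fnmatchcase("iam:passrole", action) and not passrole_pinned(stmt):
                findings.append((sid, "iam:PassRole without iam:PassedToService"))
    return findings

# Constructed sample policies: a broad grant and a scoped dagit grant.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Everything", "Effect": "Allow",
     "Action": ["ecs:*", "iam:PassRole"], "Resource": "*"}]}
SCOPED_DAGIT = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Tasks", "Effect": "Allow",
     "Action": ["ecs:DescribeTasks", "ecs:StopTask"], "Resource": "*"},
    {"Sid": "PassRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
     "Condition": {"StringLike": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}}]}

if __name__ == "__main__":
    for name, policy in (("broad", BROAD), ("scoped", SCOPED_DAGIT)):
        print(name, audit(policy, "dagit"))
```

Run against a rendered policy in CI, a non-empty result means a role has drifted beyond the actions its service is expected to call.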

Diff Detail

Repository
R1 dagster
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

This revision is now accepted and ready to land. Jul 21 2021, 8:04 PM

Do we support termination? Dagit makes that api call if so

This revision now requires changes to proceed. Jul 21 2021, 8:15 PM

Add StopTask permission to dagit and add a sleep to the solid so it's easier to manually test

Remove unnecessary dagit permissions (these were only included because https://dagster.phacility.com/D8978 hasn't landed yet)

Do we support termination? Dagit makes that api call if so

Good catch - added

This revision is now accepted and ready to land. Jul 21 2021, 9:38 PM
This revision was automatically updated to reflect the committed changes.