
More narrowly scope IAM policies
Closed, Public

Authored by jordansanders on Jul 21 2021, 7:14 PM.

Details

Summary

Previously, we granted dagit and daemon AmazonECS_FullAccess. This
enabled them to do everything they needed - and then some.

This more narrowly scopes the policies attached to each.

dagit only needs to be able to describe tasks to check if a run can be
terminated and to terminate it.

daemon needs to be able to describe a number of different things about a
task so that it can register new task definitions and trigger task runs.

Both include passrole permissions borrowed from AmazonECS_FullAccess.

Test Plan

Deploy and launch a pipeline
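
An added example, not code from this revision: a small audit that compares an IAM policy document with the actions the summary says dagit needs, flagging wildcards, unneeded or missing actions, and an unconditioned `iam:PassRole`. The action names, both sample policies and the `iam:PassedToService` condition are assumptions constructed from the summary's wording; `BROAD` is a stand-in for broad access, not the text of AmazonECS_FullAccess.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)

def _passrole_scoped(stmt):
    # True when the statement restricts which service the role may be passed to.
    return any(key.lower() == "iam:passedtoservice"
               for operator in stmt.get("Condition", {}).values() for key in operator)

def audit(policy, needed):
    """Compare the Allow statements of an identity policy with the actions a service needs.
    Deny and NotAction statements are out of scope for this sketch."""
    findings, patterns = set(), []
    wanted = {n.lower() for n in needed}
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            low = action.lower()          # IAM action names are case-insensitive
            patterns.append(low)
            if "*" in low or "?" in low:
                findings.add(f"wildcard action: {action}")
            elif low not in wanted:
                findings.add(f"not needed: {action}")
            if fnmatchcase("iam:passrole", low) and not _passrole_scoped(stmt):
                findings.add(f"unscoped iam:PassRole via {action}")
    for name in needed:
        if not any(fnmatchcase(name.lower(), p) for p in patterns):
            findings.add(f"missing: {name}")
    return sorted(findings)

# Constructed inputs. Action lists are assumptions read off the summary, not the diff itself.
DAGIT_NEEDS = {"ecs:DescribeTasks", "ecs:StopTask", "iam:PassRole"}
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecs:*", "iam:PassRole"], "Resource": "*"}]}
DAGIT_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecs:DescribeTasks", "ecs:StopTask"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
     "Condition": {"StringLike": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}}]}

if __name__ == "__main__":
    for label, policy in (("broad", BROAD), ("scoped", DAGIT_SCOPED)):
        print(label, audit(policy, DAGIT_NEEDS))
```

A scoped policy that omits `ecs:StopTask` is reported as `missing: ecs:StopTask`, which is the gap the review thread on this revision raised about termination.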

Diff Detail

Repository: R1 dagster
Branch: jordan-fixup-ecs-permissions (branched from master)
Lint: No Lint Coverage
Unit: No Test Coverage

Event Timeline

This revision is now accepted and ready to land. (Jul 21 2021, 8:04 PM)
johann requested changes to this revision. (Jul 21 2021, 8:15 PM)

Do we support termination? Dagit makes that API call if so.

This revision now requires changes to proceed. (Jul 21 2021, 8:15 PM)

Add StopTask permission to dagit and add a sleep to the solid so it's easier to manually test

Remove unnecessary dagit permissions (these were only included because https://dagster.phacility.com/D8978 hasn't landed yet)

Do we support termination? Dagit makes that API call if so.

Good catch - added

This revision is now accepted and ready to land. (Jul 21 2021, 9:38 PM)
This revision was automatically updated to reflect the committed changes.