IGB / IGBF-2363

Make s3 role more specific to EC2 using it

    Details

    • Type: Task
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels: None

      Description

      Tasks:

      • Modify the role so that it is specific to the S3 bucket that the EC2 will use.
        That is, the permission policy should only apply to the particular bucket that is created in the playbooks. This is to ensure that we can have very liberal permissions in the role without fear of developers accidentally harming each other's S3 buckets.
      • Name the role itself after the EC2 – e.g., the role name should be assigned to {{ ec_name }}.


          Activity

          ann.loraine Ann Loraine added a comment - edited

          Notes: https://github.com/ansible/ansible-modules-core/issues/2009 - iam_policy support for jinja templates
          ann.loraine Ann Loraine added a comment - edited

          Add files containing policies to the templates and files folders in the appstore_s3 role folder.

          New task flow:

          • make bucket
          • block public permission to bucket (added in previous ticket – left "as is")
          • make IAM role for bucket; role is named for the bucket
          • add policy to the IAM role giving full access to the bucket; policy is also named for the bucket
          • include role in EC2 creation task
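The task flow above (bucket, IAM role named for the bucket, policy named for the bucket and scoped to it, role attached at EC2 creation) expressed as the two policy documents an instance role needs, plus a check that the permission policy references nothing outside the bucket. This is an added example and not code from the IGB playbooks or the appstore_s3 role; the naming scheme, the bucket name and the function names are assumptions.

```python
import json

# Constructed example, not the project's playbook code. It mirrors the ticket's
# task flow: bucket -> IAM role named for the bucket -> policy named for the
# bucket, scoped to that bucket only -> role attached to the EC2 instance.


def trust_policy_for_ec2():
    """Trust policy that lets EC2 instances assume the role via an instance profile."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def bucket_policy_document(bucket_name):
    """Permission policy giving full S3 access to exactly one bucket.

    Two resource ARNs are needed: the bucket itself (ListBucket and other
    bucket-level calls) and the objects inside it (Get/Put/DeleteObject).
    Nothing here matches any other bucket, which is the ticket's goal.
    """
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [bucket_arn, f"{bucket_arn}/*"],
        }],
    }


def role_and_policy_names(bucket_name):
    """Role and policy are both named after the bucket (naming scheme assumed)."""
    return f"{bucket_name}-s3-role", f"{bucket_name}-s3-policy"


def resources_outside_bucket(policy, bucket_name):
    """Return resource ARNs in Allow statements that are not the bucket or its
    objects. A non-empty result means the role could touch other buckets."""
    allowed = {f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"}
    out_of_scope = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        out_of_scope.extend(r for r in resources if r not in allowed)
    return out_of_scope


if __name__ == "__main__":
    name = "example-appstore-bucket"  # constructed bucket name
    role_name, policy_name = role_and_policy_names(name)
    doc = bucket_policy_document(name)
    print(role_name, policy_name)
    print(json.dumps(doc, indent=2))
    print("out-of-scope resources:", resources_outside_bucket(doc, name))
    # The overly broad document the ticket wants to move away from.
    broad = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    print("broad policy leaks:", resources_outside_bucket(broad, name))
```

The `resources_outside_bucket` check is the part worth keeping around: run it over the rendered policy template before the playbook attaches it, and any `*` or foreign bucket ARN shows up as a finding instead of silently widening what one developer's instance can reach.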
          ann.loraine Ann Loraine added a comment - edited

          To test, provision a control node within your AWS account.

          Then edit variables files as indicated in the documentation.

          Then, run:

          • ansible-playbook setup.yml

          It should work in any AWS account, with one catch: S3 bucket names have to be unique. If you pick a bucket name that is the same as an existing one, the playbook will fail.

            People

            • Assignee: ann.loraine Ann Loraine
            • Reporter: ann.loraine Ann Loraine
