Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add more IAM Actions based on needs for aibs-informatics-workflows. #8

Merged
merged 2 commits into from
May 30, 2024

Conversation

sheriferson
Copy link
Contributor

Actions added below for services brought up in aibs-informatics-workflows.

I also added a docstring to make explicit that the actions are not complete read/write actions for each service, just based on the things we've needed so far.

I did this as suggested in feedback for https://github.com/AllenInstitute/aibs-informatics-workflows/pull/1, although I am slightly torn on the approach since this means that if we add actions to the read or write lists for a service, all users of that list get the added permissions even if they don't need them, but I get that's a tradeoff between convenience and absolute strictness with provided permissions.

@sheriferson sheriferson requested review from rpmcginty and njmei May 28, 2024 23:53
@@ -78,6 +123,23 @@
"ecr:UntagResource",
]


KMS_READ_ACTIONS = [
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you add constants in alphabetical order?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand that not everything is ordered alphabetically, but it would be helpful if you tried to order. even better if you ordered others by alphabet and type of constant (action lists vs policy variables)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tried to alphabetize and reorganize the file. Let me know if that does what you were requesting.

*KMS_READ_ACTIONS,
*KMS_WRITE_ACTIONS,
]

ECR_FULL_ACCESS_ACTIONS = [*ECR_READ_ACTIONS, *ECR_WRITE_ACTIONS, *ECR_TAGGING_ACTIONS]

ECS_READ_ACTIONS = ["ecs:DescribeContainerInstances"]
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will override what you have specified above

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ack, thanks for catching that. Perfect example of why alphabetization helps.

@@ -78,6 +123,23 @@
"ecr:UntagResource",
]


KMS_READ_ACTIONS = [
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand that not everything is ordered alphabetically, but it would be helpful if you tried to order. even better if you ordered others by alphabet and type of constant (action lists vs policy variables)

@sheriferson sheriferson merged commit 9166d25 into main May 30, 2024
4 checks passed
@sheriferson sheriferson deleted the add_more_iam_actions branch May 30, 2024 17:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants