MAAP-Project / maap-hec-aws


Establish approach to long term access on MCP #90

Closed jjacob7734 closed 1 year ago

jjacob7734 commented 2 years ago

MCP provides two ways to persistently provide access to AWS resources:

Routine programmatic access is preferred for security reasons but we understand this is ahead of the curve for where a lot of legacy systems are at. https://caas.gsfc.nasa.gov/display/GSD1/Using+the+Kion+%28Formerly+CloudTamer%29+API+to+generate+AWS+Keys

Or

For LTAKs: https://caas.gsfc.nasa.gov/display/GSD1/Using+Long-Term+Access+Keys

Definition of Done:

jjacob7734 commented 1 year ago

We will use LTAK. The LTAK consists of a key ID, secret key, and a new role that gives us access to the needed operations on SQS and S3. Access is locked down by CIDR/IP provided from Pleiades ADES-PBS, AWS ADES-K8s, MAAP ADE DIT and OPS, SOAMC factotum hosts. The key never expires, but there is a policy that requires a refresh once per year.
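As an added illustration (not code from this issue or the MAAP project), the Python below builds the CIDR-restricted IAM policy document the comment describes for the LTAK's SQS and S3 operations, mirrors the `aws:SourceIp` check locally, and flags keys older than the yearly refresh window. The CIDRs, ARNs and the specific SQS/S3 actions are assumed placeholders, since the issue names none.

```python
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Assumed values: the issue does not publish the real CIDRs, queue or bucket.
ALLOWED_CIDRS = ["203.0.113.0/24", "198.51.100.17/32"]  # constructed placeholders
SQS_QUEUE_ARN = "arn:aws:sqs:us-west-2:123456789012:example-queue"  # placeholder
S3_BUCKET_ARN = "arn:aws:s3:::example-bucket"                        # placeholder
MAX_KEY_AGE = timedelta(days=365)  # the LTAK never expires; policy requires a yearly refresh


def build_ltak_policy(cidrs, queue_arn, bucket_arn):
    """IAM policy document granting the assumed SQS/S3 actions only from the allowed CIDRs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "SqsAndS3FromTrustedHosts",
            "Effect": "Allow",
            "Action": ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage",
                       "s3:GetObject", "s3:PutObject"],  # assumed set of needed operations
            "Resource": [queue_arn, bucket_arn, bucket_arn + "/*"],
            # aws:SourceIp is the caller's public IP as AWS sees it; calls made through a
            # VPC endpoint carry aws:VpcSourceIp instead and would be denied by this policy.
            "Condition": {"IpAddress": {"aws:SourceIp": list(cidrs)}},
        }],
    }


def source_ip_allowed(source_ip, cidrs):
    """Local mirror of the IpAddress condition: True if source_ip is inside any allowed CIDR."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def keys_due_for_refresh(keys, now, max_age=MAX_KEY_AGE):
    """Return AccessKeyIds whose CreateDate is older than max_age (shape of list-access-keys)."""
    return [k["AccessKeyId"] for k in keys if now - k["CreateDate"] > max_age]


def demo_keys_due():
    """Run the age check over two constructed key records; one is past the yearly window."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    sample_keys = [  # constructed sample records, not real key IDs
        {"AccessKeyId": "AKIAEXAMPLEFRESH0001", "CreateDate": now - timedelta(days=30)},
        {"AccessKeyId": "AKIAEXAMPLESTALE0002", "CreateDate": now - timedelta(days=400)},
    ]
    return keys_due_for_refresh(sample_keys, now)


if __name__ == "__main__":
    print(json.dumps(build_ltak_policy(ALLOWED_CIDRS, SQS_QUEUE_ARN, S3_BUCKET_ARN), indent=2))
    print("keys due for refresh:", demo_keys_due())
```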
