NASA-PDS / registry

PDS Registry provides service and software application necessary for tracking, searching, auditing, locating, and maintaining artifacts within the system. These artifacts can range from data files and label files, schemas, dictionary definitions for objects and elements, services, etc.
https://nasa-pds.github.io/registry
Apache License 2.0

Create IAM Roles for OpenSearch Serverless Authentication #252

Closed sjoshi-jpl closed 7 months ago

sjoshi-jpl commented 11 months ago

Create IAM roles for OpenSearch Serverless Authentication in MCP:

  1. One Lambda Execution Role with AWSLambdaRole and AWSLambdaBasicExecutionRole permissions as well as the following Trust Policy. Model this role after the DUM service IAM role and revise permissions (pds-nucleus-dum-lambda-api-gateway):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "lambda.amazonaws.com",
                    "apigateway.amazonaws.com",
                    "cognito-identity.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
  2. One master read role for all nodes and API read access with Deny All permissions and the following Trust Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": [
                        "us-west-2:<identity-pool-id>"
                    ]
                },
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr": "authenticated"
                }
            }
        }
    ]
}
  3. 12 roles (one for each discipline node) with Deny All permissions and the following Trust Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": [
                        "us-west-2:<identity-pool-id>"
                    ]
                },
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr": "authenticated"
                }
            }
        }
    ]
}

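The two Cognito trust policies above pin each role to one identity pool (the `aud` condition) and to the authenticated flow (the `amr` condition); a federated statement without those conditions could be assumed by identities from any Cognito identity pool. The following is an added check, not part of the registry project's code, that flags federated Cognito statements missing either condition. The sample policy and the `<identity-pool-id>` placeholder are copied from the ticket; the `expected_pool_id` argument is an assumption for the check.

```python
import json

# Constructed sample: the node-role trust policy from the ticket, with the
# ticket's "<identity-pool-id>" placeholder left in place.
NODE_ROLE_TRUST = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "cognito-identity.amazonaws.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"cognito-identity.amazonaws.com:aud": ["us-west-2:<identity-pool-id>"]},
      "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"}
    }
  }]
}
""")


def _as_list(value):
    """IAM allows a scalar or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_cognito_trust(policy, expected_pool_id):
    """Return findings for Allow statements that let Cognito identities assume
    the role without pinning the identity pool and the authenticated flow.
    An empty list means every federated Cognito statement is pinned."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if "cognito-identity.amazonaws.com" not in _as_list(principal.get("Federated", [])):
            continue
        actions = _as_list(stmt.get("Action", []))
        if "sts:AssumeRoleWithWebIdentity" not in actions and "sts:*" not in actions:
            continue
        cond = stmt.get("Condition", {})
        auds = _as_list(cond.get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud", []))
        if not auds:
            findings.append(f"statement {i}: no aud condition, any identity pool can assume the role")
        elif auds != [expected_pool_id]:
            findings.append(f"statement {i}: aud {auds} is not exactly [{expected_pool_id!r}]")
        # The ticket uses ForAnyValue:StringLike; accept the StringEquals form too.
        amr = (cond.get("ForAnyValue:StringLike", {}).get("cognito-identity.amazonaws.com:amr")
               or cond.get("ForAnyValue:StringEquals", {}).get("cognito-identity.amazonaws.com:amr"))
        if "authenticated" not in _as_list(amr or []):
            findings.append(f"statement {i}: amr condition does not require 'authenticated'")
    return findings


if __name__ == "__main__":
    print(check_cognito_trust(NODE_ROLE_TRUST, "us-west-2:<identity-pool-id>") or "trust policy is pinned")
```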
jordanpadams commented 11 months ago

@sjoshi-jpl should the information in this ticket be considered private? Or is it OK to keep here?

jordanpadams commented 8 months ago

@sjoshi-jpl status: Role mapping was not set correctly. MCP has been pinged to update the mapping so we can get moving. If that doesn't work, 😢

jordanpadams commented 8 months ago

@sjoshi-jpl what is the status of this ticket?

sjoshi-jpl commented 7 months ago

> @sjoshi-jpl status: Role mapping was not set correctly. MCP has been pinged to update the mapping so we can get moving. If that doesn't work, 😢

@jordanpadams the role mapping looks correct. Did MCP raise a specific concern about role mapping?

sjoshi-jpl commented 7 months ago

> @sjoshi-jpl what is the status of this ticket?

I have the Terraform created to create IAM roles and policies for MCP. I am currently working with Thomas to test this out for the ECS Task Execution Role. This ticket is actually too broad in scope. Right now, since all testing is in MCP Dev, we really only need 3 roles, which are already created and working. The other roles won't be created until we move to MCP Ops.

Two options:

  1. We can close this ticket for now (since Dev is already functional) and then I create a new ticket when we move to Ops.
  2. Keep this ticket open until all roles are created. I can create the other roles in the Ops account once ECS testing with Thomas is completed.

jordanpadams commented 7 months ago

I think we can close for now and create a new ticket when we need to deploy to ops.