Python API to attach AWS account?

[mrocklin]

We recently added the ability to run Coiled workloads on users' AWS accounts (still in sandbox). The current workflow here is that a user follows documentation to construct an IAM role with the right permissions, and then provides the secret/key of that role in the cloud.coiled.io web interface. This feels like a user experience that will be familiar to folks with some AWS / IT knowledge.

I'm curious if we want to provide a Python API for this as well. This API would use boto locally with whatever credentials the user has on their machine to construct the IAM role, give it the right permissions, request the secret/key, and then ship that to Coiled. It would have to print many things to the screen, have confirmations, and so on to make sure that the user understood what we were doing. For a class of user (I'm thinking mainly of myself here) this would be a more ergnomic experience.

Good idea? Bad idea? cc @necaris

[necaris]

@mrocklin note that right now, if a user has sufficiently privileged AWS credentials, they can just be dropped in to the fields on the account page and everything will be dynamically created on first cluster launch. If you are, for example, the root user on a sub-account for your academic department, this will just work.

It seems like you're you thinking of a sort of "wizard" experience? I also created an internal issue to provide a nicer experience around it in the web UI, so these could be related: https://github.com/coiled/cloud/issues/963

[mrocklin]

Yeah, I'm mostly thinking about the user who isn't comfortable building an IAM role on their own, but you're right that that user will likely be more tolerant to just dropping in an admin role and that users who want a carefully crafted role are more likely to be those who are comfortable with this process. I think that it's still worth thinking about how users provide credentials to different resources (AWS, Azure, Kubernetes) through the Python API, but this can be dropped short term I think.

On Fri, Oct 16, 2020 at 12:42 PM Rami Chowdhury notifications@github.com wrote:

@mrocklin https://github.com/mrocklin note that right now, if a user has sufficiently privileged AWS credentials, they can just be dropped in to the fields on the account page and everything will be dynamically created on first cluster launch. If you are, for example, the root user on a sub-account for your academic department, this will just work.

It seems like you're you thinking of a sort of "wizard" experience? I also created an internal issue to provide a nicer experience around it in the web UI, so these could be related: coiled/cloud#963 https://github.com/coiled/cloud/issues/963

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/coiled/coiled-issues/issues/82#issuecomment-710500750, or unsubscribe https://github.com/notifications/unsubscribe-auth/AACKZTD2R5WCWDVITLHGGGLSLCO33ANCNFSM4SSPRKRA .

[shughes-uk]

Resolved by @ntabris 🥂