cookiecutter-openedx / cookiecutter-openedx-devops

Open edX Tutor on Kubernetes implemented with Terraform
GNU Affero General Public License v3.0
42 stars 17 forks source link

Add Manual IAM Policy Templates to Documentation #25

Closed daniel-milemarker closed 1 year ago

daniel-milemarker commented 2 years ago

Is your feature request related to a problem? Please describe. When creating a new deployment, I must create two new IAM accounts manually. It would be great to know what permissions these accounts need. A Policy template would be nice to have in the documentation.

Describe the solution you'd like Add a Policy template to the documentation.

Describe alternatives you've considered Give it some permissions, let it fail. Give it more. (i.e. trial and error)

lpm0073 commented 2 years ago

The two IAM accounts: what are these for?

daniel-milemarker commented 2 years ago

@lpm0073 In this step https://github.com/lpm0073/cookiecutter-openedx-devops#i-add-your-secret-credentials-to-your-new-repository there are two AWS Keys that must be added but it is not clear what permissions are required.

lpm0073 commented 2 years ago

Guessing that you're referring to this key pair? Thus far I've been manually setting up an IAM account with 'admin' access. that obviously overshoots, but it works. To your point, we could reduce the attack surface by using terraform to automatically generate an IAM profile with the actual, more granular permissions required. It's a non-trivial list, which is why this remains pending. It'd be a great PR.

Screenshot 2022-11-21 at 11 44 22
daniel-milemarker commented 2 years ago

@lpm0073 that makes sense. There is also the SES keys right below that may or may not need SES Full Access. image

I will use Administrator and SESFullAccess for now and can try to work toward identifying what permissions are truly required. CloudTrail over time may give us some details as to what is actually required.

lpm0073 commented 2 years ago

i added the AWS_SES_IAM key pair solely as an example of any misc external service that might be included in your build-deploy workflow and that require credentials. You can disregard, unless you actually intend to connect AWS SES SMTP email service to your open edx installation, in which case the IAM key pair will be created for you automatically as part of the automated AWS SES service setup, and hence you'd just copy-paste them into your repo's repository secrets.