danilop / yas3fs

YAS3FS (Yet Another S3-backed File System) is a Filesystem in Userspace (FUSE) interface to Amazon S3. It was inspired by s3fs but rewritten from scratch to implement a distributed cache synchronized by Amazon SNS notifications. A web console is provided to easily monitor the nodes of a cluster.
http://danilop.github.io/yas3fs
MIT License
643 stars, 98 forks

SNS subscription #57

Open icunningham opened 10 years ago

icunningham commented 10 years ago

Hi - First, may I say: Great work on yas3fs! I have formed some policies to restrict IAM roles suitably so that yas3fs can only access the nominated SNS ARNs, and also used the yas3fs SQS naming convention to restrict its SQS access for specific mounts. It's not perfect, but I do try to restrict as much as possible. In debugging, I notice that when unmounting, yas3fs sends an unsubscribe request to ARN * for SNS under the account, rather than sending a specific unsubscribe for the subscription created on mount. It may be that I'm seeing a mis-reported error, but if not, I wondered if this was for some reason(s) by design? It seems to currently require unsubscribe action permissions to ARN * for the account in question.

-ic

Jud commented 9 years ago

Just ran into this as well. The SNS unsubscribe permission is the only one that can't be tailored to a narrow IAM role.

Jaykah commented 9 years ago

Have encountered this too; I think that ought to be added to the README.

Adding a blanket unsubscribe for the sns resource solves the issue.

```json
{
    "Sid": "yourpolicysid",
    "Effect": "Allow",
    "Action": [
        "sns:Unsubscribe"
    ],
    "Resource": [
        "arn:aws:sns:us-east-1:12345678901234:*"
    ]
}
```
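Added example (not yas3fs code, not from the thread): a minimal IAM-style policy evaluator that checks the mount-time `sns:Subscribe` and the unmount-time `sns:Unsubscribe` against a topic-scoped role and against the same role plus the account-wide statement above. It assumes the unmount call is evaluated against the subscription ARN (topic ARN plus a UUID suffix) rather than the topic ARN, which is what the reporter's observation suggests; account id, topic name and UUID are constructed.

```python
import fnmatch

# Constructed values for this example; none are taken from the issue.
ACCOUNT = "123456789012"
TOPIC_ARN = f"arn:aws:sns:us-east-1:{ACCOUNT}:yas3fs-example"
# SNS subscription ARNs are the topic ARN followed by ":<uuid>" (uuid constructed here).
SUBSCRIPTION_ARN = TOPIC_ARN + ":5a1d0b1e-0000-4000-8000-000000000001"

# The topic-scoped role the reporter describes: only the nominated topic ARN.
NARROW_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["sns:Subscribe", "sns:Unsubscribe"],
     "Resource": [TOPIC_ARN]},
]}
# The same role plus the account-wide sns:Unsubscribe statement from the comment above.
BLANKET_POLICY = {"Statement": NARROW_POLICY["Statement"] + [
    {"Effect": "Allow", "Action": ["sns:Unsubscribe"],
     "Resource": [f"arn:aws:sns:us-east-1:{ACCOUNT}:*"]},
]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, action, resource):
    """Minimal IAM-style evaluation: default deny, explicit Deny wins over Allow.
    Action names are case-insensitive; Action/Resource patterns use '*' and '?'
    wildcards, which fnmatch handles (ARNs contain no '[' so ranges never apply)."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def mount_cycle(policy):
    """Return (subscribe_allowed, unsubscribe_allowed) for one mount/unmount cycle."""
    return (is_allowed(policy, "sns:Subscribe", TOPIC_ARN),
            is_allowed(policy, "sns:Unsubscribe", SUBSCRIPTION_ARN))


if __name__ == "__main__":
    for name, policy in (("topic-scoped", NARROW_POLICY),
                         ("with account-wide Unsubscribe", BLANKET_POLICY)):
        print(name, mount_cycle(policy))  # topic-scoped: (True, False); blanket: (True, True)
```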