kubeflow / testing

Test infrastructure and tooling for Kubeflow.
Apache License 2.0

IAM as Code #848

Closed PatrickXYS closed 3 years ago

PatrickXYS commented 3 years ago

Basically, I think we need to enhance IAM as Code (IAC) to enable third-party users (Kubeflow maintainers) to have ReadOnly access to S3/ECR.

It can also save the Optional-Test-Infra admin the effort of checking account resources back and forth.

So the way I want to move forward:

  1. Define one YAML file, which consists of the maintainers who want to have ReadOnly access to Optional-Test-Infra's S3/ECR.
  2. Create an IAM Group (Console-ReadOnly).
  3. Create a CloudFormation template which creates an IAM user with the pre-defined IAM Group (Console-ReadOnly), and takes a user-defined input parameter: UserName.
  4. Create an AWS Lambda function, triggered by a CodeCommit push, that creates the new IAM user through the CloudFormation template.
  5. A user who is added to the YAML file can, after a few minutes, log into the Optional-Test-Infra account console and check S3/ECR.

Ref:

  1. CFN Template IAM Snippets: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html
  2. CFN Template IAM User: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html
  3. Search IAM: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/sample-templates-services-us-west-2.html#w2ab1c35c58c13c17
  4. CFN Template Parameter: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html

/cc @theofpa @andreyvelich
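As an added illustration of step 3 (this is example code, not a template from the kubeflow/testing repository), the CloudFormation template below creates one IAM user from a `UserName` parameter and places it in an existing read-only group; it assumes the `Console-ReadOnly` group from step 2 already exists in the account, and it generates the initial console password in Secrets Manager rather than passing it through the template, forcing a reset at first login.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Example only (not kubeflow/testing's own template): one read-only console
  user per stack, added to a pre-existing Console-ReadOnly IAM group.

Parameters:
  UserName:
    Type: String
    Description: IAM user name for the maintainer (one stack per user).
    # Restrict to characters IAM accepts so a malformed YAML entry fails early.
    AllowedPattern: "^[A-Za-z0-9+=,.@_-]{1,64}$"
  ReadOnlyGroupName:
    Type: String
    Default: Console-ReadOnly
    Description: >
      Existing IAM group (assumed, created separately in step 2) whose policy
      should grant only read/list actions on S3 and ECR.

Resources:
  # Initial password is generated server-side; it never appears in the
  # template, the CodeCommit repo, or the Lambda that deploys the stack.
  InitialPassword:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub "optional-test-infra/${UserName}/initial-password"
      GenerateSecretString:
        PasswordLength: 24
        ExcludeCharacters: '"@/\'

  MaintainerUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref UserName
      Groups:
        - !Ref ReadOnlyGroupName
      LoginProfile:
        # Dynamic reference resolves the generated secret at deploy time.
        Password: !Sub "{{resolve:secretsmanager:${InitialPassword}}}"
        # Forces the maintainer to pick their own password on first login.
        PasswordResetRequired: true

Outputs:
  InitialPasswordSecretArn:
    Description: Secret the admin hands to the maintainer out of band.
    Value: !Ref InitialPassword
```

Because every stack references the same group by name, the user's permissions stay exactly those of `Console-ReadOnly`; tightening or revoking access is a change to the group's policy (or deleting the user's stack), not a per-user edit.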

PatrickXYS commented 3 years ago

This is not an urgent task, but definitely a bonus point that can make external users happy.

PatrickXYS commented 3 years ago

After a few investigations, it seems like AWS Organizations and the SSO service would be a good fit.

PatrickXYS commented 3 years ago

Maybe we don't have to make the access-granting process fully automated; allowing only Admins to run some pre-defined commands should be fine.

https://docs.aws.amazon.com/cli/latest/reference/iam/update-assume-role-policy.html

PatrickXYS commented 3 years ago

/close

Close in favor of https://github.com/kubeflow/testing/tree/master/aws/Access

k8s-ci-robot commented 3 years ago

@PatrickXYS: Closing this issue.

In response to [this](https://github.com/kubeflow/testing/issues/848#issuecomment-779389350):

> /close
>
> Close in favor of https://github.com/kubeflow/testing/tree/master/aws/Access

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.