Open wullub opened 2 weeks ago
Creating SSO roles can be seen here: https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/adding-a-new-sso-user-role.html
However, it's worth having a think about what we're doing here. This might be more of a modernisation-platform scope where we add this in our bootstrap code and create a role across the MP member accounts? Have a look at how collaborators presently assume a role in a member account and work out from there what's required to create a role scoped to S3.
Created a new s3-upload role, added the requested collaborators, and informed William. Once the collaborators log into their member account (Oasys-development) using the S3 upload role, they must use the URL below to access the bucket.
Since this is cross-account access, they won't be able to see the bucket directly from oasys-development. They must use the URL to upload or list objects. However, they can also upload objects directly using the CLI.
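One way to check that a role policy like the one described in this thread stays limited to upload and list on the artefact bucket, as an added example that is not part of the original thread or the modernisation-platform code. The bucket name comes from the ticket; the allowed action set, the function name `audit_upload_policy` and both sample policies are assumptions constructed for illustration.

```python
# Bucket name is taken from the ticket; everything else is an assumption.
BUCKET_ARN = "arn:aws:s3:::mod-platform-image-artefact-bucket20230203091453221500000001"
# IAM action names are case-insensitive, so compare in lower case.
ALLOWED_ACTIONS = {"s3:putobject", "s3:listbucket"}


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_upload_policy(policy):
    """Return findings for an identity policy; an empty list means upload/list only."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            # Wildcards such as s3:* or s3:Put* are rejected because they are not exact matches.
            if action.lower() not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: action {action} is outside upload/list")
        for resource in _as_list(stmt.get("Resource", [])):
            # Accept only the bucket itself or keys under it; "*" and partial-name wildcards fail.
            if resource != BUCKET_ARN and not resource.startswith(BUCKET_ARN + "/"):
                findings.append(f"statement {i}: resource {resource} is outside the bucket")
    return findings


# Constructed sample policies, not the policies attached to the real role.
TIGHT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
    {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": BUCKET_ARN + "/*"},
]}
LOOSE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": BUCKET_ARN + "/*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
]}

if __name__ == "__main__":
    for name, pol in (("TIGHT", TIGHT), ("LOOSE", LOOSE)):
        print(name, audit_upload_policy(pol) or "ok")
```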
@sukeshreddyg - I'm just reviewing the ticket. A couple of questions:
Has one of the collaborators tested this yet to confirm they are able to use it?
Would you consider adding an update in our documentation somewhere to explain the s3-upload role purpose? (e.g. here)
User Story
As a mod platform customer I need to be able to give collaborators ONLY permissions to upload artifacts to s3 - in particular the mod-platform-image-artefact-bucket20230203091453221500000001 bucket inside core-shared-services-production. So that they can keep giving us software releases for oasys
https://mojdt.slack.com/archives/C01A7QK5VM1/p1724772031490929
Value / Purpose
This is essential for the continuing collaboration with Capita and their software.
Useful Contacts
DSO dev - William Gibbon, Capita collaborator - Carl Last, oasys product manager - Howard Smith
Additional Information
No response
Definition of Done