ministryofjustice / modernisation-platform

A place for the core work of the Modernisation Platform • This repository is defined and managed in Terraform
https://user-guide.modernisation-platform.service.justice.gov.uk
MIT License
679 stars 290 forks

collaborator s3 upload permissions #7800

Open wullub opened 2 weeks ago

wullub commented 2 weeks ago

User Story

As a mod platform customer I need to be able to give collaborators ONLY permissions to upload artifacts to S3, in particular the mod-platform-image-artefact-bucket20230203091453221500000001 bucket inside core-shared-services-production, so that they can keep giving us software releases for OASys.

https://mojdt.slack.com/archives/C01A7QK5VM1/p1724772031490929

Value / Purpose

This is essential for the continuing collaboration with Capita and their software.

Useful Contacts

DSO dev - William Gibbon, Capita collaborator - Carl Last, OASys product manager - Howard Smith

Additional Information

No response

Definition of Done

dms1981 commented 1 week ago

Creating SSO roles can be seen here: https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/adding-a-new-sso-user-role.html

However, it's worth having a think about what we're doing here. This might be more of a modernisation-platform scope where we add this in our bootstrap code and create a role across the MP member accounts? Have a look at how collaborators presently assume a role in a member account and work out from there what's required to create a role scoped to S3.

sukeshreddyg commented 5 days ago

Created a new s3-upload role, added the requested collaborators, and informed William. Once the collaborators log into their member account (Oasys-development) using the S3 upload role, they must use the URL below to access the bucket.

https://eu-west-2.console.aws.amazon.com/s3/buckets/mod-platform-image-artefact-bucket20230203091453221500000001?region=eu-west-2&bucketType=general&tab=objects

Since this is cross-account access, they won't be able to see the bucket directly from oasys-development. They must use the URL to upload or list objects. However, they can also upload objects directly using the CLI.
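The comment above describes an upload-only role in one account (oasys-development) writing into a bucket owned by another (core-shared-services-production). The following is an added example, not code from the modernisation-platform repository: it builds the two policy documents such a setup needs (the role's identity policy and the bucket's resource policy) and runs a simplified IAM-style evaluation to check that the role can list and upload but cannot read, delete, or touch any other bucket. The bucket name is the one from the issue; the role ARN's account id is a placeholder, and the object keys are constructed for the check.

```python
import fnmatch
import json

# Bucket named in the issue. The role ARN is an assumed placeholder: the real
# oasys-development account id is not on the page.
BUCKET = "mod-platform-image-artefact-bucket20230203091453221500000001"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
S3_UPLOAD_ROLE_ARN = "arn:aws:iam::111111111111:role/s3-upload"  # placeholder account id


def upload_only_policy(bucket_arn: str) -> dict:
    """Identity policy for the s3-upload role: list the bucket and write objects, nothing else.

    No s3:GetObject / s3:DeleteObject and no wildcard resource, so the role cannot read
    back or remove what others uploaded, and cannot reach any other bucket.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListBucket", "Effect": "Allow",
             "Action": ["s3:ListBucket"], "Resource": bucket_arn},
            {"Sid": "UploadObjects", "Effect": "Allow",
             "Action": ["s3:PutObject"], "Resource": f"{bucket_arn}/*"},
        ],
    }


def cross_account_bucket_policy(bucket_arn: str, role_arn: str) -> dict:
    """Resource policy on the bucket in core-shared-services-production.

    Cross-account access needs both sides to allow it: the role's identity policy
    (above) and a bucket policy granting the same actions to that role principal.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowUploadRoleList", "Effect": "Allow",
             "Principal": {"AWS": role_arn},
             "Action": "s3:ListBucket", "Resource": bucket_arn},
            {"Sid": "AllowUploadRolePut", "Effect": "Allow",
             "Principal": {"AWS": role_arn},
             "Action": "s3:PutObject", "Resource": f"{bucket_arn}/*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified single-policy IAM evaluation: default deny, an explicit Deny wins,
    otherwise allowed if any Allow statement matches both action and resource.
    Action names are matched case-insensitively; '*' is a wildcard in both fields."""
    decision = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def scope_report(policy: dict, bucket_arn: str) -> dict:
    """Check the role against what it should and should not be able to do."""
    obj = f"{bucket_arn}/oasys/release-1.2.3.zip"        # constructed object key
    other = "arn:aws:s3:::some-other-bucket/secret.txt"  # constructed foreign bucket
    return {
        "list_bucket": is_allowed(policy, "s3:ListBucket", bucket_arn),
        "upload_object": is_allowed(policy, "s3:PutObject", obj),
        "read_object": is_allowed(policy, "s3:GetObject", obj),
        "delete_object": is_allowed(policy, "s3:DeleteObject", obj),
        "upload_elsewhere": is_allowed(policy, "s3:PutObject", other),
    }


if __name__ == "__main__":
    role_policy = upload_only_policy(BUCKET_ARN)
    print(json.dumps(role_policy, indent=2))
    print(json.dumps(cross_account_bucket_policy(BUCKET_ARN, S3_UPLOAD_ROLE_ARN), indent=2))
    for check, allowed in scope_report(role_policy, BUCKET_ARN).items():
        print(f"{check:18s} -> {'allowed' if allowed else 'denied'}")
```

The evaluator looks at one policy at a time and ignores SCPs and permission boundaries, so it is a scope check on the documents, not a substitute for the real AWS evaluation; for the cross-account case both `upload_only_policy` and `cross_account_bucket_policy` have to permit the request. It also shows why the direct bucket URL in the comment is needed: the role is granted nothing on `s3:ListAllMyBuckets` in the bucket's account, so the bucket never appears in the console listing from oasys-development.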

richgreen-moj commented 4 days ago

@sukeshreddyg - I'm just reviewing the ticket. A couple of questions:

  1. Has one of the collaborators tested this yet to confirm they are able to use it?

  2. Would you consider adding an update in our documentation somewhere to explain the s3-upload role's purpose? (e.g. here)