kubeflow/testing

IAM as Code

PatrickXYS opened this issue · 5 comments

Basically, I think we need to enhance IAM as Code (IaC) to enable third-party users (kubeflow maintainers) to have ReadOnly access to S3/ECR.

It can also save the Optional-Test-Infra admin the effort of checking account resources back and forth.

So the way I want to move forward:

  1. Define one YAML file, which lists the maintainers who want to have ReadOnly access to Optional-Test-Infra's S3/ECR.
  2. Create an IAM Group (Console-ReadOnly).
  3. Create a CloudFormation template which creates an IAM user in the pre-defined IAM Group (Console-ReadOnly) and takes a user-defined input parameter: UserName.
  4. Create an AWS Lambda function, triggered by a CodeCommit push, that creates a new IAM user through the CloudFormation template.
  5. A user who is added to the YAML file can, after a few minutes, log into the Optional-Test-Infra account console and check S3/ECR.
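The reconcile step of the Lambda in step 4, as an added example (not code from the issue or the kubeflow/testing repo): it takes the user names from the maintainers YAML of step 1 and plans one CloudFormation stack per user, built from the step 3 template that puts the user in the Console-ReadOnly group. The stack prefix, the template layout and the fact that the YAML has already been parsed into a list are assumptions; the group is assumed to exist (step 2).

```python
import json
import re

READONLY_GROUP = "Console-ReadOnly"   # IAM group from step 2 (assumed to exist already)
STACK_PREFIX = "kf-readonly-"         # one stack per user; the prefix is an assumption
# AWS's documented IAM user-name rule: 1 to 64 ASCII characters from this set
IAM_USER_NAME = re.compile(r"^[\w+=,.@-]{1,64}$", re.ASCII)

# Step 3: template whose only parameter is UserName (layout is an assumption)
USER_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {"UserName": {"Type": "String", "AllowedPattern": r"[\w+=,.@-]{1,64}"}},
    "Resources": {"ReadOnlyUser": {
        "Type": "AWS::IAM::User",
        "Properties": {"UserName": {"Ref": "UserName"}, "Groups": [READONLY_GROUP]},
    }},
}


def stack_name(user):
    """Stack names allow only [A-Za-z0-9-]; map any other user-name character to '-'."""
    return STACK_PREFIX + re.sub(r"[^A-Za-z0-9-]", "-", user)


def reconcile(desired_users, existing_stacks):
    """Plan the CloudFormation calls (method name, kwargs) that make the managed
    IAM users match the YAML list; nothing is executed here."""
    wanted, actions = {}, []
    for user in desired_users:
        if not IAM_USER_NAME.match(user):           # validate before anything reaches IAM
            raise ValueError("invalid IAM user name in YAML: %r" % user)
        name = stack_name(user)
        if wanted.setdefault(name, user) != user:   # distinct names must not share a stack
            raise ValueError("stack name collision: %r vs %r" % (wanted[name], user))
    for name, user in wanted.items():               # duplicates in the YAML collapse here
        if name not in existing_stacks:
            actions.append(("create_stack", {
                "StackName": name,
                "TemplateBody": json.dumps(USER_TEMPLATE),
                "Parameters": [{"ParameterKey": "UserName", "ParameterValue": user}],
                "Capabilities": ["CAPABILITY_NAMED_IAM"],  # required for a named IAM user
            }))
    # Removal from the YAML revokes access; only stacks carrying our prefix are deleted
    for name in existing_stacks:
        if name.startswith(STACK_PREFIX) and name not in wanted:
            actions.append(("delete_stack", {"StackName": name}))
    return actions
```

Each returned pair maps directly onto a boto3 CloudFormation client method (`cfn.create_stack(**kwargs)` / `cfn.delete_stack(**kwargs)`), so the Lambda body is just a loop over the plan.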

Ref:

  1. CFN Template IAM Snippets: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html
  2. CFN Template IAM User: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html
  3. Search IAM: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/sample-templates-services-us-west-2.html#w2ab1c35c58c13c17
  4. CFN Template Parameter: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html

/cc @theofpa @andreyvelich

This is not an urgent task, but definitely, a bonus point that can make external users happy.

After some investigation, it seems like AWS Organizations and the SSO service would be a good fit.

Maybe we don't have to make the access-granting process fully automated; allowing only admins to run some pre-defined command should be fine.

https://docs.aws.amazon.com/cli/latest/reference/iam/update-assume-role-policy.html

@PatrickXYS: Closing this issue.

In response to this:

/close

Close in favor of https://github.com/kubeflow/testing/tree/master/aws/Access
