openfga/helm-charts

Migration job and deployment use the same service account

While the migration job probably needs schema update permissions, it seems like the OpenFGA deployment would only need data select, insert, update and delete permissions.

We'd like to be able to use separate ServiceAccounts and database URIs for the migration job and the deployment; we're using AWS with IAM RDS authentication (Postgres), so we'd want to be able to set PGPASSFILE and define the ServiceAccount externally to line up with the assumed IAM role.

In addition to separating the ServiceAccounts and URLs, we'd also want the ability to specify extra volumes, volume mounts, and environment variables for the migration job.

(I'm willing to bring code)
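
The database side of the split this issue asks for, as an added example (not part of the issue and not code from the openfga/helm-charts project). The database name `openfga`, the schema `public` and the role names `openfga_migrator` and `openfga_runtime` are assumptions, and the runtime grant follows the issue's premise that the deployment only needs select, insert, update and delete.

```sql
-- Constructed names: database "openfga", schema "public",
-- roles "openfga_migrator" (migration job) and "openfga_runtime" (deployment).

-- No passwords are set: both roles log in with RDS IAM authentication tokens.
CREATE ROLE openfga_migrator LOGIN;
CREATE ROLE openfga_runtime  LOGIN;
GRANT rds_iam TO openfga_migrator, openfga_runtime;

-- Close the defaults that every role inherits through PUBLIC.
REVOKE ALL    ON DATABASE openfga FROM PUBLIC;
REVOKE CREATE ON SCHEMA public    FROM PUBLIC;

GRANT CONNECT ON DATABASE openfga TO openfga_migrator, openfga_runtime;

-- Migration job: may create and alter objects in the schema (DDL).
GRANT USAGE, CREATE ON SCHEMA public TO openfga_migrator;

-- Deployment: may resolve objects in the schema but not create any.
GRANT USAGE ON SCHEMA public TO openfga_runtime;

-- Objects the migrator creates in future migrations are granted to the
-- runtime role automatically, with DML only. Run these two statements as
-- openfga_migrator or as a role that is a member of it.
ALTER DEFAULT PRIVILEGES FOR ROLE openfga_migrator IN SCHEMA public
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO openfga_runtime;
ALTER DEFAULT PRIVILEGES FOR ROLE openfga_migrator IN SCHEMA public
    GRANT USAGE, SELECT ON SEQUENCES TO openfga_runtime;

-- Tables that already exist are not covered by default privileges.
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public
    TO openfga_runtime;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO openfga_runtime;

-- Audit query: every table privilege the runtime role holds, for review
-- after each migration.
SELECT table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'openfga_runtime'
ORDER BY table_name, privilege_type;

-- Audit query: whether the runtime role could create objects in the schema.
SELECT has_schema_privilege('openfga_runtime', 'public', 'CREATE')
    AS runtime_can_create;
```

With this split, each IAM role mapped to a ServiceAccount only needs `rds-db:connect` for its own database user, so a compromised deployment pod cannot obtain a token for the migrator role.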