Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow upload package to S3 using the indicated role #405

Closed
tuukkamustonen opened this issue Oct 18, 2016 · 8 comments
Closed

Allow upload package to S3 using the indicated role #405

tuukkamustonen opened this issue Oct 18, 2016 · 8 comments

Comments

@tuukkamustonen
Copy link

tuukkamustonen commented Oct 18, 2016

Looks like Zappa uploads the artifact to S3 as current user instead of using the defined role?

With zappa_settings.json:

{
    "production": {
        "app_function": "linkportal.app",
        "s3_bucket": "musttu-zappa",
        "manage_roles": false,
        "role_name": "my-custom-role"
    }
}
14:09 $ zappa deploy production
Packaging project as zip...
Warning! Your project and virtualenv have the same name! You may want to re-create your venv with a new name, or explicitly define a 'project_name', as this may cause errors.
Uploading linkportal-production-1476788948.zip (7.2MiB)...
  0%|           | 0.00/7.54M [00:00<?, ?B/s]
Failed to upload linkportal-production-1476788948.zip to musttu-zappa/linkportal-production-1476788948.zip: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
Unable to upload to S3. Quitting.

In our corporation, we users have only read-only permissions and we use assume-role to obtain more permissions when we need them.

@Miserlou
Copy link
Owner

The role_name is for the execution role of the remote Zappa function, the local role should be defined your aws credentials.

@Miserlou
Copy link
Owner

@tuukkamustonen
Copy link
Author

@Miserlou Thanks for the pointers. I am a bit lost here, though:

the local role should be defined your aws credentials.

By "local role", do you mean the roles/permissions bound to my user default authorization (determined as [default] in ~/.aws or as AWS_* env variables)? That is exactly the problem here - by default I only have read-only access to AWS. I guess I need to assume other role (with write access to S3 bucket), but in that case I need to know what permissions I need to attach to that role? At least uploading to S3 bucket...?

Also, could you clarify what are attach_policy and assume_policy files in config? If these are specified, will Zappa create them or what will actually happen... or, I didn't think/know that you can assume policies on-the-fly? Or, are attach_policy and assume_policy what is attached to created role if manage_roles is enabled?

@Miserlou
Copy link
Owner

Yeah, your local AWS credentials file. It assumes default by default, but you can specify a different one with "profile_name": "your-profile-name", in your zappa_settings.

You will always need to be able to upload to an S3 bucket to use Zappa, so I think creating the attaching the ability to do that for the local user is outside the scope of Zappa itself, you should simply have an account that has the ability to upload to a location in your code bucket, I don't see why that needs to be dynamic.

Re: the remote policy, discussion is still happening here: #244
If manage_roles is enabled, it will create them, either from the default, or from the user-supplied templates in those settings. That's all for remote settings though.

Make sense? Am I missing something?

@Miserlou
Copy link
Owner

Also possibly relevant: https://github.com/bjinwright/zops

@tuukkamustonen
Copy link
Author

Make sense? Am I missing something?

Yeah, it makes sense. So "local role" (=the default role/user/principal used) must have permissions listed in #244 (comment).

And zappa role (role_name) must have policies presented in #244 (comment). Those are the defaults, so there shouldn't be need to define custom attach_policy and assume_policy. Correct me if wrong.

I guess I got confused by this in bit in readme:

By default, the Zappa client will create and manage the necessary IAM policies and roles to DEPLOY and execute Zappa applications.

While actually Zappa will only create the role/policies needed to execute/run the applications. Deploying is done using credentials that you have active (profile_name).

Did I get it right now?

@Miserlou
Copy link
Owner

Yes. I will update the documentation to clarify that. Sorry for the confusion.

@tuukkamustonen
Copy link
Author

Alright, I think we are done here. Thanks for prompt support!

Miserlou pushed a commit that referenced this issue Oct 18, 2016
kalkehcoisa pushed a commit to kalkehcoisa/Zappa that referenced this issue Jan 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants