Investigate setting "Requester Pays" on the cache S3 bucket #277
Comments
I suspect Fastly could be made to work using something similar to https://docs.fastly.com/en/guides/amazon-s3#using-an-amazon-s3-private-bucket to authenticate requests with foundation-owned credentials.
Suggested pre-rollout plan:
For the actual rollout, I need to look into what options Fastly provides for gradual rollouts of service config changes. If we're fine with short interruptions of service and we're confident in the rollback procedure we could also just globally push the change and monitor (I don't really expect that this change would cause any non-binary issues - it's either it works or it doesn't...). There might be broken pieces to pick up after the fact if other parts of the infra relied on anonymous S3 bucket access, which will break. Channel scripts would be my best guess. We should audit beforehand, but I don't think it's necessarily worth trying to run them against a test environment - we can always fix them after the fact (at a small cost to channel bump latency) or roll back. @zimbatm if you're fine with me leading this I'll need Fastly access. Can you provision this?
Sounds good. I also need to give you access to the Terraform bucket. Once you get Fastly to a point where it's authenticated against S3, we can toggle it on/off with no problem. I'm also going to do an announce on Discourse to warn people of the change.
Initial research using my personal S3/Fastly accounts:
Result: I've got s3://delroth-test-bucket set to Requester Pays + world readable. https://test-bucket.delroth.net/index.html is fronted by Fastly and works fine, authenticated with an IAM user that has no permissions. Direct unauth'd bucket access fails: https://delroth-test-bucket.s3.us-east-1.amazonaws.com/index.html but S3 CLI access works for a user with no permissions. Conclusions:
Draft comms. Feel free to use as is / edit as you want, or I can post it myself if it looks good to you.

Disabling anonymous direct S3 access to the NixOS cache

If you are not maintaining software which uses AWS S3 directly to access the NixOS cache contents, you can stop reading now. This does not impact any access through the cache CDN, e.g. https://cache.nixos.org/ and does not impact Nix/NixOS end-users. The NixOS cache is hosted on Amazon S3 and its contents are publicly readable to anyone. However, any access to the cache currently results in costs to the NixOS Foundation. We've recently noticed that this might be representing a non-trivial portion of the infrastructure costs. As a countermeasure, we will be implementing the following change:
This change will take effect on: 2023-10-XX. Summary of actions required:
I've got the Fastly setup working on cache-staging.nixos.org - next steps:
This issue has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/disabling-anonymous-direct-s3-access-to-the-nixos-cache/34697/1
The NixOS cache S3 bucket is currently publicly accessible. However, the foundation gets charged for any access to that publicly accessible bucket (bandwidth when not accessed from AWS us-east, and ops always). This has the following problems (non-exhaustive list):
AWS supports a feature called "Requester Pays" for public S3 buckets, which charges the cost of the request (bandwidth + ops) to the requester. The requester needs to authenticate their request to the bucket so charges can be accounted properly, but otherwise the contents are still publicly readable.
It's currently unclear whether this can be made to work with Fastly - for example, whether a bucket can be both "Requester Pays" for unknown users, and "Owner Pays" (current config) for certain identities. This would need some digging into AWS docs, or asking someone who knows more about S3 settings :)
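The issue description above and the test result reported earlier in the thread (anonymous direct access fails, while a signed request from an IAM user with no permissions succeeds) both hinge on the same mechanical detail: on a Requester Pays bucket a request must be signed and must carry the `x-amz-request-payer: requester` header, otherwise S3 answers 403 Access Denied. The following is an added example, not code from the NixOS infrastructure or from this issue. It builds such a signed GET from the standard library (no network call is made) and includes a small pre-flight check that reports what a given request is missing; this is the kind of check one could run over the channel scripts mentioned above before the change lands. Bucket name, object key, timestamp and credentials are constructed placeholders.

```python
"""Requester Pays pre-flight: build a SigV4-signed S3 GET that carries the
x-amz-request-payer marker, and check a request for what such a bucket needs.

Added example for this issue; it is not code from the NixOS infra and makes no
network call. Bucket name, object key, timestamp and credentials below are
constructed placeholders.
"""
import datetime
import hashlib
import hmac
from urllib.parse import quote

# Header AWS requires on every request to a Requester Pays bucket.
REQUEST_PAYER_HEADER = "x-amz-request-payer"

# Constructed placeholders, not real credentials or a real bucket.
EXAMPLE_ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"
EXAMPLE_SECRET_KEY = "exampleSecretKeyNotARealKey000000000000"
EXAMPLE_BUCKET = "example-nix-cache"
EXAMPLE_KEY = "nix-cache-info"
EXAMPLE_REGION = "us-east-1"
EXAMPLE_TIME = datetime.datetime(2023, 10, 1, 12, 0, 0, tzinfo=datetime.timezone.utc)


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: HMAC chain over date, region, service, 'aws4_request'."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def anonymous_get(bucket: str, key: str, region: str) -> dict:
    """The kind of request a script makes today against a world-readable bucket."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = "/" + quote(key, safe="/-_.~")
    return {"method": "GET", "url": f"https://{host}{path}", "headers": {"host": host}}


def signed_get(bucket, key, region, access_key, secret_key, now, payer="requester") -> dict:
    """Build a SigV4-signed GET. With payer='requester' the request also carries the
    Requester Pays header, and that header is covered by the signature."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    payload_hash = _sha256_hex(b"")  # a GET has no body
    headers = {"host": host, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    if payer is not None:
        headers[REQUEST_PAYER_HEADER] = payer
    # Canonical request: method, URI, query, sorted headers, signed header list, payload hash.
    path = "/" + quote(key, safe="/-_.~")
    names = sorted(headers)
    signed_headers = ";".join(names)
    canonical_headers = "".join(f"{n}:{headers[n]}\n" for n in names)
    canonical_request = "\n".join(["GET", path, "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode("utf-8"))]
    )
    key_bytes = signing_key(secret_key, date_stamp, region, "s3")
    signature = hmac.new(key_bytes, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return {"method": "GET", "url": f"https://{host}{path}", "headers": headers}


def requester_pays_problems(request: dict) -> list:
    """Reasons a Requester Pays bucket would refuse this request (empty list: none).
    Both conditions follow AWS's documented behaviour: anonymous requests and
    requests without the payer header are rejected with 403 Access Denied."""
    headers = {k.lower(): v for k, v in request["headers"].items()}
    problems = []
    if "authorization" not in headers:
        problems.append("unsigned request: anonymous access is refused on Requester Pays buckets")
    if headers.get(REQUEST_PAYER_HEADER) != "requester":
        problems.append(f"missing '{REQUEST_PAYER_HEADER}: requester' header")
    return problems


def example_request(payer="requester") -> dict:
    """Deterministic signed request over the constructed placeholders above."""
    return signed_get(EXAMPLE_BUCKET, EXAMPLE_KEY, EXAMPLE_REGION,
                      EXAMPLE_ACCESS_KEY, EXAMPLE_SECRET_KEY, EXAMPLE_TIME, payer)


if __name__ == "__main__":
    for name, req in [("anonymous", anonymous_get(EXAMPLE_BUCKET, EXAMPLE_KEY, EXAMPLE_REGION)),
                      ("signed, no payer header", example_request(payer=None)),
                      ("signed + requester pays", example_request())]:
        print(f"{name}: {requester_pays_problems(req) or 'OK'}")
```

The header is part of the signed header set, so a CDN or proxy cannot add or strip it after signing without invalidating the signature; the same header is what the AWS CLI's `--request-payer requester` option adds to its requests. Whether the bucket owner can be exempted from paying for selected identities, as the question above asks, is not something this example settles; it only shows what every caller that is not exempted must send.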