Cloud IAM Permission injection from the config #12

Closed
aktech opened this issue Jul 16, 2020 · 6 comments
Labels
status: stale 🥖 (Not up to date with the default branch - needs update)
type: enhancement 💅🏼 (New feature or request)

Comments

@aktech
Member

aktech commented Jul 16, 2020

Currently there is no way to add cloud IAM permissions to the cluster or pods via the config file:

So for example, if you want to append permissions to this list, you can do that after the project is generated, but then you can auto update the QHub as it will override the custom changes you would make.

https://github.com/Quansight/qhub-ops/blob/e5dd52df558c2c4eb805594b6ae574f12e0986a1/qhub_ops/template/%7B%7B%20cookiecutter.repo_directory%20%7D%7D/infrastructure/gcp.tf#L22

One solution is to create a section in config.yml that adds permission which can be appended to the list.

@costrouc costrouc transferred this issue from Quansight/qhub-ops Aug 18, 2020
@github-actions

This issue has been automatically marked as stale because there was no recent activity in 60 days. Remove the stale label or add a comment, otherwise, this issue will automatically be closed in 7 days if no further activity occurs.

@github-actions github-actions bot added the status: stale 🥖 Not up to date with the default branch - needs update label Jun 10, 2021
@brl0
Contributor

brl0 commented Jun 11, 2021

IIUC, I think this would be useful.

@github-actions github-actions bot removed the status: stale 🥖 Not up to date with the default branch - needs update label Jun 15, 2021
@viniciusdc
Contributor

@aktech @costrouc Have we fixed that within the latest releases?

@viniciusdc viniciusdc added the type: enhancement 💅🏼 New feature or request label Jul 27, 2021
@brl0
Contributor

brl0 commented Jul 27, 2021

No, it hasn't been fixed yet, since we just had to deal with this again on a new deployment. Here is the documentation on what needs to be done following deployment to give IAM users access to the cluster: https://aws.amazon.com/premiumsupport/knowledge-center/eks-kubernetes-object-access-error/

As @aktech suggested, I think a section for adding IAM users in the config file would be great.
Something maybe like:

amazon_web_services:
  # ...
  iam_users:
    - arn:aws:iam::XXXXXXXXXXXX:user/testuser1
    - arn:aws:iam::XXXXXXXXXXXX:user/testuser2

I guess another alternative could be to add a field to the users section:

security:
  # ...
  users:
    example-user:
      primary_group: admin
      secondary_groups:
      - users
      uid: 1000
      arn: arn:aws:iam::XXXXXXXXXXXX:user/testuser1
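
Added example, not part of the original thread and not QHub code: one way a deployment tool could validate the proposed `amazon_web_services.iam_users` list before rendering it as `mapUsers` entries for the EKS `aws-auth` ConfigMap (the mechanism assumed here for granting IAM users cluster access). The function names, the `qhub:iam-users` group, the account allow-list and the ban on `system:masters` are assumptions of this example.

```python
import re

NAME = r"[A-Za-z0-9+=,.@_-]"
# IAM *user* ARNs only: roles, root and wildcards are rejected on purpose.
USER_ARN = re.compile(
    rf"arn:(aws|aws-cn|aws-us-gov):iam::([0-9]{{12}}):user/(?:{NAME}+/)*({NAME}{{1,64}})"
)
# Assumed policy: this config section may never grant cluster-admin.
FORBIDDEN_GROUPS = {"system:masters"}

# `group` is a hypothetical Kubernetes group; its RBAC binding is defined elsewhere.
def build_map_users(config, allowed_accounts, group="qhub:iam-users"):
    """Validate amazon_web_services.iam_users; return aws-auth mapUsers entries."""
    if group in FORBIDDEN_GROUPS:
        raise ValueError(f"refusing to map config users to {group}")
    arns = config.get("amazon_web_services", {}).get("iam_users", [])
    if not isinstance(arns, list):
        # ARNs written without "- " parse as one long string, not a list.
        raise ValueError("iam_users must be a YAML list of ARNs")
    entries, seen = [], set()
    for arn in arns:
        m = USER_ARN.fullmatch(arn) if isinstance(arn, str) else None
        if m is None:
            raise ValueError(f"not an IAM user ARN: {arn!r}")
        if m.group(2) not in allowed_accounts:
            raise ValueError(f"account {m.group(2)} is not allow-listed")
        if arn in seen:
            raise ValueError(f"duplicate entry: {arn}")
        seen.add(arn)
        entries.append({"userarn": arn, "username": m.group(3), "groups": [group]})
    return entries

def render_map_users(entries):
    """Render entries as the YAML text stored under data.mapUsers in aws-auth."""
    lines = []
    for e in entries:
        lines += [f"- userarn: {e['userarn']}", f"  username: {e['username']}", "  groups:"]
        lines += [f"    - {g}" for g in e["groups"]]
    return "\n".join(lines) + "\n"

# Constructed sample: the proposed section after YAML parsing (made-up account ID).
SAMPLE = {"amazon_web_services": {"iam_users": [
    "arn:aws:iam::111122223333:user/testuser1",
    "arn:aws:iam::111122223333:user/ops/testuser2",
]}}

if __name__ == "__main__":
    print(render_map_users(build_map_users(SAMPLE, {"111122223333"})))
```

Because the config file becomes a privilege-granting input once this section exists, the validation runs before anything is written to the cluster, and a rejected entry aborts the whole render rather than being skipped.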

@github-actions

github-actions bot commented Oct 5, 2021

This issue has been automatically marked as stale because there was no recent activity in 60 days. Remove the stale label or add a comment, otherwise, this issue will automatically be closed in 7 days if no further activity occurs.

@github-actions github-actions bot added the status: stale 🥖 Not up to date with the default branch - needs update label Oct 5, 2021
@github-actions

This issue was closed because it has been stalled for 7 days with no activity.
