Rationalize compute permissions and security model #145
Assignees
Comments
lukehoban
added a commit
that referenced
this issue
Oct 26, 2017
We now apply a Role for ECS Tasks using the same policies as our Lambda based compute. We will need to review these default policies per #145, but for now at least all our compute will be consistent on what it can/can't access.
|
Hitting this in the Learning Machine deployment, where we need to give |
|
@lukehoban thanks so much for adding |
|
Unfortunately, there's no fine-grained manage policy that allows |
joeduffy
added a commit
that referenced
this issue
Nov 3, 2017
This change exposes a getLoadBalancer function so that callers can
use it when wiring up other AWS infrastructure. For instance, we
need this in the customer stack to point the CDN at the web stack.
To access it, you can do, for example
import * as cloud from "@pulumi/cloud";
import * as awscloud from "@pulumi/cloud-aws";
let svc = new cloud.Service(...);
let lb = (svc as awscloud).getLoadBalancer();
I've tried to do this in the most elegant way possible, with the
caveat that this of course needs to be revisited as part of
#145 alongside the other similar things.
joeduffy
added a commit
that referenced
this issue
Nov 3, 2017
This change exposes a getLoadBalancer function so that callers can
use it when wiring up other AWS infrastructure. For instance, we
need this in the customer stack to point the CDN at the web stack.
To access it, you can do, for example
import * as cloud from "@pulumi/cloud";
import * as awscloud from "@pulumi/cloud-aws";
let svc = new cloud.Service(...);
let lb = (svc as awscloud).getLoadBalancer();
I've tried to do this in the most elegant way possible, with the
caveat that this of course needs to be revisited as part of
#145 alongside the other similar things.
joeduffy
added a commit
that referenced
this issue
Nov 3, 2017
This change exposes a getLoadBalancer function so that callers can
use it when wiring up other AWS infrastructure. For instance, we
need this in the customer stack to point the CDN at the web stack.
To access it, you can do, for example
import * as cloud from "@pulumi/cloud";
import * as awscloud from "@pulumi/cloud-aws";
let svc = new cloud.Service(...);
let lb = (svc as awscloud).getLoadBalancer();
I've tried to do this in the most elegant way possible, with the
caveat that this of course needs to be revisited as part of
#145 alongside the other similar things.
joeduffy
added a commit
that referenced
this issue
Nov 3, 2017
This change exposes a getLoadBalancer function so that callers can
use it when wiring up other AWS infrastructure. For instance, we
need this in the customer stack to point the CDN at the web stack.
To access it, you can do, for example
import * as cloud from "@pulumi/cloud";
import * as awscloud from "@pulumi/cloud-aws";
let svc = new cloud.Service(...);
let lb = (svc as awscloud).getLoadBalancer();
I've tried to do this in the most elegant way possible, with the
caveat that this of course needs to be revisited as part of
#145 alongside the other similar things.
|
We will likely more broadly re-consider some of the design approaches in this library - but at this point I don't think we need to track this specific issue by itself. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We need to define our security and permissions model both at the general
@pulumi/cloudlevel, and as it needs to be implemented in@pulumi/cloud-aws(and others).Once we do lock things down more by default, we will also need to define how users who know they are on AWS can open up access explicitly through APIs.
The text was updated successfully, but these errors were encountered: