On Mon, Nov 07, 2016 at 08:23:10AM +0000, Marcin Kulisz wrote:
> That's true but there is a bit which makes me quite uncomfortable to be
> precise it's that to do all this stuff from within Debian infra we need to
> keep AWS IAM keys on it with permissions for spinning up and down instances
> etc.
Yes. The keys would need to be associated with a role granted access to the
following API calls:

* Run instance
* Describe instance
* Create volume
* Attach volume
* Create snapshot
* Describe snapshot
* Register AMI
* Terminate instance

I'm not sure what facilities are provided on debian.org machines for managing
access to sensitive material such as IAM credentials in an automated way.

> From my conversation with JEB kind of vision emerged that we could have
> combination of api gateway and lambda listening on the api point and those
> would spin up instance with Pettersson ssh key (public part ofc) and specific
> IAM role on it to allow to do DD and all AWS related dance. Once whole process
> is done it'll just destroy AWS instance and wait for the next build.
> Clean and neat use of "the cloud" I'd say.

My recollection from the sprint is that we agreed that we'd like to build the
images on official Debian infrastructure to the extent possible, which is why I
proposed that workflow. However, I agree that there are alternatives that make
use of some of the other AWS services such as Lambda, KMS, etc.

noah
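As an added example that is not part of this thread (my own illustration, not code from Noah, Marcin or the Debian cloud team): a least-privilege IAM policy document covering exactly the eight API calls listed in the message above, plus a small Python evaluator that reports which actions the policy permits, so the reach of keys stored on Debian infrastructure can be reviewed before they are placed there. The action strings are the real EC2 IAM action names; the Sid values, the trailing Deny statement and the review list are my assumptions.

```python
import fnmatch
import json

# Real EC2 IAM action names for the eight API calls listed in the message.
BUILDER_ACTIONS = [
    "ec2:RunInstances",        # Run instance
    "ec2:DescribeInstances",   # Describe instance
    "ec2:CreateVolume",        # Create volume
    "ec2:AttachVolume",        # Attach volume
    "ec2:CreateSnapshot",      # Create snapshot
    "ec2:DescribeSnapshots",   # Describe snapshot
    "ec2:RegisterImage",       # Register AMI
    "ec2:TerminateInstances",  # Terminate instance
]


def build_policy():
    """Return the least-privilege policy document (Sid values are assumed).

    The second statement is an explicit Deny for every non-EC2 action, so a
    second policy attached to the same role later cannot quietly widen the
    keys' reach into IAM, S3, KMS and so on.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ImageBuilderEc2Only",
                "Effect": "Allow",
                "Action": BUILDER_ACTIONS,
                "Resource": "*",
            },
            {
                "Sid": "DenyEverythingOutsideEc2",
                "Effect": "Deny",
                "NotAction": "ec2:*",
                "Resource": "*",
            },
        ],
    }


def policy_json():
    """The document as it would be pasted into the IAM console or CLI."""
    return json.dumps(build_policy(), indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy, action):
    """Simplified IAM evaluation for a single action.

    Explicit Deny beats Allow, and anything not matched by an Allow is
    implicitly denied. Resource and Condition elements are ignored, which is
    accurate for this policy because it uses "*" resources and no conditions.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if "Action" in stmt:
            hit = any(_matches(p, action) for p in _as_list(stmt["Action"]))
        else:  # NotAction: the statement applies to everything *not* listed
            hit = not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def review(policy, candidate_actions):
    """Return {action: allowed?} so the keys' reach can be checked in review."""
    return {a: is_allowed(policy, a) for a in candidate_actions}


if __name__ == "__main__":
    print(policy_json())
    # Constructed review list: the build steps plus a few actions that keys
    # sitting on a build host must NOT be able to perform.
    extra = ["ec2:DeregisterImage", "ec2:CreateKeyPair",
             "iam:CreateAccessKey", "kms:Decrypt", "s3:GetObject"]
    for action, ok in review(build_policy(), BUILDER_ACTIONS + extra).items():
        print(f"{'ALLOW' if ok else 'deny '}  {action}")
```

Run it with python3; it prints the policy JSON that would be attached to the role the keys belong to, followed by the review table. The evaluator is deliberately minimal (no Resource or Condition handling), which is enough for this policy but would need extending if the Allow statement were later scoped to tagged instances or specific snapshot ARNs.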