On Thu, May 28, 2020 at 02:03:44PM -0000, Andrei Stepanov wrote:
> Hello Fedora infra!
> 
> I am writing to ask for your guidance regarding how to best secure the rights 
> to manage AWS resources within AWS Fedora Federation.
> If you don't mind, could you please help me to understand what the best way 
> to proceed would be?
> 
> I would like to request that I be granted the necessary rights in order to 
> manage AWS resources in a Fedora account.
> So far, I have created an EKS cluster — but unfortunately, I cannot add any 
> compute nodes to it. Also, I can't seem to create other resources, either.
> 
> If it would help, I can provide you with an example:
> 
> ```
> User: arn:aws:sts::125523088429:assumed-role/aws-fedora-ci/astepano is not 
> authorized to perform: eks:TagResource on resource: 
> arn:aws:eks:us-east-1:125523088429:cluster/astepano
> User: arn:aws:sts::125523088429:assumed-role/aws-fedora-ci/astepano is not 
> authorized to perform: eks:CreateNodegroup on resource: 
> arn:aws:eks:us-east-1:125523088429:cluster/astepano
> ```
> 
> Could you please help me to figure out what the best way to proceed is?
> It is very hard to predict which rights are necessary beforehand.
> To give you a little bit of context, for example, I have the rights to manage 
> EKS/EC2 -- but as you can see, AWS denies actions on my EKS cluster.
> Also, for example, it would be good to create a PVC/network to not collide 
> with testing-farm.
> But unfortunately, I do not have the rights to create PVC/network/other 
> resources.
> Also, for some fedora-ci projects EKS is not necessary, ECS/Fargate will be 
> enough.
> I do not have rights to manage ECS/Fargate resources.
> 
> It would help me a lot if you could please suggest a way to fix this problem. 
> I don't think that opening a new ticket for each denial would be the most 
> efficient or best approach — is there another good way that we could handle 
> this?
> I appreciate your insight.

Well, I think it would be good to explain what you are trying to do
first. I'm guessing set up an EKS cluster for some purpose? 

We do have some policy already for that as testing-farm has been working
on that. Things like pvc/networks we typically create for you instead of
granting everyone ability to do that. :) 

I guess the best way forward is to have a ticket (which you already have
done) and then explain what all you are trying to do/need, and then I
find it best to set up a time to work on it interactively and get the
permissions tuned to what you need to do. That goes much better than
back and forth in a ticket or filing a bunch of tickets, IMHO. 

Also, it would be good to know your deadlines, as I am not sure how much
time I can devote to this over the coming few weeks, since our
datacenter move is coming up and I am spending all my time on that. 

Let us know and we can sort out how best to help you... 

Hope that makes sense. 

kevin
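
An added example, not part of the original thread and not Fedora infrastructure's own tooling: one way to collect a batch of denials like the two quoted above into a single draft policy that an administrator can review and tighten, rather than handling each denial separately. The function names are hypothetical, and the sample input is the two quoted errors re-joined onto single lines.

```python
import json
import re
from collections import defaultdict

# Constructed sample: the two denials quoted in the mail, each re-joined onto one line.
SAMPLE_DENIALS = (
    "User: arn:aws:sts::125523088429:assumed-role/aws-fedora-ci/astepano is not "
    "authorized to perform: eks:TagResource on resource: "
    "arn:aws:eks:us-east-1:125523088429:cluster/astepano\n"
    "User: arn:aws:sts::125523088429:assumed-role/aws-fedora-ci/astepano is not "
    "authorized to perform: eks:CreateNodegroup on resource: "
    "arn:aws:eks:us-east-1:125523088429:cluster/astepano\n"
)

DENIAL_RE = re.compile(
    r"User:\s*(?P<principal>arn:aws:\S+)\s+is not authorized to perform:\s*"
    r"(?P<action>[a-z0-9-]+:[A-Za-z0-9*]+)"
    r"(?:\s+on resource:\s*(?P<resource>arn:aws:\S+))?"
)

def parse_denials(text):
    """Return sorted unique (principal, action, resource) tuples from pasted errors."""
    # Drop mail quote markers, then undo line wrapping by collapsing whitespace.
    unquoted = re.sub(r"^\s*(?:>\s?)+", "", text, flags=re.MULTILINE)
    flat = " ".join(unquoted.split())
    found = set()
    for m in DENIAL_RE.finditer(flat):
        # A denial without a resource clause is recorded against "*".
        resource = (m.group("resource") or "*").rstrip(".,;")
        found.add((m.group("principal"), m.group("action"), resource))
    return sorted(found)

def build_policy(denials):
    """Group the denied actions by resource into a draft IAM policy document."""
    by_resource = defaultdict(set)
    for _principal, action, resource in denials:
        by_resource[resource].add(action)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
            for resource, actions in sorted(by_resource.items())
        ],
    }

if __name__ == "__main__":
    print(json.dumps(build_policy(parse_denials(SAMPLE_DENIALS)), indent=2))
```

The output is a draft for review only: it lists exactly the actions that were denied, scoped to the resources named in the errors, and nothing broader.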
