#8325 Please provide DescribeSnapshotAttribute permission for FCOS
Closed: Fixed 4 years ago by kevin. Opened 4 years ago by jlebon.

This is a follow-up to https://pagure.io/fedora-infrastructure/issue/8064. We need the DescribeSnapshotAttribute permission in order to correctly copy snapshot permissions when replicating across regions. See https://github.com/coreos/mantle/pull/1112 for details.


(As in #8064, ideally attached to the existing fcos-builds-* IAM accounts.)

Once we do that we can then just ask infra to verify it matches what we have in those files and to report any differences.

Can you verify that the policy for the fcos-builds-* IAM accounts matches https://raw.githubusercontent.com/coreos/fedora-coreos-pipeline/master/docs/aws-iam-policies/prod-account/fcos-upload-amis ?

I don't have perms to do this one

And that the prod-account-match-fcos-builds-bot group policy matches https://github.com/coreos/fedora-coreos-pipeline/blob/master/docs/aws-iam-policies/community-account/prod-account-match-fcos-upload-amis ?

But I can do this one since it's in the community account. Done!

I'll try and do this one this week...

Metadata Update from @kevin:
- Issue assigned to kevin
- Issue priority set to: Waiting on Assignee (was: Needs Review)

4 years ago

Can you verify that the policy for the fcos-builds-* IAM accounts matches https://raw.githubusercontent.com/coreos/fedora-coreos-pipeline/master/docs/aws-iam-policies/prod-account/fcos-upload-amis ?

There was one permission there that was not in the current policy:

ec2:DescribeSnapshotAttribute

(as expected).

I have added it and they are now both identical!

:briefcase:

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago
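Added example, not part of the ticket and not code from the FCOS or Fedora infrastructure projects: one way to do the check requested above, comparing a documented IAM policy against the deployed one and reporting the differences regardless of how the statements are laid out. The two policy documents are constructed samples (not the real fcos-upload-amis policy), the function names are hypothetical, and wildcard actions are compared as written rather than expanded.

```python
import json

def as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value or [])

def grants(policy_json):
    """Flatten a policy document into a set of (effect, action, resource)."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    out = set()
    for st in statements:
        # Refuse constructs this flattening cannot model, so the comparison
        # never reports "identical" for a policy it did not understand.
        unsupported = {"NotAction", "NotResource", "Condition"} & st.keys()
        if unsupported:
            raise ValueError(f"unsupported statement keys: {sorted(unsupported)}")
        for action in as_list(st.get("Action")):
            for resource in as_list(st.get("Resource")):
                # Action names are case-insensitive; resources are kept as written.
                out.add((st["Effect"], action.lower(), resource))
    return out

def policy_drift(documented_json, deployed_json):
    """Return what the deployed policy lacks and what it grants beyond the docs."""
    documented, deployed = grants(documented_json), grants(deployed_json)
    return {
        "missing_from_deployed": sorted(documented - deployed),
        "extra_in_deployed": sorted(deployed - documented),
    }

# Constructed sample documents, NOT the real fcos-upload-amis policy.
DOCUMENTED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:CopySnapshot", "ec2:DescribeSnapshots",
               "ec2:DescribeSnapshotAttribute", "ec2:ModifySnapshotAttribute"]}]})
DEPLOYED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": "ec2:CopySnapshot"},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:describesnapshots", "ec2:ModifySnapshotAttribute"]}]})

if __name__ == "__main__":
    print(json.dumps(policy_drift(DOCUMENTED, DEPLOYED), indent=2))
```

An empty `extra_in_deployed` list matters as much as an empty `missing_from_deployed` one: it shows the account holds nothing beyond what the repository documents.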
