This is a follow-up to https://pagure.io/fedora-infrastructure/issue/8064. We need the DescribeSnapshotAttribute permission in order to correctly copy snapshot permissions when replicating across regions. See https://github.com/coreos/mantle/pull/1112 for details.
DescribeSnapshotAttribute
(As in #8064, ideally attached to the existing fcos-builds-* IAM accounts.)
can we update the definitions we have over here: https://github.com/coreos/fedora-coreos-pipeline/tree/master/docs/aws-iam-policies ?
once we do that we can then just ask infra to verify it matches what we have in those files and to report any differences.
OK, done!
Can you verify that the policy for the fcos-builds-* IAM accounts match https://raw.githubusercontent.com/coreos/fedora-coreos-pipeline/master/docs/aws-iam-policies/prod-account/fcos-upload-amis ?
fcos-builds-*
And that the prod-account-match-fcos-builds-bot group policy matches https://github.com/coreos/fedora-coreos-pipeline/blob/master/docs/aws-iam-policies/community-account/prod-account-match-fcos-upload-amis ?
prod-account-match-fcos-builds-bot
Thanks!
I don't have perms to do this one
But I can do this one since it's in the community account. Done!
I'll try and do this one this week...
Metadata Update from @kevin: - Issue assigned to kevin - Issue priority set to: Waiting on Assignee (was: Needs Review)
There was one permission there that was not in the current policy:
ec2:DescribeSnapshotAttribute
(as expected).
I have added it and they are now both identical!
:briefcase:
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.