#9311 aws: fedora-ci access to s3 bucket request
Opened 8 days ago by astepano. Modified 7 days ago

Good day.

In the context of the fedora-ci initiative, may we ask to have access to an S3 bucket, please?
Currently we are deploying pipelines on AWS EKS: https://osci-jenkins-1.ci.fedoraproject.org/
We need to store artifacts and logs with an easy way of maintenance.

I see there are two ways:

  1. Allow the user/fedora-ci-osci token to create S3 buckets on demand. This would be the preferable solution. From our side I promise to follow resource-tagging conventions. This approach would allow us to define the necessary access rules to the resources.

  2. Create a bucket, with name fedora-ci-osci-01, that can be written from our aws-fedora-ci-resources, and RO for public.

I tried to create an S3 bucket:

  1. web console with my credentials: aws-fedora-ci/astepano -> access denied
  2. with the token, using the CLI:
aws sts get-caller-identity
    "Arn": "arn:aws:iam::125523088429:user/fedora-ci-osci"
aws s3 mb s3://osci-01
make_bucket failed: s3://osci-01 An error occurred (AccessDenied) when calling the CreateBucket operation: Access Denied

or

aws s3api create-bucket --bucket osci-01 --region us-east-1
An error occurred (AccessDenied) when calling the CreateBucket operation: Access Denied

No strict timeline. The earlier, the better. This would help us improve pipelines for fedora-ci testing.


Metadata Update from @kevin:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: medium-gain, medium-trouble, ops

8 days ago

So, we already set this up a while back with a bucket named 'fedora-ci-bucket'

Can you just use that one? or would you like a fedora-ci-osci-01 one?

Good day.

It seems the bucket is empty:

aws s3 ls s3://fedora-ci-bucket --recursive

aws s3 cp readme s3://fedora-ci-bucket/
upload: ./readme to s3://fedora-ci-bucket/readme

I cannot find who exactly requested that bucket. Google search doesn't help:

site:pagure.io 'fedora-ci-bucket'

If it is OK to use it, sure, we can use it.

I tried to upload a file with public read access. But it fails:

~ aws s3api put-object-acl --bucket fedora-ci-bucket --key readme --acl public-read
An error occurred (AccessDenied) when calling the PutObjectAcl operation: Access Denied

~ aws s3 rm s3://fedora-ci-bucket/readme
delete: s3://fedora-ci-bucket/readme

~ aws s3 cp readme s3://fedora-ci-bucket/ --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
upload failed: ./readme to s3://fedora-ci-bucket/readme An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

It seems we cannot put public data.

Also, I am not a very confident AWS user; how do we upload files to fedora-ci-bucket from fedora-ci resources? Is there a way to do this without a token? The point is: the token I have has the power to modify all AWS resources, which is not safe.

Thank you for help.

I can add those perms to it. I thought it had s3* set on it for your role...

We could make another user/token with just s3 access if you like?

> We could make another user/token with just s3 access if you like?

If this is the right way to upload files from CI pipelines, then yes, could you please create a token with limited access to the S3 bucket, so we can use that token for managing S3 files.

> I can add those perms to it. I thought it had s3* set on it for your role...

Please, if possible.

Thank you very much for helping, I appreciate your help.
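The two requests in this thread, a CI token that can touch only the S3 bucket rather than "all AWS resources", and a way to serve objects read-only to the public, can be met with two small policy documents. What follows is an added example written for this page; it is not code or policy from the ticket, from Fedora infrastructure, or from kevin's comment. It assumes the bucket name `fedora-ci-bucket` from the thread; the key prefix `osci/` and the IAM user name `fedora-ci-osci-s3` are hypothetical. The script also keeps the broad `s3:*` on `*` shape kevin mentions ("s3* set on it") next to the scoped policy and runs a small wildcard check over both, so the difference is visible rather than just asserted. It does not explain why `PutObjectAcl` was denied in the thread; one possibility (an assumption, not established here) is S3 Block Public Access, which rejects public object ACLs regardless of IAM permissions. Granting public read through a bucket policy sidesteps that: the CI token then never needs `s3:PutObjectAcl` or `--grants` at all.

```python
"""Least-privilege S3 access for a CI token, as IAM policy JSON.

Added example for the fedora-ci bucket ticket; not Fedora infra's own policy.
Assumptions: bucket 'fedora-ci-bucket' (from the thread); prefix 'osci/' and
IAM user 'fedora-ci-osci-s3' are hypothetical names chosen for illustration.
"""
import json

BUCKET = "fedora-ci-bucket"   # bucket name taken from the ticket
PREFIX = "osci/"              # hypothetical: confine the pipeline to one prefix

# The "s3* on everything" shape the thread mentions: any bucket in the account,
# every S3 action, including deleting or re-ACLing buckets the CI never touches.
BROAD_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllS3", "Effect": "Allow",
                   "Action": "s3:*", "Resource": "*"}],
}


def ci_user_policy(bucket: str = BUCKET, prefix: str = PREFIX) -> dict:
    """Identity policy for the CI token: list and manage objects under one prefix only.

    No s3:PutObjectAcl and no bucket-level write: public read is granted by the
    bucket policy below, so the token cannot make anything else public.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOnlyThisPrefix",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": bucket_arn,
                # ListBucket is bucket-scoped; restrict it to the prefix via condition.
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
            {
                "Sid": "ManageObjectsUnderPrefix",
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
                "Resource": f"{bucket_arn}/{prefix}*",
            },
        ],
    }


def public_read_bucket_policy(bucket: str = BUCKET, prefix: str = PREFIX) -> dict:
    """Bucket policy: anonymous GetObject under the prefix, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicReadUnderPrefix",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
        }],
    }


def check_least_privilege(policy: dict) -> list:
    """Return a finding per Allow statement that uses a wildcard action,
    a non-S3 action, or a resource not pinned to an S3 ARN."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "?")
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for action in actions:
            if action == "*" or action.endswith(":*") or not action.startswith("s3:"):
                findings.append(f"{sid}: overly broad or non-S3 action {action}")
        for res in resources:
            if res == "*" or not res.startswith("arn:aws:s3:::"):
                findings.append(f"{sid}: resource not scoped to an S3 ARN: {res}")
    return findings


if __name__ == "__main__":
    for name, pol in (("broad", BROAD_S3_POLICY), ("ci-user", ci_user_policy()),
                      ("bucket", public_read_bucket_policy())):
        print(f"# {name}: findings = {check_least_privilege(pol) or 'none'}")
        print(json.dumps(pol, indent=2))
```

To apply the output with the CLI already used in the thread, save each document to a file and run `aws iam put-user-policy --user-name fedora-ci-osci-s3 --policy-name fedora-ci-s3-objects --policy-document file://ci-user.json` for the new S3-only user, and `aws s3api put-bucket-policy --bucket fedora-ci-bucket --policy file://bucket.json` for the public-read grant; the latter is only accepted if the bucket's Block Public Access settings allow public bucket policies. Since the pipelines run on EKS, the static token can be avoided entirely by attaching the same identity policy to an IAM role used by the Jenkins service account (IAM roles for service accounts), which is outside what the ticket asked for but removes the long-lived credential the thread is worried about.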
