This repository has been archived by the owner on Dec 16, 2024. It is now read-only.

Some IAM fixes that I found necessary to add / reinstate to get the toolkit working #7

Open
Analect opened this issue May 19, 2023 · 0 comments

@Analect

Analect commented May 19, 2023

Describe the bug
Certain permissions are missing from iam.tf. It seems this PR tightened permissions available to different roles. However, I found in order to get things working, I need to reinstate some of these. I was using the deployment-scripts/quick-deploy.sh approach (rather than CodePipeline or Github Actions approaches).

To Reproduce
Steps to reproduce the behavior:

  1. Run bash deployment-scripts/quick-deploy.sh
  2. Initially I was getting Terraform errors akin to those raised over on this data-toolkit issue.
  3. With that fix in place, the CodePipeline was failing at various points due to access-denied in various different roles, depending on which part of the pipeline you were on.

Expected behavior
That the job would run through without issue.

Additional context

These were changes I had to make back to the iam.tf file:

# under `sagemaker_role_policy`, I added these back in, since otherwise it wasn't allowing training/inference files to be pushed back to S3.
"s3:Get*",
"s3:List*",
"s3:PutObject",
"s3:DeleteObject",

# under the `codepipeline_policy_document`, I added these back, as otherwise the pipeline wasn't instantiating, again because of S3 permission issues.
"s3:Get*",
"s3:Put*",
"s3:List*"

I needed to add a Lambda and StepFunction section (also under the `codepipeline_policy_document`) ... for the Step Function part to work. These are hard-coded in for now, so I could get things working.

  statement {
    sid = "Lambda"

    actions = [
      "lambda:InvokeFunction"
    ]

    resources = [
      "arn:aws:lambda:eu-west-1:<account-id>:function:*"
    ]
  }

  statement {
    sid = "StepFunction"

    actions = [
      "states:StartExecution",
      "states:DescribeStateMachine",
      "states:DescribeExecution"
    ]

    resources = [
      "arn:aws:states:eu-west-1:<account-id>:stateMachine:ml-core-development-training-step-function",
      "arn:aws:states:eu-west-1:<account-id>:stateMachine:ml-core-development-inference-step-function",
      "arn:aws:states:eu-west-1:<account-id>:execution:ml-core-development-training-step-function:*",
      "arn:aws:states:eu-west-1:<account-id>:execution:ml-core-development-inference-step-function:*"
    ]
  }
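The statements above hard-code the region and account id and grant `s3:Get*`/`s3:Put*`/`s3:List*` with no resource scope. The following is an added example, not the toolkit's `iam.tf` and not the reporter's code: the same two statements, plus the S3 grant the reporter reinstated, rewritten so that the account id and region come from Terraform data sources and each resource ARN is scoped. It assumes two inputs that the toolkit may not have under these names, `var.name_prefix` (the `ml-core-development` part of the state machine names) and `var.artifact_bucket` (the CodePipeline artifact store), and assumes AWS provider 5.x, where `data.aws_region.current.name` is the region attribute.

```hcl
# Added example (not the toolkit's own iam.tf): scoped CodePipeline policy.
# Assumed variables: var.name_prefix (e.g. "ml-core-development") and
# var.artifact_bucket (the pipeline's S3 artifact store). Assumes AWS provider 5.x.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id
  region     = data.aws_region.current.name

  # The two state machines named in the issue, derived from the prefix.
  step_functions = [
    "${var.name_prefix}-training-step-function",
    "${var.name_prefix}-inference-step-function",
  ]
}

data "aws_iam_policy_document" "codepipeline_policy_document" {
  # Artifact store access, limited to one bucket instead of s3:Get*/Put*/List* on "*".
  statement {
    sid = "ArtifactBucket"
    actions = [
      "s3:GetObject",
      "s3:GetObjectVersion",
      "s3:GetBucketVersioning",
      "s3:PutObject",
      "s3:ListBucket",
    ]
    resources = [
      "arn:aws:s3:::${var.artifact_bucket}",
      "arn:aws:s3:::${var.artifact_bucket}/*",
    ]
  }

  # Lambda invoke actions in the pipeline; scoped to functions sharing the prefix
  # rather than "function:*" (assumption: the toolkit's functions use the prefix).
  statement {
    sid     = "Lambda"
    actions = ["lambda:InvokeFunction"]
    resources = [
      "arn:aws:lambda:${local.region}:${local.account_id}:function:${var.name_prefix}-*",
    ]
  }

  # Step Functions invoke action: start and poll the two named state machines.
  statement {
    sid = "StepFunction"
    actions = [
      "states:StartExecution",
      "states:DescribeStateMachine",
      "states:DescribeExecution",
    ]
    resources = concat(
      [for sm in local.step_functions :
        "arn:aws:states:${local.region}:${local.account_id}:stateMachine:${sm}"],
      [for sm in local.step_functions :
        "arn:aws:states:${local.region}:${local.account_id}:execution:${sm}:*"],
    )
  }
}
```

Running `terraform plan` against this after wiring the document into the existing `aws_iam_role_policy` shows the rendered ARNs with the real account id and region, which is the quickest way to check that the names match the state machines the pipeline actually starts; if a stage still fails with AccessDenied, the CloudTrail event for the denied call names the exact action and resource to add, which is a safer fix than widening back to `*`.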