Add a cross account role to fetch S3 uploads #1319

Merged
merged 8 commits into from
Aug 15, 2023


mdial89f
Collaborator

@mdial89f mdial89f commented Jul 24, 2023

Story: Part of https://qmacbis.atlassian.net/browse/OY2-24549
Endpoint: https://d1hhfhcvoh41d3.cloudfront.net/

Details

This changeset adds a new service (cross-acct) that creates a single IAM role. This role is trusted to be assumed by the platform acct, and will be used to fetch S3 uploads cross acct.

Changes

  • New cross-acct service
  • Creates a single IAM role
  • IAM role allows s3:getObject on the uploadsBucket
  • the IAM role's trust policy trusts the corresponding platform acct (dev trusts dev, impl trusts impl...)

Implementation Notes

  • This service can be deployed by dev branches, but to save unneeded cost and time I added a guard in deploy.sh which makes it so it will only deploy for develop, master, and production branches.

Test Plan

None.

@github-actions

Endpoint URL - https://d1hhfhcvoh41d3.cloudfront.net

@mdial89f mdial89f merged commit e21a8b1 into develop Aug 15, 2023
4 of 5 checks passed
@mdial89f mdial89f deleted the cross branch August 15, 2023 13:38
mdial89f added a commit that referenced this pull request Sep 12, 2023
* feat(cross-acct service):  Create a cross acct role for uploads

* correct names

* deps

* Add getobjecttagging perms so we can honor the clean tags
mdial89f added a commit that referenced this pull request Sep 12, 2023
* Add a source service to stream onemac data to kafka (#1292)

* Add a source service to stream data out of dynamo

* set the deploy to be conditional and honor the correct envs

* Add a cross account role to fetch S3 uploads (#1319)

* feat(cross-acct service):  Create a cross acct role for uploads

* correct names

* deps

* Add getobjecttagging perms so we can honor the clean tags
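
An added example, not code from this pull request or the project: a small Python lint for the two policy documents that the description and the later getobjecttagging commit imply, namely a trust policy that trusts one platform account and a permissions policy limited to s3:GetObject and s3:GetObjectTagging on the uploads bucket. The account id, bucket name, function names and sample policy documents are constructed placeholders.

```python
# Added example: lint a cross-account role's trust and permissions policies.
# Account id and bucket name are constructed placeholders, not values from the PR.
PLATFORM_ACCOUNT = "111111111111"
UPLOADS_BUCKET = "example-uploads-bucket"
ALLOWED_ACTIONS = {"s3:getobject", "s3:getobjecttagging"}  # IAM actions are case-insensitive

def as_list(value):
    return value if isinstance(value, list) else [value]

def check_trust(policy, account):
    """Findings for a trust policy that should trust exactly one AWS account."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # e.g. "Principal": "*"
            findings.append(f"trust: principal {principal!r} is not account-scoped")
            continue
        for kind, values in principal.items():
            for p in as_list(values):
                ok = kind == "AWS" and (p == account or p.startswith(f"arn:aws:iam::{account}:"))
                if not ok:
                    findings.append(f"trust: unexpected principal {kind}={p}")
    return findings

def check_permissions(policy, bucket):
    """Findings for a policy that should only read objects and tags in one bucket."""
    findings, object_arn = [], f"arn:aws:s3:::{bucket}/*"
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("perm: NotAction/NotResource in an Allow statement")
        for action in as_list(stmt.get("Action", [])):
            if action.lower() not in ALLOWED_ACTIONS:
                findings.append(f"perm: action {action} is outside the read-only set")
        for res in as_list(stmt.get("Resource", [])):
            if res != object_arn:
                findings.append(f"perm: resource {res} is not {object_arn}")
    return findings

# Constructed sample documents: the shape the PR describes, then an over-broad variant.
GOOD_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{PLATFORM_ACCOUNT}:root"}}]}
GOOD_PERMS = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectTagging"],
    "Resource": f"arn:aws:s3:::{UPLOADS_BUCKET}/*"}]}
BAD_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]}
BAD_PERMS = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::*"}]}
```

Run per stage with that stage's expected platform account, so a dev role that trusts the impl account is reported as a finding.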