Allow access to multiple s3 buckets from the hub #1455

Closed
yuvipanda opened this issue Jun 23, 2022 · 6 comments

@yuvipanda
Member

Context

From https://2i2c.freshdesk.com/a/tickets/149,

We have some folks wanting to connect to existing buckets in other AWS accounts (s3://eis-dh-hydro).

In the past we gave groups our service account identifier (arn:aws:iam::783380859522:role/jovyan-serviceaccount) to get permissions, and if I remember correctly I had to also add permissions to the service account policy...

What is the service account identifier I should use? Can I modify the necessary config, or do I need a 2i2c engineer to modify the policy?

Proposal

No response

Updates and actions

No response

@yuvipanda
Member Author

Tried to just grant access to the role specified in

aws_iam_role.irsa_role[each.value.hub_name].arn
but that didn't work.

@choldgraf
Member

Can you flesh out the issue title? It is unclear what "different" refers to...is it scratch buckets?

@yuvipanda changed the title from "Allow access to different" to "Allow access to multiple s3 buckets from the hub" on Jun 23, 2022

@yuvipanda
Member Author

@choldgraf no idea how those words went missing! Fixed

@scottyhq
Contributor

I’ll have to loop you into the emails with the NASA account admin to double check the settings on their end...

Last year we also had to add explicit permissions to the hub service account policy, see here https://github.com/snowex-hackweek/jupyterhub/blob/main/terraform/eks/s3-data-bucket.tf

Could also test with the following requester-pays bucket. I have no problem accessing this with full S3 permissions on my own AWS account, but from the snowex hub it is permission denied.

aws s3 ls --request-payer requester s3://usgs-landsat/collection02/

@scottyhq
Contributor

Just noting that aws_iam_role.irsa_role[each.value.hub_name].arn ->

eks.amazonaws.com/role-arn: arn:aws:iam::740010314650:role/uwhackweeks-snowex

...rather than adding each specific bucket though, it seems like all S3 list, read permissions could be default (just exclude permissions to create and delete buckets)?
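
An added illustration, not part of the thread or of the 2i2c or snowex Terraform: a simplified Python model of the cross-account rule behind this discussion, in which a request from the hub role to a bucket in another AWS account succeeds only when the role's own policy and the bucket owner's policy both allow it, and a list/read-only statement never covers create or delete. The role ARN and bucket name are the ones quoted in the comments above (paired here for illustration); the object key, function names and the evaluator itself are assumptions, and the evaluator ignores conditions, SCPs and permission boundaries.

```python
import fnmatch

# Role ARN and bucket name are quoted in the thread; all else is constructed.
HUB_ROLE_ARN = "arn:aws:iam::740010314650:role/uwhackweeks-snowex"
BUCKET = "eis-dh-hydro"

def read_only_statement(bucket, principal=None):
    """Allow list + read on a bucket; grants no write, create or delete."""
    stmt = {
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }
    if principal is not None:  # only bucket (resource) policies name a principal
        stmt["Principal"] = {"AWS": principal}
    return stmt

def policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, principal, action, resource):
    p = stmt.get("Principal")
    if p is not None:  # "*" or {"AWS": arn | [arns]}
        allowed = _as_list(p if isinstance(p, str) else p.get("AWS", []))
        if "*" not in allowed and principal not in allowed:
            return False
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def allows(pol, principal, action, resource):
    """Simplified evaluation: an explicit Deny wins, otherwise any Allow."""
    hits = [s["Effect"] for s in pol["Statement"] if _matches(s, principal, action, resource)]
    return "Allow" in hits and "Deny" not in hits

def cross_account_allowed(role_policy, bucket_policy, principal, action, resource):
    """A role in account A reaches a bucket in account B only if BOTH allow."""
    return (allows(role_policy, principal, action, resource)
            and allows(bucket_policy, principal, action, resource))

if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/constructed/key.nc"
    role_pol = policy(read_only_statement("*"))  # broad read-only default on the hub role
    bucket_pol = policy(read_only_statement(BUCKET, HUB_ROLE_ARN))  # bucket owner's grant
    print(cross_account_allowed(role_pol, bucket_pol, HUB_ROLE_ARN, "s3:GetObject", obj))  # True
    print(cross_account_allowed(role_pol, policy(), HUB_ROLE_ARN, "s3:GetObject", obj))  # False
    print(cross_account_allowed(role_pol, bucket_pol, HUB_ROLE_ARN, "s3:DeleteBucket", f"arn:aws:s3:::{BUCKET}"))  # False
```

The dictionaries returned by `policy()` are in IAM policy JSON shape, so `json.dumps` on them gives a document that can be reviewed alongside the Terraform before anything is applied.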

yuvipanda added a commit to yuvipanda/pilot-hubs that referenced this issue Jun 30, 2022
- Helpful to grant users on a given hub extra IAM permissions,
  such as S3 access, db access, etc.
- Grant access to two S3 buckets for the SnowEx hackathon based
  on request

Ref 2i2c-org#1455
@yuvipanda
Member Author

Fixed by #1488
