Hello Fedora infra!
I am writing to ask for your guidance regarding how to best secure the rights to manage AWS resources within AWS Fedora Federation. If you don't mind, could you please help me to understand what the best way to proceed would be?
I would like to request that I be granted the necessary rights in order to manage AWS resources in a Fedora account. So far, I have created an EKS cluster — but unfortunately, I cannot add any compute nodes to it. Also, I can't seem to create other resources, either.
If it would help, I can provide you with an example:
```
User: arn:aws:sts::125523088429:assumed-role/aws-fedora-ci/astepano is not authorized to perform: eks:TagResource on resource: arn:aws:eks:us-east-1:125523088429:cluster/astepano
User: arn:aws:sts::125523088429:assumed-role/aws-fedora-ci/astepano is not authorized to perform: eks:CreateNodegroup on resource: arn:aws:eks:us-east-1:125523088429:cluster/astepano
```
Could you please help me to figure out what the best way to proceed is? It is very hard to predict which rights are necessary beforehand. To give you a little bit of context, for example, I have the rights to manage EKS/EC2 -- but as you can see, AWS denies actions on my EKS cluster. Also, for example, it would be good to create a PVC/network to not collide with testing-farm. But unfortunately, I do not have the rights to create PVC/network/other resources. Also, for some fedora-ci projects EKS is not necessary; ECS/Fargate will be enough. I do not have rights to manage ECS/Fargate resources.
It would help me a lot if you could please suggest a way to fix this problem. I don't think that opening a new ticket for each denial would be the most efficient or best approach — is there another good way that we could handle this? I appreciate your insight.
--Andrei
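One way to turn a pile of "is not authorized to perform" messages into a single, reviewable request instead of a ticket per denial: parse each denial into (principal, action, resource), then group the actions by the exact resource ARN they were denied on so the resulting policy draft is scoped to those resources rather than to "*". The script below is an added example, not something from this thread or from Fedora infrastructure; the account id, role name, cluster name and the sample denial lines are constructed placeholders, and the `wildcard_resources` check is a hypothetical helper that flags statements an admin would want to tighten before approving.

```python
import json
import re
from collections import defaultdict

# Constructed sample denials in the format AWS uses for IAM AccessDenied errors.
# The account id (123456789012), role and cluster names are placeholders, not real values.
SAMPLE_DENIALS = """\
User: arn:aws:sts::123456789012:assumed-role/example-role/alice is not authorized to perform: eks:TagResource on resource: arn:aws:eks:us-east-1:123456789012:cluster/alice
User: arn:aws:sts::123456789012:assumed-role/example-role/alice is not authorized to perform: eks:CreateNodegroup on resource: arn:aws:eks:us-east-1:123456789012:cluster/alice
User: arn:aws:sts::123456789012:assumed-role/example-role/alice is not authorized to perform: ec2:CreateVpc on resource: arn:aws:ec2:us-east-1:123456789012:vpc/*
"""

# Matches one denial: the calling principal, the "service:Action" pair, and the resource ARN.
DENIAL_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>[\w-]+:[\w*]+)"
    r" on resource: (?P<resource>\S+)"
)


def parse_denials(text):
    """Return a list of (principal, action, resource) tuples found in the text."""
    return [
        (m.group("principal"), m.group("action"), m.group("resource"))
        for m in DENIAL_RE.finditer(text)
    ]


def build_policy(denials):
    """Draft an IAM policy with one Allow statement per denied resource ARN.

    Actions are grouped by the exact ARN they were denied on, so nothing is
    widened to '*' just because several calls failed.
    """
    by_resource = defaultdict(set)
    for _principal, action, resource in denials:
        by_resource[resource].add(action)
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
        for resource, actions in sorted(by_resource.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def wildcard_resources(policy):
    """Hypothetical review helper: list resource ARNs containing a wildcard.

    AWS reports some denials (for example creation of a resource that does not
    exist yet) against a wildcard ARN; those statements deserve a closer look,
    for instance by narrowing with a condition key, before they are granted.
    """
    return [s["Resource"] for s in policy["Statement"] if "*" in s["Resource"]]


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_DENIALS)
    policy = build_policy(denials)
    print(json.dumps(policy, indent=2))
    for arn in wildcard_resources(policy):
        print(f"review: wildcard resource {arn}")
```

Pasting the real denial output from the CLI into `SAMPLE_DENIALS` (or reading it from stdin) yields a policy document scoped to the cluster ARN that actually failed, which is a much easier thing for an infra admin to review in one sitting than a sequence of separate tickets.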
On Thu, May 28, 2020 at 02:03:44PM -0000, Andrei Stepanov wrote:
Well, I think it would be good to explain what you are trying to do first. I'm guessing set up an EKS cluster for some purpose?
We do have some policy already for that as testing-farm has been working on that. Things like pvc/networks we typically create for you instead of granting everyone ability to do that. :)
I guess the best way forward is to have a ticket (which you already have done) and then explain what all you are trying to do/need, and then I find it best to set up a time to work on it interactively and get the permissions tuned to what you need to do. That goes much better than back and forth in a ticket or filing a bunch of tickets, IMHO.
Also, it would be good to know your deadlines, as I am not sure how much time I can devote to this over the coming few weeks, since our datacenter move is coming up and I am spending all my time on that.
Let us know and we can sort out how best to help you...
Hope that makes sense.
kevin
Kevin hello,
I should have explained this before. Sorry. The Testing-Farm team and osci are from the same initiative. However, there is a distinction:
1. Testing-farm: runs the actual tests and provides an API for scheduling a test. Testing-farm does not interpret results, monitor new builds, etc. Testing-farm runs tests when it is asked to.
2. osci part: monitors and triggers/schedules tests for testing-farm.
Currently we have a few OpenShift projects at console.apps.ci.centos.org. That is a very outdated OpenShift version. If possible we would like to host Jenkinses both on os.fedoraproject.org as well as on AWS. I will be happy to answer other questions if there are any. We do not have strict deadlines; however, this would help us move. Please let me know if there are more questions or how we can proceed further. Thank you.
infrastructure@lists.fedoraproject.org