# ask-the-community
s
The doc advice about using `arn:aws:iam::aws:policy/AmazonS3FullAccess` is not really a secure approach… I am trying to figure out which Buckets and/or prefixes each component actually uses, and whether they need read or write. It seems like the `metadata-prefix` and `metadataStoragePrefix` stuff needs to be read/write from the control plane? What about the user tasks? They need read/write too… but can that be restricted to only certain paths that won’t interfere with the control plane? Is there any other detail about read/write & prefix needs at the component level? I see:
None of the Flyte control plane components would access the raw data.
So that helps. I assume that’s referring to the `rawoutput-prefix` setting.
k
correct.
`metadata-prefix` -> control plane
`rawoutput-prefix` -> data plane
s
Yeah, how about read/write on various prefixes, and preventing user tasks from disrupting control plane?
k
You can do that
Please suggest updates
s
I would if I knew how it worked 🙂
I’ll figure it out eventually