The doc advice about using `arn aws iam aws policy AmazonS3F

Question

The doc advice about using `arn aws iam aws policy AmazonS3FullAccess` is not really a secure approach I am trying to figure out which Buckets and or prefixes each component actually uses and whether they need read or write It seems like the `metadata prefix` and `metadataStoragePrefix` stuff needs to be read write from the control plane What about the user tasks They need read write too but can that be restricted to only certain paths that won t interfere with the control plane Is there any other detail about read write amp prefix needs at the component level I see gt None of the Flyte control plane components would access the raw data So that helps I assume that s referring to the `rawoutput prefix` setting

Kevin Su · Answer

correct `metadata prefix` gt control plane `rawoutput prefix` gt data plane

Shannon Carey · Answer

Yeah how about read write on various prefixes and preventing user tasks from disrupting control plane

Ketan (kumare3) · Answer

You can do that

Ketan (kumare3) · Answer

Please suggest updates

Shannon Carey · Answer

I would if I knew how it worked slightly smiling face

Shannon Carey · Answer

I ll figure it out eventually