Shannon Carey
05/12/2023, 11:39 PM
arn:aws:iam::aws:policy/AmazonS3FullAccess is not really a secure approach… I am trying to figure out which Buckets and/or prefixes each component actually uses, and whether they need read or write.
It seems like the metadata-prefix and metadataStoragePrefix stuff needs to be read/write from the control plane? What about the user tasks? They need read/write too… but can that be restricted to only certain paths that won’t interfere with the control plane? Is there any other detail about read/write & prefix needs at the component level?
I see: "None of the Flyte control plane components would access the raw data." So that helps. I assume that’s referring to the rawoutput-prefix setting.

Kevin Su
05/12/2023, 11:54 PM
metadata-prefix -> control plane
rawoutput-prefix -> data plane

Shannon Carey
05/13/2023, 12:51 AM

Ketan (kumare3)
05/13/2023, 5:10 AM

Shannon Carey
05/15/2023, 2:25 PM