Flyte enables production-grade orchestration for machine learning workflows and data processing created to accelerate local workflows to production.

Flyte

The doc advice about using `arn:aws:iam::aws:policy/AmazonS3FullAccess` is not really a secure approach… I am trying to figure out which Buckets and/or prefixes each component actually uses, and whether they need read or write.

It seems like the `metadata-prefix` and `metadataStoragePrefix` stuff needs to be read/write from the control plane? What about the user tasks? They need read/write too… but can that be restricted to only certain paths that won’t interfere with the control plane? Is there any other detail about read/write &amp; prefix needs at the component level?

I see:
&gt; None of the Flyte control plane components would access the raw data.
So that helps. I assume that’s referring to the `rawoutput-prefix` setting.

correct.
`metadata-prefix` -&gt; control plane
`rawoutput-prefix` -&gt; data plane

Yeah, how about read/write on various prefixes, and preventing user tasks from disrupting control plane?

I would if I knew how it worked :slightly_smiling_face: