Shannon Carey

05/12/2023, 11:39 PM
The doc advice about using arn:aws:iam::aws:policy/AmazonS3FullAccess is not really a secure approach… I am trying to figure out which Buckets and/or prefixes each component actually uses, and whether they need read or write. It seems like the metadata-prefix and metadataStoragePrefix stuff needs to be read/write from the control plane? What about the user tasks? They need read/write too… but can that be restricted to only certain paths that won’t interfere with the control plane? Is there any other detail about read/write & prefix needs at the component level? I see: "None of the Flyte control plane components would access the raw data." So that helps. I assume that’s referring to the rawoutput-prefix setting.

Kevin Su

05/12/2023, 11:54 PM
correct.
metadata-prefix -> control plane
rawoutput-prefix -> data plane

Shannon Carey

05/13/2023, 12:51 AM
Yeah, how about read/write on various prefixes, and preventing user tasks from disrupting control plane?

Ketan (kumare3)

05/13/2023, 5:10 AM
You can do that
Please suggest updates

Shannon Carey

05/15/2023, 2:25 PM
I would if I knew how it worked 🙂
I’ll figure it out eventually