👋 Can I get the some hints on the specific IAM access required s3 buckets for the "Flyte System" and "Flyte Users" (tasks)? I see in the EKS manual setup it includes this line:

Attach the

AmazonS3FullAccess

policy for now. S3 access can be tweaked later to narrow down the scope.

That's a bit too much access for me to grant to flyte in most accounts, so I'd like to pair that down. I see from the Opta IaC for flyte, both those categories are provided the Opta s3 "write" access alias, which seems to translate to this:

"s3:GetObject*",
"s3:PutObject*",
"s3:DeleteObject*",
"s3:ListBucket"

Does that sound about right? It seems a little narrow, I would have expected to also include things like

AbortMultipartUpload

,

GetBucketAcl

, etc.

Hey Terence The reference implementation (built with Terraform) uses those permissions and it's been already tested: https://github.com/unionai-oss/deploy-flyte/blob/4c0665df0bf741b73a03d5ddb58d6af45555c33c/environments/aws/iam.tf#L6-L9