:wave: Can I get the some hints on the specific IA...
# flyte-deployment
t
👋 Can I get some hints on the specific IAM access required for S3 buckets for the "Flyte System" and "Flyte Users" (tasks)? I see the EKS manual setup includes this line:
> Attach the `AmazonS3FullAccess` policy for now. S3 access can be tweaked later to narrow down the scope.
That's a bit too much access for me to grant to Flyte in most accounts, so I'd like to pare that down. I see from the Opta IaC for Flyte that both those categories are given the Opta S3 "write" access alias, which seems to translate to this:
```json
[
  "s3:GetObject*",
  "s3:PutObject*",
  "s3:DeleteObject*",
  "s3:ListBucket"
]
```
Does that sound about right? It seems a little narrow; I would have expected it to also include things like `AbortMultipartUpload`, `GetBucketAcl`, etc.
d
Hey Terence, the reference implementation (built with Terraform) uses those permissions and it has already been tested: https://github.com/unionai-oss/deploy-flyte/blob/4c0665df0bf741b73a03d5ddb58d6af45555c33c/environments/aws/iam.tf#L6-L9