Create Bucket-Limited Tokens for Each S3-Backed Volume Mount #28
Depends on
#24 Configs/Secrets Bootstrapping & Management
python-support/python-support-infra
Reference: python-support/python-support-infra#28
We already create a dedicated S3 bucket each time an S3-backed volume is requested. However, currently, for simplicity, they all share one read-write token set which works for all buckets.
Not just each bucket, but each host's mount of each bucket, really ought to have its own dedicated token as well. For example, a host using a `readonly`-mounted `rclone` filesystem should only be given a read-only token set (ex. a #14 scheme), but the one host that needs the read-write `rclone` filesystem should instead be given a read-write token set.
Realizing this requires #24 to be tenable:
deploy_volume_s3
.password-store
(again, when they don't yet exist, or are expired) as a hot-path config, as described in #24.
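The scoping described in this issue, as an added example that is not code from this repository: it builds one policy per mount of one bucket, read-only or read-write, and audits a token's policy against what the mount needs. It assumes the S3 provider accepts AWS-style IAM policy JSON; `mount_policy`, `allows`, `audit`, the bucket name `vol-a` and the shared-token policy are hypothetical.

```python
import fnmatch

# Assumption: the S3 provider accepts AWS-style IAM policy JSON per token.
BUCKET_READ = ["s3:ListBucket", "s3:GetBucketLocation"]
OBJECT_READ = ["s3:GetObject"]
OBJECT_WRITE = ["s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"]

# Constructed stand-in for today's shared token: read-write on every bucket.
SHARED_TOKEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]}]}


def mount_policy(bucket, read_only):
    """Least-privilege policy for one host's mount of one bucket."""
    object_actions = OBJECT_READ if read_only else OBJECT_READ + OBJECT_WRITE
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": BUCKET_READ,
         "Resource": [f"arn:aws:s3:::{bucket}"]},
        {"Effect": "Allow", "Action": object_actions,
         "Resource": [f"arn:aws:s3:::{bucket}/*"]}]}


def allows(policy, action, resource):
    """True if some Allow statement matches action and resource (with wildcards)."""
    return any(
        st["Effect"] == "Allow"
        and any(fnmatch.fnmatchcase(action, a) for a in st["Action"])
        and any(fnmatch.fnmatchcase(resource, r) for r in st["Resource"])
        for st in policy["Statement"])


def audit(policy, bucket, read_only):
    """List the ways a token's policy exceeds what this mount needs."""
    own = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = [f"resource outside the mount's bucket: {res}"
                for st in policy["Statement"] for res in st["Resource"]
                if res not in own]
    if read_only:
        findings += [f"read-only mount may {action}" for action in OBJECT_WRITE
                     if allows(policy, action, f"arn:aws:s3:::{bucket}/any-key")]
    return findings


if __name__ == "__main__":
    # Constructed bucket name; the shared token fails, the scoped one passes.
    print(audit(SHARED_TOKEN_POLICY, "vol-a", read_only=True))
    print(audit(mount_policy("vol-a", read_only=True), "vol-a", read_only=True))
```

Running `audit` with `read_only=True` against a read-write policy also catches the case where the wrong token set is handed to a read-only mount.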