Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
plugin-framework
pulumi-cdk
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumi-service
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
aws
- f
flat-insurance-25294
01/03/2020, 10:47 AMCan you later add new policies to said group without rewriting the old ones? - o
orange-australia-91292
01/03/2020, 11:26 AMwithout answering any of your questions, if you’re going to deal with a lot of policies be mindful of IAM limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html). Some of them are very low. Like, “Managed policies attached to an IAM group: 10”. - f
flat-insurance-25294
01/03/2020, 11:30 AMManaged policies are the policies that AWS creates right? What about custom policies?w- 2
- 5
- f
flat-insurance-25294
01/03/2020, 11:33 AMAre managed policies different than non-managed? I can’t find any info of non-managed policies - f
flat-insurance-25294
01/03/2020, 11:40 AMWould have been nice to be able to export entire AWS resources in export to use StackReference and get an entire object in a different stack. Like ACM or ECR. - o
orange-australia-91292
01/03/2020, 11:49 AMthere are two types of policies, managed and inline - o
orange-australia-91292
01/03/2020, 11:50 AMmanaged are the ones you find in the AWS console under “Policies”. it doesn’t matter who manages the policy, you or AWS. that’s managed - o
orange-australia-91292
01/03/2020, 11:50 AMinline are policies that you attach directly to the user - o
orange-australia-91292
01/03/2020, 11:52 AMinline policies are the “old” type of policy and kind of hidden. there’s a button that you need to click in the UI to get to them. but they can be quite useful due to those limits. - o
orange-australia-91292
01/03/2020, 11:53 AMif you check the limits, it says 10 managed per wtv, but inline is limited to the total number of characters instead of number of policies - o
orange-australia-91292
01/03/2020, 11:54 AMalso, managed policies per role/user can be increased if you ask. per group can’t - f
flat-insurance-25294
01/03/2020, 11:54 AMSo I supposed inlined policies on groups are basically unlimited ( well limited by characters) - o
orange-australia-91292
01/03/2020, 11:54 AMcheck the last two entries on that page - o
orange-australia-91292
01/03/2020, 11:55 AMI’m not sure if it counts spaces or not - f
flat-insurance-25294
01/03/2020, 11:55 AMWill have to figure this out later. At this stage, it essentially means max 10 clusters. That’s alright for now. - f
flat-insurance-25294
01/03/2020, 11:55 AMBecause a Policy can contain multiple statements right? 1 policy doesn’t mean 1 aws resource. 1 policy could mean a collection of ACL on a collection of resources? - f
flat-insurance-25294
01/03/2020, 11:55 AM1 policy could be Read S3 Write EKS Read RDS etc - o
orange-australia-91292
01/03/2020, 11:56 AMyeap - f
flat-insurance-25294
01/03/2020, 11:56 AMFair enough that should be sufficient for now. - f
flat-insurance-25294
01/03/2020, 11:56 AMThanks a bunch for clearing that up - o
orange-australia-91292
01/03/2020, 11:56 AMfor managed, you get a limit of 10, but each one can have > 6k characters. that’s a lot. but you have to be mindful of how you combine these things - o
orange-australia-91292
01/03/2020, 11:57 AMif you hit these limits at a later stage in development, it can be annoying. speaking from experience - o
orange-australia-91292
01/03/2020, 11:57 AMglad to help - f
flat-insurance-25294
01/03/2020, 11:58 AMWe want to spin up resources per branch. So a new pull request would spin up RDS, VPC, EKS, S3, Cloudfront. Create a policy and add them to a group. A developer in said group could then use their rights to check the RDS or create a kubeonfig for the EKS cluster, etc. Will also be creating “users” which are basically our Applications. For creating signed cookies on Cloudfront or upload files to S3. - f
flat-insurance-25294
01/03/2020, 11:58 AMI don’t want to use InstanceRoles or Roles for those things, rather work with acccess_keys and etc. - f
flat-insurance-25294
01/03/2020, 11:59 AMWant to make it as easy as possible for developer to spin up a dev environment. Using a few shared resources (like Route53 and ACM) but mostly isolated. - w
white-translator-96007
01/03/2020, 11:59 AMit is not recommended to use access keys that kind of purposes - w
white-translator-96007
01/03/2020, 12:00 PMif you are accessing inside AWS - f
flat-insurance-25294
01/03/2020, 12:01 PMWhat is recommended then? - o
orange-australia-91292
01/03/2020, 12:01 PMroles are preferred. also, a user can be part of max. 10 groups
Title
o
orange-australia-91292
01/03/2020, 12:01 PMroles are preferred. also, a user can be part of max. 10 groups
View count: 1