https://pulumi.com logo
Powered by
h

helpful-advantage-49286

03/06/2019, 11:38 PM
What is the right way tofile a ‘not sure how this happened, but this seems super bad’ bug that has some data in it that i’d prefer not to expose?
c

creamy-potato-29402

03/06/2019, 11:39 PM
@helpful-advantage-49286 I’ve seen this too but I wasn’t sure if I accidentally did this to myself somehow from the console. I ran 
refresh
and then 
up
again and it figured itself out.
but cc @white-balloon-205 and @stocky-spoon-28903
But only on GCP.
h

helpful-advantage-49286

03/06/2019, 11:39 PM
So definitely didn’t happen for us
c

creamy-potato-29402

03/06/2019, 11:39 PM
I’ve never seen this on AWS.
what happens when you run 
refresh
?
h

helpful-advantage-49286

03/06/2019, 11:39 PM
Oh, I mean we fixed it manually in the console
but this was 2 days of the k8s cluster being unable to talk to the container registry so deploys would fail
c

creamy-potato-29402

03/06/2019, 11:40 PM
So you didn’t get the opportunity to run 
refresh
at all?
h

helpful-advantage-49286

03/06/2019, 11:40 PM
Actually I dunno that we even ran a refresh/up in that stack
lemme try it in the identity stack
c

creamy-potato-29402

03/06/2019, 11:40 PM
oh
oh this was a different stack.
h

helpful-advantage-49286

03/06/2019, 11:41 PM
yah, sorry, so we have a stack that broke the roles
and then another stack that was running refresh, so I am confused
c

creamy-potato-29402

03/06/2019, 11:42 PM
What kind of IAM APIs are you using? Bindings are different and non-deleterious.
h

helpful-advantage-49286

03/06/2019, 11:42 PM
But, issue still happened
Bindings
c

creamy-potato-29402

03/06/2019, 11:42 PM
mm
I forget what the API is, but one of them (like AWS) is an API that will delete other policies bound to a role
h

helpful-advantage-49286

03/06/2019, 11:43 PM
Its a call to SetIamPolicy that caused the editor role to be nuked off of unrelated accounts
like the main service account/etc
I have to run to a meeting, but will check the thread when I get back!
c

creamy-potato-29402

03/06/2019, 11:43 PM
alright
s

stocky-spoon-28903

03/07/2019, 12:27 AM
Re reporting: feel free to send it to either me or @white-balloon-205 , with whatever you feel needs redacting removed
h

helpful-advantage-49286

03/07/2019, 2:18 AM
I dont think it needs to be redacted from y’all, just not sure I wanna paste the payload into github issues!
will paste you
s

stocky-spoon-28903

03/07/2019, 3:39 PM
@helpful-advantage-49286 Ack, I have it
Is there any more info? (i.e. the program etc or any background on what was expected etc)
h

helpful-advantage-49286

03/07/2019, 6:06 PM
It was a pretty typical gcp identity stack
I can send that to you privately
it is based on the k8s tutorial
Powered by