<p>Arvados - Feature #17215: Support AWS roles in arvados-dispatch-cloud</p>
<p>Peter Amstutz (peter.amstutz@curii.com), 2020-12-16T17:27:52Z, https://dev.arvados.org/issues/17215?journal_id=89484</p>
<ul><li><strong>Assigned To</strong> set to <i>Javier Bértoli</i></li></ul>
<p>Peter Amstutz (peter.amstutz@curii.com), 2021-01-06T17:00:03Z, https://dev.arvados.org/issues/17215?journal_id=89614</p>
<ul><li><strong>Target version</strong> changed from <i>2021-01-06 Sprint</i> to <i>2021-01-20 Sprint</i></li></ul>
<p>Peter Amstutz (peter.amstutz@curii.com), 2021-01-06T17:32:10Z, https://dev.arvados.org/issues/17215?journal_id=89647</p>
<ul><li><strong>Assigned To</strong> changed from <i>Javier Bértoli</i> to <i>Tom Clegg</i></li><li><strong>Category</strong> set to <i>Crunch</i></li><li><strong>Subject</strong> changed from <i>Investigate & document support for using AWS roles for keepstore and arvados-dispatch-cloud</i> to <i>Support AWS roles in arvados-dispatch-cloud</i></li><li><strong>Tracker</strong> changed from <i>Support</i> to <i>Feature</i></li></ul>
<p>Peter Amstutz (peter.amstutz@curii.com), 2021-01-06T17:33:07Z, https://dev.arvados.org/issues/17215?journal_id=89649</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-6 status-3 priority-4 priority-default closed behind-schedule" href="/issues/16520">Idea #16520</a>: GxP Qualification</i> added</li></ul>
<p>Peter Amstutz (peter.amstutz@curii.com), 2021-01-06T17:33:27Z, https://dev.arvados.org/issues/17215?journal_id=89650</p>
<ul><li><strong>Assigned To</strong> changed from <i>Tom Clegg</i> to <i>Ward Vandewege</i></li></ul>
<p>Peter Amstutz (peter.amstutz@curii.com), 2021-01-19T18:45:31Z, https://dev.arvados.org/issues/17215?journal_id=89967</p>
<ul><li><strong>Target version</strong> changed from <i>2021-01-20 Sprint</i> to <i>2021-02-03 Sprint</i></li></ul>
<p>Ward Vandewege (ward@curii.com), 2021-01-20T21:17:30Z, https://dev.arvados.org/issues/17215?journal_id=90050</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>In Progress</i></li></ul><p>Ready for review at <a class="changeset" title="17215: add IAM role support to arvados-dispatch-cloud on EC2. Arvados-DCO-1.1-Signed-off-by: War..." href="https://dev.arvados.org/projects/arvados/repository/arvados/revisions/4c30d75e647f42318fd0069613b3ed4f82c70ea0">4c30d75e647f42318fd0069613b3ed4f82c70ea0</a> on branch 17215-aws-roles-a-d-c</p>
<p>Tested with an IAM role on tordo, it works.</p>
<p>Tom Clegg (tom@curii.com), 2021-01-21T15:55:46Z, https://dev.arvados.org/issues/17215?journal_id=90058</p>
There seem to be a couple of not-quite-obvious behaviors:
<ol>
<li>If the configured credentials are invalid (non-empty but unusable), it looks like the role will be used instead, which could produce surprising results if the operator isn't expecting it</li>
<li>If the configured credentials are valid, and the magic AWS env vars are invalid (non-empty but unusable), setup will fail -- even though the magic env vars wouldn't end up being used if they were valid (at least this is my impression after skimming the source code for session.NewSession())</li>
<li>It's not obvious to me what the error message will be for the "invalid credentials + no IAM role" case</li>
</ol>
<p>None of this seems wrong per se, but might be worth mentioning explicitly in config.default.yml that we will try the explicit credentials first, then fall back to IAM role.</p>
<p>Other than that minor thing, LGTM!</p>
<p>Ward Vandewege (ward@curii.com), 2021-01-21T19:20:20Z, https://dev.arvados.org/issues/17215?journal_id=90067</p>
<p>Tom Clegg wrote:</p>
<blockquote>
There seem to be a couple of not-quite-obvious behaviors:
<ol>
<li>If the configured credentials are invalid (non-empty but unusable), it looks like the role will be used instead, which could produce surprising results if the operator isn't expecting it</li>
</ol>
</blockquote>
<p>Actually, no, if invalid credentials are specified in the config file, a-d-c prints the following type of error in the logs and does not try to use the next authentication method:</p>
<p>Jan 21 19:14:27 tordo.arvadosapi.com arvados-dispatch-cloud[1424]: {"PID":1424,"error":"AuthFailure: AWS was not able to validate the provided access credentials\n\tstatus code: 401, request id: d32a9139-4827-480f-947f-151e7c449557","level":"warning","msg":"sync failed","time":"2021-01-21T19:14:27.969809836Z"}</p>
<p>If the credentials are <strong>empty</strong> (i.e. defined in config file but zero-length value), the role authentication method will be used.</p>
<blockquote>
<ol start="2">
<li>If the configured credentials are valid, and the magic AWS env vars are invalid (non-empty but unusable), setup will fail -- even though the magic env vars wouldn't end up being used if they were valid (at least this is my impression after skimming the source code for session.NewSession())</li>
</ol>
</blockquote>
<p>AWS-specific environment values are a different method to supply authentication information, and we don't support that method. So we probably don't need to worry about this scenario.</p>
<blockquote>
<ol start="3">
<li>It's not obvious to me what the error message will be for the "invalid credentials + no IAM role" case</li>
</ol>
</blockquote>
<p>See above, the IAM role does not come into play.</p>
<blockquote>
<p>None of this seems wrong per se, but might be worth mentioning explicitly in config.default.yml that we will try the explicit credentials first, then fall back to IAM role.</p>
</blockquote>
<blockquote>
<p>Other than that minor thing, LGTM!</p>
</blockquote>
<p>Tom Clegg (tom@curii.com), 2021-01-21T21:30:39Z, https://dev.arvados.org/issues/17215?journal_id=90074</p>
<p>Aha. The "chain" thing looked like it might try each method until one worked. But evidently it does the more predictable thing. And, agreed, the env vars seem like they won't interfere with anything in practice. So... LGTM</p>
<p>Ward Vandewege (ward@curii.com), 2021-01-21T21:31:19Z, https://dev.arvados.org/issues/17215?journal_id=90075</p>
<p>Tom Clegg wrote:</p>
<blockquote>
<p>Aha. The "chain" thing looked like it might try each method until one worked. But evidently it does the more predictable thing. And, agreed, the env vars seem like they won't interfere with anything in practice. So... LGTM</p>
</blockquote>
<p>Thanks, will merge!</p>
<p>Ward Vandewege (ward@curii.com), 2021-01-21T22:00:43Z, https://dev.arvados.org/issues/17215?journal_id=90076</p>
<ul><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Resolved</i></li></ul><p>Applied in changeset <a class="changeset" title="Merge branch '17215-aws-roles-a-d-c' closes #17215 Arvados-DCO-1.1-Signed-off-by: Ward Vandeweg..." href="https://dev.arvados.org/projects/arvados/repository/arvados/revisions/fbc95892b4b8cce3cba9ae024c252bd31146c714">arvados|fbc95892b4b8cce3cba9ae024c252bd31146c714</a>.</p>
<p>Ward Vandewege (ward@curii.com), 2021-02-02T18:50:52Z, https://dev.arvados.org/issues/17215?journal_id=90275</p>
<ul><li><strong>Release</strong> set to <i>37</i></li></ul>