Feature #21751
openInstaller's Terraform code supports Customer-Managed Keys
Status: New
Priority: Normal
Assigned To:
Category: Deployment
Target version:
Story points: -
Description
When enabling CMK on AWS, some special permissions need to be set in order for Arvados to work properly.
Compute nodes
Compute nodes need access to the keys so that the ebs-autoscale feature can create encrypted EBS volumes correctly. Preliminary tests suggest that the following policy is enough:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:GenerateDataKey*"
      ],
      "Resource": [
        "arn:aws:kms:us-east-1:1234567890:key/xxxxxx-kms-id"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "kms:CreateGrant",
      "Resource": [
        "arn:aws:kms:us-east-1:1234567890:key/xxxxxx-kms-id"
      ],
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    }
  ]
}
Cloud dispatcher
The a-d-c service might need a similar policy so that it can launch compute nodes with their storage volumes encrypted by default.

This feature should be optional, and disabled by default. The CMK's ARN should be set in Terraform's tfvars file.
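One way to express the optional, off-by-default CMK grant in Terraform, as an added example that is not Arvados' own Terraform code: the key ARN comes from a tfvars value, an empty value creates no IAM resources, and the two statements mirror the policy above. The role name aws_iam_role.compute_node is assumed to exist elsewhere in the configuration.

```hcl
# tfvars usage (constructed value):  cmk_arn = "arn:aws:kms:us-east-1:1234567890:key/xxxxxx-kms-id"
variable "cmk_arn" {
  description = "ARN of the customer-managed KMS key for EBS volumes; empty string disables the feature"
  type        = string
  default     = ""

  validation {
    condition     = var.cmk_arn == "" || can(regex("^arn:aws:kms:", var.cmk_arn))
    error_message = "cmk_arn must be empty or a KMS key ARN."
  }
}

locals {
  cmk_enabled = var.cmk_arn != ""
}

# Least-privilege grant scoped to the single key; only created when a CMK is configured.
data "aws_iam_policy_document" "compute_cmk" {
  count = local.cmk_enabled ? 1 : 0

  statement {
    effect    = "Allow"
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey*"]
    resources = [var.cmk_arn]
  }

  # CreateGrant is restricted to grants made on behalf of AWS services (EBS), not arbitrary principals.
  statement {
    effect    = "Allow"
    actions   = ["kms:CreateGrant"]
    resources = [var.cmk_arn]
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}

resource "aws_iam_policy" "compute_cmk" {
  count  = local.cmk_enabled ? 1 : 0
  name   = "arvados-compute-cmk"
  policy = data.aws_iam_policy_document.compute_cmk[0].json
}

resource "aws_iam_role_policy_attachment" "compute_cmk" {
  count      = local.cmk_enabled ? 1 : 0
  role       = aws_iam_role.compute_node.name # assumed: the compute nodes' instance role
  policy_arn = aws_iam_policy.compute_cmk[0].arn
}
```

The same document can be attached to the dispatcher's role with a second aws_iam_role_policy_attachment if the a-d-c service turns out to need it.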