Feature #21751
openInstaller's Terraform code supports Customer-Managed Keys
Status:
In Progress
Priority:
Normal
Assigned To:
Category:
Deployment
Target version:
Story points:
-
Description
When CMK (Customer-Managed Keys) is enabled on AWS, some additional IAM permissions need to be granted for Arvados to work properly.
Compute nodes
Compute nodes need access to the key so that the ebs-autoscale feature can create encrypted EBS volumes correctly. Preliminary tests suggest that the following policy is enough:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:GenerateDataKey*"
            ],
            "Resource": [
                "arn:aws:kms:us-east-1:1234567890:key/xxxxxx-kms-id"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": [
                "arn:aws:kms:us-east-1:1234567890:key/xxxxxx-kms-id"
            ],
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": true
                }
            }
        }
    ]
}
Cloud dispatcher
The a-d-c (arvados-dispatch-cloud) service might need a similar policy so that it can launch compute nodes with their storage volumes encrypted by default.
This feature should be optional, and disabled by default. The CMK's ARN should be set in Terraform's tfvars file.
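One way to wire this up in Terraform so that CMK support stays off unless an ARN is supplied in tfvars (an added example, not the Arvados installer's own code; the aws_iam_role.compute_node reference is a hypothetical role name assumed to exist elsewhere in the configuration):

```hcl
# Added example, not part of the Arvados installer. Assumes a role
# "aws_iam_role.compute_node" is defined elsewhere (hypothetical name).

variable "cmk_arn" {
  description = "ARN of the KMS Customer-Managed Key for EBS encryption. Empty disables CMK support."
  type        = string
  default     = ""

  validation {
    condition     = var.cmk_arn == "" || can(regex("^arn:aws:kms:", var.cmk_arn))
    error_message = "cmk_arn must be empty or a KMS key ARN (arn:aws:kms:...)."
  }
}

locals {
  cmk_enabled = var.cmk_arn != ""
}

# Same two statements as the policy above, scoped to the single key ARN.
data "aws_iam_policy_document" "compute_node_cmk" {
  count = local.cmk_enabled ? 1 : 0

  statement {
    effect    = "Allow"
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey*"]
    resources = [var.cmk_arn]
  }

  statement {
    effect    = "Allow"
    actions   = ["kms:CreateGrant"]
    resources = [var.cmk_arn]

    # Only allow grants created on behalf of AWS services (here, EBS).
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}

# Nothing is created when cmk_arn is empty, so the default deployment is unchanged.
resource "aws_iam_role_policy" "compute_node_cmk" {
  count  = local.cmk_enabled ? 1 : 0
  name   = "compute-node-cmk-access"
  role   = aws_iam_role.compute_node.id
  policy = data.aws_iam_policy_document.compute_node_cmk[0].json
}
```

Enabling the feature is then a single line in terraform.tfvars, for example `cmk_arn = "arn:aws:kms:us-east-1:1234567890:key/xxxxxx-kms-id"`; leaving it unset creates no KMS policy at all.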
Updated by Lucas Di Pentima about 1 month ago
- Status changed from New to In Progress
Updated by Peter Amstutz about 1 month ago
- Target version changed from Development 2024-05-22 sprint to Development 2024-06-05 sprint
Updated by Peter Amstutz 27 days ago
- Target version changed from Development 2024-06-05 sprint to Development 2024-06-19 sprint
Updated by Peter Amstutz 13 days ago
- Target version changed from Development 2024-06-19 sprint to Development 2024-07-03 sprint