Feature #21751

open

Installer's Terraform code supports Customer-Managed Keys

Added by Lucas Di Pentima 12 days ago. Updated 11 days ago.

Status: New
Priority: Normal
Assigned To:
Category: Deployment
Story points: -

Description

When enabling Customer-Managed Keys (CMK) on AWS, some additional IAM permissions on the key need to be granted in order for Arvados to work properly.

Compute nodes

Compute nodes need access to the keys so that the ebs-autoscale feature can create EBS encrypted volumes correctly. Preliminary tests suggest that the following policy is enough:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:GenerateDataKey*"
            ],
            "Resource": [
                "arn:aws:kms:us-east-1:1234567890:key/xxxxxx-kms-id"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": [
                "arn:aws:kms:us-east-1:1234567890:key/xxxxxx-kms-id"
            ],
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": true
                }
            }
        }
    ]
}

Cloud dispatcher

The arvados-dispatch-cloud (a-d-c) service might need a similar policy so that it can launch compute nodes with their storage volumes encrypted by default.

This feature should be optional, and disabled by default. The CMK's ARN should be set in Terraform's tfvars file.
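As an added illustration of how the optional, disabled-by-default setting could look in Terraform (this is example code written for this note, not Arvados' installer code), the snippet below declares a cmk_arn variable that is empty unless set in the tfvars file, builds the policy document from the statements above, and attaches it only when a key ARN is given. The variable names cluster_name, cmk_arn and cmk_role_names, the resource names, and the assumption that the compute node and dispatcher IAM roles already exist under the names passed in are all assumptions of this example.

```hcl
# Example only; not part of the Arvados installer. Names and variables are assumed.

variable "cluster_name" {
  description = "Prefix used for the IAM policy name (assumed to exist in the installer)"
  type        = string
}

variable "cmk_arn" {
  description = "ARN of the customer-managed KMS key used to encrypt EBS volumes. Empty string disables CMK support."
  type        = string
  default     = ""

  # Catch typos early: either unset, or it must look like a KMS key ARN.
  validation {
    condition     = var.cmk_arn == "" || can(regex("^arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:key/", var.cmk_arn))
    error_message = "cmk_arn must be empty or a KMS key ARN of the form arn:aws:kms:REGION:ACCOUNT:key/KEY-ID."
  }
}

variable "cmk_role_names" {
  description = "IAM roles that need to use the key (compute nodes, and optionally the cloud dispatcher). Assumed to exist already."
  type        = set(string)
  default     = []
}

locals {
  cmk_enabled = var.cmk_arn != ""
  # Attach to no roles at all when the feature is disabled.
  cmk_roles = local.cmk_enabled ? var.cmk_role_names : toset([])
}

# The two statements from the policy above, scoped to the single key ARN.
data "aws_iam_policy_document" "cmk" {
  count = local.cmk_enabled ? 1 : 0

  statement {
    sid    = "AllowEBSVolumeEncryption"
    effect = "Allow"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:DescribeKey",
      "kms:GenerateDataKey*",
    ]
    resources = [var.cmk_arn]
  }

  statement {
    sid       = "AllowGrantsForAWSResourcesOnly"
    effect    = "Allow"
    actions   = ["kms:CreateGrant"]
    resources = [var.cmk_arn]

    # Grants may only be created on behalf of AWS services (e.g. EC2/EBS),
    # never directly by the principal itself.
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}

resource "aws_iam_policy" "cmk" {
  count  = local.cmk_enabled ? 1 : 0
  name   = "${var.cluster_name}-cmk-ebs-encryption"
  policy = data.aws_iam_policy_document.cmk[0].json
}

# One attachment per role; nothing is created when cmk_arn is left empty.
resource "aws_iam_role_policy_attachment" "cmk" {
  for_each   = local.cmk_roles
  role       = each.value
  policy_arn = aws_iam_policy.cmk[0].arn
}

# Corresponding terraform.tfvars entries (assumed values):
#   cmk_arn        = "arn:aws:kms:us-east-1:1234567890:key/xxxxxx-kms-id"
#   cmk_role_names = ["example-compute-node-role", "example-dispatcher-role"]
```

Because every CMK-related resource is gated on the same local.cmk_enabled flag, running terraform plan with cmk_arn unset produces no KMS-related changes, which is the "disabled by default" behaviour the ticket asks for; the dispatcher role can be added to cmk_role_names once it is confirmed that a-d-c needs the same permissions.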


Subtasks (1 open, 0 closed)

Task #21757: Review (New, Brett Smith)
