Feature #21751
Installer's Terraform code supports Customer-Managed Keys (closed)
Status: Resolved
Priority: Normal
Assigned To:
Category: Deployment
Target version:
Story points: -
Release:
Release relationship: Auto
Description
When enabling CMK on AWS, some special permissions need to be set in order for Arvados to work properly.
Compute nodes
Compute nodes need access to the keys so that the ebs-autoscale feature can create EBS encrypted volumes correctly. Preliminary tests suggest that the following policy is enough:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:GenerateDataKey*"
      ],
      "Resource": [
        "arn:aws:kms:us-east-1:1234567890:key/xxxxxx-kms-id"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "kms:CreateGrant",
      "Resource": [
        "arn:aws:kms:us-east-1:1234567890:key/xxxxxx-kms-id"
      ],
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    }
  ]
}
Cloud dispatcher
The a-d-c service might need a similar policy so that it can launch compute nodes with their storage volumes encrypted by default.
This feature should be optional, and disabled by default. The CMK's ARN should be set in Terraform's tfvars file.
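One way to express the policy above as optional Terraform, added here as an illustration and not taken from the Arvados installer's own code; the variable name cmk_arn, the role aws_iam_role.compute_node and the policy name are assumptions. The kms:GrantIsForAWSResource condition keeps CreateGrant usable only for grants that an AWS service (here EC2, for EBS) creates on the node's behalf, so the node role cannot hand out arbitrary grants on the key.

```hcl
# Added example, not the Arvados installer's own code.
# Assumed: var.cmk_arn (set in terraform.tfvars), aws_iam_role.compute_node.
# terraform.tfvars:
#   cmk_arn = "arn:aws:kms:us-east-1:1234567890:key/xxxxxx-kms-id"

variable "cmk_arn" {
  description = "ARN of the customer-managed KMS key. Empty string (the default) disables CMK support."
  type        = string
  default     = ""
}

locals {
  # The feature is opt-in: nothing is created unless an ARN is supplied.
  use_cmk = var.cmk_arn != ""
}

data "aws_iam_policy_document" "compute_node_cmk" {
  count = local.use_cmk ? 1 : 0

  # Key usage needed to create and attach encrypted EBS volumes.
  statement {
    effect    = "Allow"
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey*"]
    resources = [var.cmk_arn]
  }

  # CreateGrant restricted to grants made on behalf of AWS resources.
  statement {
    effect    = "Allow"
    actions   = ["kms:CreateGrant"]
    resources = [var.cmk_arn]

    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}

resource "aws_iam_role_policy" "compute_node_cmk" {
  count  = local.use_cmk ? 1 : 0
  name   = "compute-node-cmk"
  role   = aws_iam_role.compute_node.name # assumed existing role
  policy = data.aws_iam_policy_document.compute_node_cmk[0].json
}
```

The same document can be attached to the dispatcher's role with a second aws_iam_role_policy if the a-d-c service turns out to need it.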