Closed Bug 1299183 Opened 8 years ago Closed 8 years ago

Expose S3 bucket to Telemetry team [Stage environment]

Categories

(Cloud Services Graveyard :: Metrics: Pipeline, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: peterbe, Unassigned)

Attachments

(1 file)

We have an S3 bucket that needs to be exposed/granted to the Telemetry team (led by Mark Reid) so he can point his tools to suck down its content. 

The bucket is located in Oregon ("us-west-2"?) and it's called org-allizom-telemetry-crashes

JP, cc'ed, is the master of our IAM and best to direct technical questions to.
Blocks: 1290225
Mark, how can I transfer creds to you? LastPass?
:jp for this we want to have a bucket policy that allows access from the dev IAM, something like:

{
	"Version": "2008-10-17",
	"Statement": [
		{
			"Sid": "MozSvcDevAccountAccessList",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::927034868273:root"
			},
			"Action": [
				"S3:ListBucket",
				"S3:GetBucketLocation"
			],
			"Resource": "arn:aws:s3:::__S3_BUCKET__"
		},
		{
			"Sid": "MozSvcDevAccountAccessGet",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::927034868273:root"
			},
			"Action": "S3:Get*",
			"Resource": "arn:aws:s3:::__S3_BUCKET__/*"
		}
	]
}

927034868273 is the correct account number to use.

Once that's in place, :mreid we'll need to update the atmo instance IAM role to also have read access to the same bucket.
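
The policy proposed in the comment above can be checked before it is applied. The following is an added example, not part of the original thread or of any Mozilla tooling: it flags any Allow statement that goes beyond read-only access by the one named account to the one bucket. The `audit` and `allow` helpers and the `READ_ONLY` pattern list are assumptions made for this sketch, and `LOOSE_POLICY` is a constructed counter-example.

```python
from fnmatch import fnmatchcase

ACCOUNT = "927034868273"                  # account id given in the thread
BUCKET = "org-allizom-telemetry-crashes"  # bucket name given in the thread
READ_ONLY = ("s3:get*", "s3:list*")       # assumption: patterns treated as read-only

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy, account=ACCOUNT, bucket=BUCKET):
    """Return findings for Allow statements wider than read-only access by one account."""
    ok_principals = {account, f"arn:aws:iam::{account}:root"}
    ok_resources = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for key in ("NotPrincipal", "NotAction", "NotResource"):
            if key in stmt:  # negated elements match everything except the listed values
                findings.append(f"{sid}: uses {key}")
        principal = stmt.get("Principal", [])  # "*" or a map such as {"AWS": arn-or-list}
        names = ([n for v in principal.values() for n in as_list(v)]
                 if isinstance(principal, dict) else as_list(principal))
        for name in names:
            if name not in ok_principals:
                findings.append(f"{sid}: unexpected principal {name}")
        for action in as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive, so "S3:Get*" equals "s3:get*".
            if not any(fnmatchcase(action.lower(), p) for p in READ_ONLY):
                findings.append(f"{sid}: non-read action {action}")
        for resource in as_list(stmt.get("Resource", [])):
            if resource not in ok_resources:
                findings.append(f"{sid}: resource outside bucket {resource}")
    return findings

def allow(sid, principal, action, suffix=""):
    return {"Sid": sid, "Effect": "Allow", "Principal": principal,
            "Action": action, "Resource": f"arn:aws:s3:::{BUCKET}{suffix}"}

ROOT = {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}
# The two statements proposed in the thread, with __S3_BUCKET__ filled in.
PAGE_POLICY = {"Version": "2008-10-17", "Statement": [
    allow("MozSvcDevAccountAccessList", ROOT, ["S3:ListBucket", "S3:GetBucketLocation"]),
    allow("MozSvcDevAccountAccessGet", ROOT, "S3:Get*", "/*")]}
# Constructed counter-example: wildcard principal plus a write action.
LOOSE_POLICY = {"Version": "2008-10-17", "Statement": [
    allow("Constructed", {"AWS": "*"}, ["s3:GetObject", "s3:PutObject"], "/*")]}
```

An empty result covers the bucket side only; as the comment says, the instance role in account 927034868273 still needs its own read policy for the same bucket.
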
Fair, we can do it like that.  In socorro-land we've generally granted by IAM group rather than bucket policy, but since we're tying into an existing system, that is much nicer.
Cool, please let me know when this is in effect on the socorro side so I can add the read policy on the telemetry side.
I've set up the bucket policy, so we should be set to update the IAM role.
Setting needinfo so it flags it for ya.  Thanks!
Flags: needinfo?(mreid)
r=whd.

Access is working. Example notebook:
https://gist.github.com/mreid-moz/31ac995e3180c156db61e5f1c0ee745b
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(mreid)
Resolution: --- → FIXED
Blocks: 1314252
Product: Cloud Services → Cloud Services Graveyard