1394028 - [tecken infra] switch to using existing symbols buckets in webeng for stage/prod

Status: RESOLVED FIXED

(Socorro :: Symbols, task)

Description

[Miles Crabill [:miles]]

Peter and I discussed what to do about symbols/tecken buckets in bug 1361503. Our conclusion was to do what we did for antenna: create a user account in mozilla-webeng that the symbols/tecken instances in cloudops stage/prod can use to access the stage/prod symbols buckets.

To that end, I have created user accounts with the requisite permissions and am working on adding those credentials to the environment of symbols/tecken instances.
Temporarily, the prod user account does not have permission to s3:DeleteObject.

This bug covers finalizing that work and switching symbols/tecken in cloudops stage/prod to fully use the mozilla-webeng symbols buckets.

Comment 1

[Peter Bengtsson [:peterbe]]

Sorry if this is distracting/hijacking the bug at hand but one thing that occurred to me is that Tecken actually never deletes any symbols. In the past (i.e. last many years) the only few rare times we've had to delete symbols it's be done manually using AWS console. 

There is 1 exception however, in the bucket's root we create a "directory" called "inbox". Therein, we need the ability to do DeleteObject. 

Perhaps it's overkill. Perhaps it's smart footgun prevention, but should we disallow the DeleteObject permission for all other places in the bucket. In particular ALL symbols are always stored in a folder called "v1".

Comment 2

[Miles Crabill [:miles]]

Agreed, that would be good as a condition to the s3:DeleteObjects permission. I'm creating a new bug for that. (bug 1395271)

Updates on this bug, we've successfully tested symbol upload and download in stage using the webeng symbols buckets.

Comment 3

[Miles Crabill [:miles]]

This is complete and working in both stage and prod.