Closed
Bug 1402371
Opened 8 years ago
Closed 7 years ago
AWS IAM User for CloudWatch alarm creation
Categories
(Release Engineering :: General, enhancement)
Release Engineering
General
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: sfraser, Assigned: jlund)
References
Details
In order to programmatically create alarms for our instances, we need an IAM user in AWS with access and secret keys, which has the permission:
cloudwatch:PutMetricAlarm
There may be other permissions added later for extracting CloudWatch metric data into nagios[1] but we should be fine with that permission for now.
If the access & secret keys are put directly into Releng puppet's secret key store, that's fine with me, just tell me their names in there so I can update Puppet.
[1] cloudwatch:GetMetricData cloudwatch:GetMetricStatistics cloudwatch:ListMetrics
Comment 1 (Reporter) • 8 years ago
A further thought - if it has the equivalent delete permission for alarms, it can remove them once an instance is shut down (assuming it's shut down cleanly).
Comment 2 (Assignee) • 7 years ago
I can create the IAM user with that permission and then have Danut from buildduty add it into hiera.
Simon, do you still need this?
Flags: needinfo?(sfraser)
Comment 3 (Reporter) • 7 years ago
It's (obviously) not urgent, but I think in the longer term it would be a useful thing to have. I think it's a good step to have AWS alarms automatically appear when the instance is provisioned, rather than having to manually add them.
Flags: needinfo?(sfraser)
Updated (Assignee) • 7 years ago
Assignee: nobody → jlund
Comment 4 (Assignee) • 7 years ago
@simon - I created a user watchWatcher (because releng are terrible at naming). The policy attached to this user includes what was requested plus some more "read" permissions. Let me know what you think, Simon:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "cloudwatch:DescribeAlarms"
            ],
            "Sid": "00000000000000",
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
@danut - I've emailed the access key and id to you for this service-based user. Next step is to put it into our puppet-accessed secret store via hiera. Let's discuss how to do that by going over the doc: https://wiki.mozilla.org/ReleaseEngineering/PuppetAgain/Secrets
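The policy above grants the requested write action on every alarm in the account (Resource "*"). The following audit script is an added example, not code from this bug or from Mozilla's puppet/hiera setup: it parses a constructed copy of the comment 4 policy, compares the granted actions with the set the bug asked for (PutMetricAlarm, the three read actions from footnote [1], and DeleteAlarms as the "equivalent delete permission" from comment 1; that action name and the read-only verb prefixes are assumptions of the example), and flags state-changing actions granted on Resource "*".

```python
"""Audit an IAM policy document against the actions a request asked for.

Added example, not code from the bug or from Mozilla's puppet or hiera
setup. It loads a constructed copy of the policy pasted in comment 4 and
reports: actions granted that were not requested, requested actions that
are missing, and state-changing actions granted on Resource "*".
REQUESTED_ACTIONS and READ_ONLY_PREFIXES are assumptions of this example.
"""
import json

# Constructed copy of the policy attached to the watchWatcher user in comment 4.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudwatch:PutMetricAlarm",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:DescribeAlarms"
      ],
      "Sid": "00000000000000",
      "Resource": ["*"],
      "Effect": "Allow"
    }
  ]
}
"""

# Actions the bug asked for: PutMetricAlarm from the description, the three
# read actions from footnote [1], and DeleteAlarms as the "equivalent delete
# permission" mentioned in comment 1 (the DeleteAlarms name is an assumption).
REQUESTED_ACTIONS = frozenset({
    "cloudwatch:PutMetricAlarm",
    "cloudwatch:GetMetricData",
    "cloudwatch:GetMetricStatistics",
    "cloudwatch:ListMetrics",
    "cloudwatch:DeleteAlarms",
})

# Verb prefixes treated as read-only; anything else (including "*") is a write.
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_write_action(action):
    """True for actions that change state, e.g. cloudwatch:PutMetricAlarm."""
    verb = action.split(":", 1)[-1]
    return not verb.startswith(READ_ONLY_PREFIXES)


def audit_policy(policy, requested):
    """Compare the Allow statements of a policy with a requested action set."""
    allowed = set()
    unscoped_writes = set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(as_list(stmt.get("Action", [])))
        resources = set(as_list(stmt.get("Resource", [])))
        allowed |= actions
        # A write action on Resource "*" applies to every alarm in the account.
        if "*" in resources:
            unscoped_writes |= {a for a in actions if is_write_action(a)}
    return {
        "allowed": sorted(allowed),
        "not_requested": sorted(allowed - requested),
        "missing": sorted(requested - allowed),
        "unscoped_writes": sorted(unscoped_writes),
    }


def audit_comment4_policy():
    """Run the audit on the constructed copy of the comment 4 policy."""
    return audit_policy(json.loads(POLICY_JSON), REQUESTED_ACTIONS)


if __name__ == "__main__":
    for key, value in audit_comment4_policy().items():
        print(f"{key}: {value}")
```

For the comment 4 policy the audit reports DescribeAlarms as granted but not requested (a read action, so low risk), GetMetricData and DeleteAlarms as missing, and PutMetricAlarm as the one write action granted without a resource scope. Whether that scope can be narrowed to the alarms this user should manage is the question worth raising before the key goes into hiera.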
Comment 5 (Reporter) • 7 years ago
I'd missed your reply, sorry. I'll get to adding things when I'm back from PTO.
Updated (Reporter) • 7 years ago
Flags: needinfo?(sfraser)
Comment 6 • 7 years ago
Hey Simon,
Sorry for the delay, I have added the AWS Access Key ID and Secret Access Key to Hiera (Puppet Secrets).
You can access them via the following string names:
cloudwatcher_access_key_id
cloudwatcher_secret_access_key
Please ping us in #buildduty channel (we are 24/7) if you have any issues with the 2 secrets.
Or NI? Jordan if you need more permissions.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Updated • 7 years ago
Component: General Automation → General
Updated (Reporter) • 6 years ago
Flags: needinfo?(sfraser)