Closed Bug 1425703 Opened 8 years ago Closed 8 years ago

Give gps access to generate and test AMIs for docker-worker

Categories

(Taskcluster :: General, enhancement)

Product:
Taskcluster
Component:
General
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: gps, Assigned: wcosta)

Details

I (gps) want to hack on docker-worker to realize various performance wins and developer ergonomics improvements. Experience from the past few weeks shows that the current process of having to proxy AMI testing through someone on the TC team is annoying and time-consuming to the TC team. I spoke with Dustin about things and he thinks it is OK for me to get permissions so I can test things with minimal involvement from TC personnel. The access I need is as follows: * Access to secrets so I can generate the "base" docker-worker AMI * Access to TC AWS account so I can upload generated APIs to it * Any other access needed to test produced AMIs Just so we're explicit, my intent is to have the ability to produce ad-hoc AMIs and plug them into testing worker types to evaluate them. I don't plan on bulk updating AMIs used by workers. Although if I have that power, I may eventually use it. But if I do, I'll be sure to run things by TC personnel first. needinfo dustin to weigh in and triage.
Flags: needinfo?(dustin)
Wander, if limited to just testing AMIs, is this something we can set up? Then there's no need for CoT keys, etc. I think this would involve: - scopes for secrets (which secrets?) - scopes to modify workerTypes - an AWS account user
Flags: needinfo?(dustin) → needinfo?(wcosta)
(In reply to Dustin J. Mitchell [:dustin] from comment #1) > Wander, if limited to just testing AMIs, is this something we can set up? > Then there's no need for CoT keys, etc. I think this would involve: > > - scopes for secrets (which secrets?) When we generate the testing docker images locally, the scripts pull pulse and tc credentials from secrets service. I think this is what gps is talking about. > - scopes to modify workerTypes > - an AWS account user I will set up permissions and AWS user for gps.
Flags: needinfo?(wcosta)
Assignee: nobody → wcosta
Status: NEW → ASSIGNED
scopes have been added. dustin is taking care of AWS and secrets repo.
Can this be closed?
Flags: needinfo?(gps)
Yes and no. I definitely have enough access to unblock most work. However, the scopes required to run *all* the tests doesn't match what's defined in docker-worker and the required scopes don't match what is granted to me. I was actually using a temporary access key under jonas's account to test things a few months ago :/ I would like to see the scope grants worked out to facilitate testing. But if you want to close this, I understand.
Flags: needinfo?(gps)
(In reply to Gregory Szorc [:gps] from comment #5) > Yes and no. > > I definitely have enough access to unblock most work. However, the scopes > required to run *all* the tests doesn't match what's defined in > docker-worker and the required scopes don't match what is granted to me. I > was actually using a temporary access key under jonas's account to test > things a few months ago :/ > > I would like to see the scope grants worked out to facilitate testing. > > But if you want to close this, I understand. Could you please list the scopes you need?
Flags: needinfo?(gps)
I can't remember. I just know that if you follow the instructions in the README and elsewhere that a few tests fail due to missing scopes. If you want me to burn a few hours to figure this out, needinfo me again. But I can't promise when I'll have time to hack on docker-worker. I'm pretty heads down with other projects right now.
Flags: needinfo?(gps)
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
(In reply to Gregory Szorc [:gps] from comment #7) > I can't remember. I just know that if you follow the instructions in the > README and elsewhere that a few tests fail due to missing scopes. If you > want me to burn a few hours to figure this out, needinfo me again. But I > can't promise when I'll have time to hack on docker-worker. I'm pretty heads > down with other projects right now. Well, when you have a problem with that again, ping me on IRC.
You need to log in before you can comment on or make changes to this bug.