When a CMK policy is not passed in, we are expecting the kms_config to contain IAM user credentials for creating the Yugabyte default CMK policy. We should support the case of instance profile credentials + not passing in a CMK policy, such that the encryption at rest service grabs the ARN of the role attached to the instance profile when creating the default CMK policy.
Summary:
When an instance profile is being used, we should try and retrieve the ARN for the role attached to the instance profile instead of an IAM user's ARN when creating a default CMK policy. This will allow users using an instance profile to not have to upload a custom CMK policy every time they want to encrypt a universe at rest using AWS KMS.
Also update the default CMK policy to use minimum-needed actions.
Test Plan:
Do not provide a custom CMK policy when encrypting a universe using AWS KMS with the KMS config using instance profile credentials -> everything should work
Reviewers: sanketh, ram
Reviewed By: ram
Subscribers: rao, jenkins-bot, yugaware
Differential Revision: https://phabricator.dev.yugabyte.com/D7593
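The two pieces the issue and the commit describe are (a) deriving the right principal ARN for the key policy when the platform runs on instance profile credentials rather than an IAM user, and (b) a default CMK key policy that grants only the actions the service needs. The following is an added illustration written for this page; it is not YugabyteDB's code and does not reproduce the exact policy the commit ships. It models what `sts:GetCallerIdentity` returns for each credential type with constructed sample ARNs (fake account `123456789012`), and the list of "minimum-needed" KMS actions is an assumption about envelope encryption in general, not a statement of what the project's default policy contains. The one AWS detail it relies on is real: under an instance profile the caller identity is an `arn:aws:sts::…:assumed-role/<Role>/<session>` ARN, which is not a valid key-policy principal and must be rewritten to the role's `arn:aws:iam::…:role/<Role>` form (the instance profile ARN itself is not a valid principal either).

```python
import json
import re

# Constructed sample caller ARNs (fake account id), as sts:GetCallerIdentity would return them:
#   - for IAM user credentials in the KMS config
#   - for EC2 instance profile credentials (role session; last path element is the instance id)
SAMPLE_USER_CALLER_ARN = "arn:aws:iam::123456789012:user/yugabyte-kms-user"
SAMPLE_INSTANCE_PROFILE_CALLER_ARN = (
    "arn:aws:sts::123456789012:assumed-role/yugabyte-node-role/i-0abc123def456"
)

_ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/.+$")
_IAM_PRINCIPAL_RE = re.compile(r"^arn:aws:iam::(\d{12}):(user|role)/.+$")

# Hypothetical least-privilege action set for an envelope-encryption client:
# create data keys, unwrap them, and read key metadata. No kms:* and no key-administration actions.
MIN_NEEDED_ACTIONS = ["kms:GenerateDataKey", "kms:Decrypt", "kms:DescribeKey"]


def principal_arn_from_caller_identity(caller_arn: str) -> str:
    """Map a caller-identity ARN to the IAM principal ARN a KMS key policy can reference.

    An assumed-role session ARN (what instance profile credentials produce) is rewritten to
    the underlying role ARN. IAM user and role ARNs are already valid principals.
    Note: the session ARN drops any IAM path on the role; roles created with a path would
    need the path restored from iam:GetRole before use.
    """
    m = _ASSUMED_ROLE_RE.match(caller_arn)
    if m:
        account, role_name = m.groups()
        return f"arn:aws:iam::{account}:role/{role_name}"
    if _IAM_PRINCIPAL_RE.match(caller_arn):
        return caller_arn
    raise ValueError(f"not a usable key-policy principal: {caller_arn}")


def is_valid_policy_principal(arn: str) -> bool:
    """True if principal_arn_from_caller_identity would accept this ARN."""
    try:
        principal_arn_from_caller_identity(arn)
        return True
    except ValueError:
        return False


def build_default_cmk_policy(caller_arn: str) -> dict:
    """Build a default key policy for the calling principal.

    Statement 0 keeps the account root able to administer the key (without it the key can
    become unmanageable); statement 1 grants the service principal only MIN_NEEDED_ACTIONS.
    """
    principal = principal_arn_from_caller_identity(caller_arn)
    account = principal.split(":")[4]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "Allow encryption-at-rest service use of the key",
                "Effect": "Allow",
                "Principal": {"AWS": principal},
                "Action": MIN_NEEDED_ACTIONS,
                "Resource": "*",
            },
        ],
    }


def policy_json(policy: dict) -> str:
    """Serialize for kms:CreateKey's Policy parameter."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Instance profile case: the assumed-role session ARN becomes the role ARN in the policy.
    print(policy_json(build_default_cmk_policy(SAMPLE_INSTANCE_PROFILE_CALLER_ARN)))
```

In a real deployment the caller ARN would come from `boto3.client("sts").get_caller_identity()["Arn"]`, which works the same way for both credential types, so the service does not need to be told which one the KMS config holds. The check in `is_valid_policy_principal` is the useful guard: passing an instance-profile ARN or a session ARN straight into the key policy is rejected by KMS, and catching it locally gives a clearer error than the MalformedPolicyDocument response.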