PLFM-8554: Configure IAM User to access S3 #3
Conversation
@@ -40,6 +40,7 @@ | |||
"OwnerEmail": "[email protected]" | |||
}, | |||
"STACK_NAME_PREFIX": "registry-dev", | |||
"BUCKET_NAME": "dev-docker-registry.sagebase.org", |
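Review bot: the BUCKET_NAME value added on this line is a hardcoded, globally unique bucket name, and the discussion below says it must match a bucket that already holds production data rather than one this stack creates; note that beside the key (or in the README) so nobody later expects CloudFormation to own, create or delete the bucket, and keep the dev value ("dev-docker-registry.sagebase.org") clearly distinct from whatever the production config points at.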
Bucket names are unique in a region. To ensure a bucket name is unique I would not set this param and let AWS create a unique bucket name. If you insist on naming the bucket then I would add the AWS account ID somewhere to the name.
bucket names are unique in a region.
In fact bucket names are unique across all standard regions, not just within a region. From the docs:
Amazon S3 supports global buckets, which means that each bucket name must be unique across all AWS accounts in all the AWS Regions within a partition. A partition is a grouping of Regions. AWS currently has three partitions: aws (Standard Regions), aws-cn (China Regions), and aws-us-gov (AWS GovCloud (US)).
I like the idea of letting CloudFormation create a unique name for a bucket however the Docker registry already has a bucket containing production data, and this deployment will have to link to that existing bucket, so CF can't choose the bucket name.
Ahh ok, I thought this was creating the buckets.
The Docker Registry will not use the IAM Role provided by ECS. It will only use an IAM key pair. So we modify the stack to add an IAM user having access to the bucket and inject its key pair into the container as environment variables.
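The comment above describes the shape of the change (an IAM user scoped to the existing bucket, with its access key injected into the container as environment variables). The CloudFormation fragment below is an added illustration written for this page, not the project's own template: the resource names, the `BucketName` parameter, the `/service/` path and the task definition values are assumptions, and the `REGISTRY_STORAGE_*` environment variable names are taken from the Docker registry's configuration override scheme. The policy is deliberately narrow: `ListBucket` on the bucket ARN only, object operations on that bucket's objects only, and nothing else, so the key pair cannot touch other buckets if it leaks.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Hypothetical example (not the project's template): IAM user limited to one
  pre-existing S3 bucket, with its key pair passed to an ECS container.

Parameters:
  BucketName:
    Type: String
    Description: Name of the existing registry bucket (not created by this stack)

Resources:
  # Dedicated user for the registry; assumed resource name and path.
  RegistryUser:
    Type: AWS::IAM::User
    Properties:
      Path: /service/

  # Least privilege: list only this bucket, read/write/delete only its objects.
  RegistryBucketPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: registry-bucket-access
      Users:
        - !Ref RegistryUser
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - s3:ListBucket
              - s3:GetBucketLocation
            Resource: !Sub "arn:aws:s3:::${BucketName}"
          - Effect: Allow
            Action:
              - s3:GetObject
              - s3:PutObject
              - s3:DeleteObject
            Resource: !Sub "arn:aws:s3:::${BucketName}/*"

  # Long-lived key pair for the user; rotate by replacing this resource.
  RegistryAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref RegistryUser

  # Registry container receiving the bucket name and key pair as env vars.
  RegistryTaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: docker-registry
      ContainerDefinitions:
        - Name: registry
          Image: registry:2
          Memory: 512
          Environment:
            - Name: REGISTRY_STORAGE_S3_BUCKET
              Value: !Ref BucketName
            - Name: REGISTRY_STORAGE_S3_REGION
              Value: !Ref AWS::Region
            - Name: REGISTRY_STORAGE_S3_ACCESSKEY
              Value: !Ref RegistryAccessKey
            - Name: REGISTRY_STORAGE_S3_SECRETKEY
              Value: !GetAtt RegistryAccessKey.SecretAccessKey
```

Two operational points follow from this layout. A secret placed in `Environment` is stored in plain text in the task definition, so anyone allowed to call `ecs:DescribeTaskDefinition` can read it; the `Secrets` / `ValueFrom` form of the container definition, backed by Secrets Manager or SSM Parameter Store, keeps it out of the task definition. And because the bucket is pre-existing, the stack must only reference it, never declare an `AWS::S3::Bucket` for it; a stack that owned the bucket could delete production data on teardown.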