fernando-mc / serverless-finch

A Serverless Framework Plugin for Static Site Deployment

AWS Credentials for integration tests

Shereef opened this issue · comments

This is an issue to discuss having AWS Creds in the github repo.

For feature requests or changes:

Current behavior (if any)

Integration tests fail https://github.com/fernando-mc/serverless-finch/runs/5343253800?check_suite_focus=true

Proposed behavior

Added AWS Credentials to be able to run integration tests successfully

Proposed implementation details (optional)

  • @fernando-mc is hardening the credentials down so they can only perform the minimal actions needed to run the integration tests
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAllAccessToFinchTest",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::serverless-finch-test-*"
        },
        {
            "Sid": "RequiredByServerless",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}
```
  1. Add the new policy to AWS
  2. Add a new user to IAM with only programmatic access and note the Key ID and Key Secret
  3. Assign the new policy to the IAM user
  4. Add the keys to this page and add them

Justification

Testing incoming changes

@fernando-mc I have done some research on your behalf and included the steps above

I don't like that you need to have s3:ListAllMyBuckets on there, but serverless tries to list all buckets and if it doesn't have the permission it doesn't try to bypass the error, so it must be added.

But I think we will be fine because even though we can list all buckets

```
Shmac:serverless-finch shereef.marzouk$ aws s3 mb s3://serverless-finch-test-1
make_bucket: serverless-finch-test-1
Shmac:serverless-finch shereef.marzouk$ aws s3 ls s3://test-wh

An error occurred (NoSuchBucket) when calling the ListObjectsV2 operation: The specified bucket does not exist
# The above is a real bucket I listed with ls before but when I try to ls it will not allow me
Shmac:serverless-finch shereef.marzouk$ aws s3 ls s3://serverless-finch-test-1
# it allows ls to the correctly named buckets it cannot list contents of the buckets nor that it can modify those buckets
Shmac:serverless-finch shereef.marzouk$ aws s3 rb s3://serverless-finch-test-1
remove_bucket: serverless-finch-test-1
Shmac:serverless-finch shereef.marzouk$ aws s3 mb s3://serverless-finch-teq
make_bucket failed: s3://serverless-finch-teq An error occurred (AccessDenied) when calling the CreateBucket operation: Access Denied
```
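
To check the scoping of the policy above without touching AWS, here is an added Python example (not part of this issue or of the serverless-finch project) that applies simplified IAM evaluation logic to the requests from that terminal session. The mapping of `aws s3 mb`/`ls`/`rb` to S3 API actions and the object keys are assumptions; it models only Action/Resource wildcards and implicit deny, not Conditions, NotAction or resource-based policies.

```python
import json
import re

# The policy proposed in this issue, embedded here as the input under test.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowAllAccessToFinchTest", "Effect": "Allow",
     "Action": "s3:*", "Resource": "arn:aws:s3:::serverless-finch-test-*"},
    {"Sid": "RequiredByServerless", "Effect": "Allow",
     "Action": "s3:ListAllMyBuckets", "Resource": "*"}
  ]
}""")


def wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Simplified IAM evaluation: an explicit Deny wins, any matching Allow
    grants the request, and anything unmatched is implicitly denied."""
    as_list = lambda x: x if isinstance(x, list) else [x]
    decision = "Deny"
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        action_hit = any(wildcard_match(a.lower(), action.lower())
                         for a in as_list(stmt.get("Action", [])))
        resource_hit = any(wildcard_match(r, resource)
                           for r in as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


# Requests mirroring the CLI session (assumed CLI-to-API mapping), plus
# object-level calls a site deploy would make; names are constructed.
REQUESTS = {
    "mb serverless-finch-test-1": ("s3:CreateBucket", "arn:aws:s3:::serverless-finch-test-1"),
    "ls test-wh": ("s3:ListBucket", "arn:aws:s3:::test-wh"),
    "rb serverless-finch-test-1": ("s3:DeleteBucket", "arn:aws:s3:::serverless-finch-test-1"),
    "mb serverless-finch-teq": ("s3:CreateBucket", "arn:aws:s3:::serverless-finch-teq"),
    "list all buckets": ("s3:ListAllMyBuckets", "*"),
    "put index.html": ("s3:PutObject", "arn:aws:s3:::serverless-finch-test-1/index.html"),
    "get foreign object": ("s3:GetObject", "arn:aws:s3:::test-wh/secret.txt"),
}


def simulate_session(policy: dict = POLICY) -> dict:
    """Evaluate every request and return {label: 'Allow' | 'Deny'}."""
    return {label: evaluate(policy, action, arn)
            for label, (action, arn) in REQUESTS.items()}
```

Running `simulate_session()` reproduces the session: the prefixed bucket can be created, listed and removed, the differently named bucket cannot, and only the bucket enumeration is allowed outside the prefix. The same `*` also covers object ARNs under the test buckets, which is what the deploy needs.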

@Shereef @mikejpeters should be done now give it a shot.

Though @Shereef will this work for @mikejpeters's PR? I thought we were making buckets of the account ID?

The `*` makes it work: `"Resource": "arn:aws:s3:::serverless-finch-test-*"`. I will test it.

Works for me. I thought the start of bucket resources was the account ID, didn't realize we prefixed with serverless-finch-test, but it makes sense to me! Integration tests seem to be running well @mikejpeters.

Feel free to merge whenever two maintainers approve. You should have credentials needed to make a release. Please make sure to update docs before that and make sure that this is a new major version for the release to help avoid any issues for folks relying on this and wanting to avoid potential breaking changes we might make supporting framework v3.

This works and works well, thanks @fernando-mc. I have merged #144 after tests and integration tests passed.

I counted my approval and @mikejpeters's as the 1 approval for each other's change on the PR.

Next step is the release of the next version.

As per your email:

  1. You have sign-off from at least one of the other maintainers/collaborators before merging a PR
  2. You have sign-off from me or two other maintainers for cutting any new releases

So we need your approval, or mine and Mike's, to release.

You're good on this release. Just sync with @mikejpeters at some point to figure out who is writing release notes/doc updates. As long as you don't introduce anything else major, consider it a sign-off from me @Shereef! I'm out for several hours now but will be back on tonight if you need anything.