IRC log for #confidant, 2016-10-05

All times shown according to UTC.

Time Nick Message
00:23 Ryan_Lane heh. I just now noticed the irc conversation. I responded with most of what was said in here :)
00:24 Ryan_Lane this is an IAM issue as a whole. if you attach the same IAM role to different instances, you're effectively treating them with the same security privilege in AWS
00:24 Ryan_Lane and we treat confidant as an extension of AWS
00:25 Ryan_Lane (I responded on the email list, that is)
02:13 lyftbot [russmac] @ryan-lane I actually thought IAM profiles were once immutable... Not sure if it changed or if I thought incorrectly.
02:14 Ryan_Lane Huh. They're mutable now?
02:14 Ryan_Lane I also didn't know that
02:14 lyftbot [russmac] Well, being able to swap out the role
02:14 lyftbot [russmac] I used to think that was not possible.
02:14 lyftbot [russmac] I
02:15 Ryan_Lane I wasn't aware it's possible now :D
02:15 Ryan_Lane That must only be doable through the api eh?
02:15 lyftbot [russmac] It is
02:15 lyftbot [russmac] You have to delete-role, then attach the new one from the profile
02:16 lyftbot [russmac] Sorry attach a new one to the profile.
02:16 Ryan_Lane Interesting. Had no idea you could do that
02:16 Ryan_Lane They used to be immutable as far as I knew
02:16 lyftbot [russmac] I wrote a lot of doc calling them immutable before I found out. The instance uses the new role.
02:16 Ryan_Lane And if you use the console they're totally linked tigerhery
02:17 Ryan_Lane Together*
02:17 Ryan_Lane On a phone :)
02:17 lyftbot [russmac] It shows in the UI for the new role that its instance profile is what it has been put into so to speak
02:17 Ryan_Lane Heh. There's a fun attack vector
02:18 lyftbot [russmac] So you can have an instance with the profile: old-profile
02:18 lyftbot [russmac] Create a Confidant service from a role : new-role
02:18 lyftbot [russmac] then delete old-role from old-profile insert new-role
02:18 Ryan_Lane Yep. That's a good way to handle the poster's problem
02:19 lyftbot [russmac] Although every instance with that particular instance profile now also has the new role
02:19 Ryan_Lane Though I'm of the school of thought that you scope roles to individual instances or asgs and everything gets its own
02:19 Ryan_Lane Ah. Gotcha
02:20 lyftbot [russmac] I was sure they were immutable, I've been purely AWS for 3 years now and remember it. If it's a new feature they've added or I was wrong I'm not sure.
02:20 lyftbot [russmac] I'
02:21 lyftbot [russmac] You can explicitly with policy I'm sure. But it would be a bit painful to attach it to every other policy. Perhaps there's a "top level" way to apply it.
11:15 DanyC joined #confidant
11:15 DanyC left #confidant
15:58 statik joined #confidant