IRC log for #confidant, 2017-05-01

All times shown according to UTC.

Time Nick Message
01:49 ilbot3 joined #confidant
01:49 Topic for #confidant is now Secret management for AWS. https://lyft.github.io/confidant | Channel logs at http://irclog.perlgeek.de/confidant/ | No one around? We check channel history and will respond later. Check the channel logs or gitter.
19:19 anathema_ joined #confidant
19:22 anathema_ @Ryan_Lane, the IAM policy I pulled straight off of git under the 'configuration' tab. Didn't realize you guys responded day of.. I'm still running into some issues, I think I resolved the policy by making it a little more liberal to Dynamo, but now I'm having issues where the IAM role cannot describe the confidant table I specified in the Environment variables in ECS.
19:23 anathema_ Throwing the error
19:23 anathema_ VerboseClientError: An error occurred (AccessDeniedException) on request (EAV07QFM63QH61DLI074KM87LNVV4KQNSO5AEMVJF66Q9ASUAAJG) on table (confidant-production-1) when calling the DescribeTable operation: [2017-05-01 18:40:00 +0000] [16] [INFO] Worker exiting (pid: 16) [2017-05-01 18:40:00 +0000] [1] [INFO] Shutting down: Master [2017-05-01 18:40:00 +0000] [1] [INFO] Reason: Worker failed to boot
19:24 anathema_ On startup, but when using the IAM Policy Simulator, it's able to do everything when specifying that ARN.. Is the table supposed to be called out by 'table name' or do I have to specify by ARN resource?
20:48 Ryan_Lane anathema_: howdy
20:49 Ryan_Lane I think you need to specify the arn
20:50 Ryan_Lane is the ARN in your statement: arn:aws:dynamodb:*:*:table/confidant-production
20:50 Ryan_Lane ?
20:50 Ryan_Lane if so, it looks like your table is arn:aws:dynamodb:*:*:table/confidant-production-1
20:50 Ryan_Lane you need both confidant-production-1 and confidant-production-1/*
21:17 anathema_ Let me edit that, and I'll get back to you.
21:23 anathema_ Ryan_Lane: I added it, and I'm re-running my ECS task to see if it decides to play nice.
21:26 anathema_ After updating the policy, and adding it to the IAM role.. Seems that there's no dice.
21:27 anathema_ Still throwing the same error while trying to load the container VerboseClientError: An error occurred (AccessDeniedException) on request (82DV4R00ESLK5K7P4B9BFGOINBVV4KQNSO5AEMVJF66Q9ASUAAJG) on table (confidant-production-1) when calling the DescribeTable operation:
21:31 Ryan_Lane anathema_: can you show me the json policy in a gist?
21:31 anathema_ Sure.
21:33 anathema_ https://pastebin.com/ifYY6b1Y
21:34 Ryan_Lane let me check my own policies. maybe the *s aren't correct
21:34 Ryan_Lane one sec
21:36 anathema_ Would it be best to just paste the full ARN in there?
21:36 Ryan_Lane hm. that looks right
21:36 anathema_ I know on the deny statement it's missing the -1
21:36 anathema_ at the end.
21:36 Ryan_Lane yeah. I'd try that
21:36 Ryan_Lane you sure the ECS container has the iam role attached?
21:36 anathema_ Yeah.
21:36 anathema_ I set the role to the iam role
21:36 anathema_ i can double-check
21:37 Ryan_Lane I haven't tried this with ECS yet :)
21:37 anathema_ Oh it's incredibly painful.
21:37 anathema_ Especially when you're leveraging interesting container orchestration software.
21:41 Ryan_Lane anathema_: the policy I have for my own confidant has the * in it
21:41 anathema_ Yeah, I noticed it won't validate the other way..
21:42 Ryan_Lane my policy looks exactly like the one in the docs
21:42 anathema_ Yeah..
21:43 anathema_ Can you show me a sample configuration of your env variables that you have set for the docker instance?
21:43 anathema_ I was using the base configuration.. That you guys have posted there.
21:43 Ryan_Lane I don't use a docker instance in prod
21:44 Ryan_Lane oh... you know. I wonder if describetable can be used without it being global
21:44 anathema_ ?
21:44 Ryan_Lane we don't have confidant auto-create the table in production
21:44 anathema_ How do you mean..
21:44 Ryan_Lane Like Resource: "*"
21:44 anathema_ Oh..
21:45 Ryan_Lane for the DescribeTable action
21:45 anathema_ So what's the fix?
21:45 Ryan_Lane one sec
21:45 anathema_ Np.
21:50 Ryan_Lane hm. it should work with the specific resource
21:50 anathema_ I tried, wouldn't validate.
21:50 anathema_ sec.
21:50 anathema_ let me try it again.
21:52 anathema_ https://pastebin.com/EEqF5iGc
21:55 anathema_ Alright.
21:55 anathema_ I got it, I must have done some weird pasting earlier.
21:55 anathema_ Ok, let me re-update the tasks and set it to run once.
21:58 anathema_ Still complaining..
22:00 anathema_ VerboseClientError: An error occurred (AccessDeniedException) on request (BFJ87493NR1CS64PERSPUQ0LHNVV4KQNSO5AEMVJF66Q9ASUAAJG) on table (confidant-production-1) when calling the DescribeTable operation: [2017-05-01 21:57:29 +0000] [13] [INFO] Worker exiting (pid: 13) [2017-05-01 21:57:29 +0000] [1] [INFO] Shutting down: Master [2017-05-01 21:57:29 +0000] [1] [INFO] Reason: Worker failed to boot.
22:13 anathema_ I mean, Idk what else is left to be honest. ECS should be able to recognize the permissions of the IAM policy I have in place for it; the tasks run, they get up to the part where it's a necessity to describe the table. I was troubleshooting with Amazon earlier today about this, and to no avail, there wasn't anything super significant that came out of it.. I'm just extremely confused of why it's not picking up the permissions to des
22:13 anathema_ Are there additional params in the initial configuration that I can specify?
22:14 anathema_ Well at least in the env variables.. That I'm missing that we could use as a work-around?
22:59 Ryan_Lane well, you can create the dynamo table yourself and tell confidant to not try to create the table
22:59 Ryan_Lane but, it needs to read and write to the table and if describe isn't working, then read/write won't either