Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use gh nv-gha-aws CLI extension to generate credentials #392

Merged
merged 6 commits into from
Sep 19, 2024
Merged

Use gh nv-gha-aws CLI extension to generate credentials #392

merged 6 commits into from
Sep 19, 2024

Conversation

trxcllnt
Copy link
Collaborator

  • install nv-gha-aws CLI extension
  • use nv-gha-aws to generate credentials if AWS_ROLE_ARN is set

@trxcllnt trxcllnt requested a review from a team as a code owner September 16, 2024 23:24
@trxcllnt trxcllnt requested review from bdice and removed request for a team September 16, 2024 23:24
ajschmidt8
ajschmidt8 reviewed Sep 17, 2024
View reviewed changes
Copy link
Member

@ajschmidt8 ajschmidt8 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice! looking forward to getting this rolled out.

left a few questions/comments.

features/src/utils/opt/devcontainer/bin/creds/s3/gh/generate.sh
. devcontainer-utils-init-github-cli;

# Check whether the user is in one of the allowed GitHub orgs
local allowed_orgs="${AWS_GITHUB_ORGS:-${VAULT_GITHUB_ORGS:-nvidia nv-morpheus nv-legate rapids}}";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason to hardcode this list?

The organization allow list is already defined in the AWS role policy. The gh nv-gha-aws tool will throw an error if an organization that is not on this list attempts to get credentials.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This list is override-able via envvar, so the orgs here are just defaults. This list is compared against the user's orgs, then only the orgs for which the user is a member are attempted.

features/src/utils/opt/devcontainer/bin/creds/s3/init.sh Outdated Show resolved Hide resolved
features/src/utils/opt/devcontainer/bin/creds/s3/persist.sh Show resolved Hide resolved
features/src/utils/opt/devcontainer/bin/creds/s3/persist.sh Show resolved Hide resolved
features/src/utils/opt/devcontainer/bin/creds/s3/vault/generate.sh
fi

# Check whether the user is in one of the allowed GitHub orgs
local allowed_orgs="${VAULT_GITHUB_ORGS:-nvidia nv-morpheus nv-legate rapids}";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same question about hardcoded orgs here.

@trxcllnt trxcllnt merged commit fc6947a into rapidsai:branch-24.10 Sep 19, 2024
236 of 240 checks passed
@trxcllnt trxcllnt deleted the fea/use-nv-gha-aws-extension branch September 19, 2024 18:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ajschmidt8 ajschmidt8 ajschmidt8 left review comments

@bdice bdice Awaiting requested review from bdice bdice is a code owner automatically assigned from rapidsai/packaging-codeowners

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@trxcllnt @ajschmidt8