#12144 Add support for creating RDS instances under `testing-farm-` prefix
Opened 7 months ago by mvadkert. Modified a month ago

We would like to move our databases to Amazon RDS. Could we get permissions to be able to create, remove and list all RDS instances with some prefix please?


Metadata Update from @phsmoura:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: low-gain, low-trouble, ops

7 months ago

We must have missed this one, @dkirwan do you want to take this?

Metadata Update from @dkirwan:
- Issue assigned to dkirwan

2 months ago

Hi @mvadkert can you provide a little more information as to the request. How many RDS instances might be required, and how much storage are we talking about here?

You basically want CRUD permissions on an IAM user. You want to manage them yourselves? Do you have an IAM user already in mind for which these permissions can be attached?

> Hi @mvadkert can you provide a little more information as to the request. How many RDS instances might be required

2 long-running, infrastructure CI will be creating some short-term ones. Currently we work with a limit of 20 on load balancers, so I would say 20 tops should be fine.

> , and how much storage are we talking about here?

The production has 12GB data, we believe it to grow ~4Gi a year, so we should be fine with 100Gi.

Staging is <1Gi, dev instances the same.

> You basically want CRUD permissions on an IAM user. You want to manage them yourselves? Do you have an IAM user already in mind for which these permissions can be attached?

So to clarify (or your comment was cut off?): you want us to add IAM perms to allow to manage RDS instances right?
You don't want us to set up or deal with them?

I think that's fine.

Probably a new policy 'fedora-ci-rds' and attach to the aws-fedora-ci role right?

The more setup we can do ourselves, the better :)

@mvadkert can you give this a go and check now, I've added permissions to access RDS resources in the aws-fedora-ci role.

Hmm so the aws-fedora-ci role has 10 policies currently attached which is a limit apparently.

Getting the following error when I tried to attach a new one 'fedora-ci-rds' "Cannot exceed quota for PoliciesPerRole error".

Hmm reading the AWS docs, I'm also not seeing the correct item to request a quota increase in the available list of things we can request quota increases on. It might be something to do with the way the organisation permissions are configured. (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html).

Might be better to re-architect how we're implementing these roles in AWS but in the meanwhile I've added these RDS permissions to the 'fedora-ci-ec2' policy instead.

Huh, I didn't know about the default 10 policy limit. ;(

Yeah, we may want to consider how to rework things to use less and be more consistent.

Amusingly you can only see these quotas on us-east-1. It confused me because it just doesn't exist anywhere else. ;)

It looks like this is only adjustable at the 'account' level, so we would have to talk to @davdunc about it.
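
A check for the situation discussed in this thread, where RDS permissions were merged into the existing 'fedora-ci-ec2' policy: this is an added example, not code from the ticket or from Fedora's infrastructure, that flags Allow statements whose mutating RDS actions can reach DB instances outside the `testing-farm-` prefix. The sample policy, its Sids and the read-only action prefixes are constructed assumptions.

```python
from fnmatch import fnmatchcase

PREFIX = "testing-farm-"  # instance-name prefix from the ticket title
READ_ONLY = ("rds:describe", "rds:list")  # assumed read-only action prefixes

# Constructed sample: an EC2 policy with RDS statements merged into it.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Ec2", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Sid": "RdsScoped", "Effect": "Allow",
         "Action": ["rds:CreateDBInstance", "rds:DeleteDBInstance"],
         "Resource": "arn:aws:rds:*:*:db:testing-farm-*"},
        {"Sid": "RdsList", "Effect": "Allow",
         "Action": "rds:DescribeDBInstances", "Resource": "*"},
        {"Sid": "RdsBroad", "Effect": "Allow",
         "Action": "rds:*", "Resource": "arn:aws:rds:*:*:db:*"},
    ],
}

def as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)

def escapes_prefix(resource, prefix=PREFIX):
    """True if this Resource pattern can name a DB instance outside the prefix."""
    parts = resource.split(":", 6)  # arn:partition:rds:region:account:db:name
    if len(parts) > 2 and not fnmatchcase("rds", parts[2]):
        return False                      # ARN of another service
    if len(parts) < 7:
        return parts[-1].endswith("*")    # "*" or a truncated wildcard ARN
    if not fnmatchcase("db", parts[5]):
        return False                      # other RDS type, e.g. subgrp
    return parts[5] != "db" or not parts[6].startswith(prefix)

def unscoped_rds_statements(policy, prefix=PREFIX):
    """List (Sid, actions, resources) for Allow statements whose mutating RDS
    actions reach instances outside the prefix. Conditions are not evaluated."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a for a in as_list(stmt.get("Action", []))
                   if (a == "*" or a.lower().startswith("rds:"))
                   and not a.lower().startswith(READ_ONLY)]
        broad = [r for r in as_list(stmt.get("Resource", []))
                 if escapes_prefix(r, prefix)]
        if actions and broad:
            findings.append((stmt.get("Sid", "?"), actions, broad))
    return findings
```

Statements that use NotAction, NotResource or Condition keys are outside what this check evaluates and need a manual read.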


Metadata
Boards 1
ops Status: Backlog