feat: Jupyterhub cognito fine grained access control #380
Conversation
dorukozturk
temporarily deployed
to
DoEKS Test
GitHub Actions
Inactive
dorukozturk
changed the title
There was a problem hiding this comment.
@dorukozturk PR is fantastic and much needed by customers.
Just some minor notes but otherwise looking great.
| } | ||
| } | ||
|
|
||
| resource "aws_lambda_function" "pretoken_trigger" { |
There was a problem hiding this comment.
Create only if cognito is used.
There was a problem hiding this comment.
var.jupyter_hub_auth_mechanism == "cognito" ? 1 : 0 @dorukozturk
| }) | ||
| } | ||
|
|
||
| resource "aws_iam_role_policy" "s3_cognito_engineering_policy" { |
There was a problem hiding this comment.
Create only if cognito is used.
| EOF | ||
| } | ||
|
|
||
| resource "aws_cognito_identity_pool_provider_principal_tag" "example" { |
There was a problem hiding this comment.
Create only if cognito is used.
| } | ||
| } | ||
|
|
||
| resource "aws_iam_policy_attachment" "s3_readonly_policy_attachment" { |
There was a problem hiding this comment.
Create only if cognito is used.
| roles = [aws_iam_role.cognito_authenticated_engineering_role[0].name] | ||
| } | ||
|
|
||
| resource "aws_cognito_identity_pool_roles_attachment" "identity_pool_roles" { |
There was a problem hiding this comment.
Create only if cognito is used.
|
|
||
| cognito_config.py: |- |
There was a problem hiding this comment.
Very cool!!
@lusoal this is similar to what we discussed at KubeCon.
There was a problem hiding this comment.
This is very similar to what we have discussed, congrats on the PR @dorukozturk amazing
dorukozturk
temporarily deployed
to
DoEKS Test
GitHub Actions
Inactive
| } | ||
| } | ||
|
|
||
| resource "aws_lambda_function" "pretoken_trigger" { |
There was a problem hiding this comment.
var.jupyter_hub_auth_mechanism == "cognito" ? 1 : 0 @dorukozturk
|
|
||
| cognito_config.py: |- |
There was a problem hiding this comment.
This is very similar to what we have discussed, congrats on the PR @dorukozturk amazing
|
I added the conditionals ! Thanks for all the kind words and fast reviews :) |
dorukozturk
temporarily deployed
to
DoEKS Test
GitHub Actions
Inactive
|
Fixed the index errors |
What does this PR do?
This PR creates a cognito identity pool, creates an iam role that is tied to the cognito user and injects credentials to the spawner using auth hooks. This way customers can manage all of their users through cognito and assign iam roles to the notebooks themselves for principle of least privilege.
🛑 Please open an issue first to discuss any significant work and flesh out details/direction - we would hate for your time to be wasted.
Consult the CONTRIBUTING guide for submitting pull-requests.
Motivation
More
website/docsorwebsite/blogsection for this featurepre-commit run -awith this PR. Link for installing pre-commit locallyFor Moderators
Additional Notes