Merge pull request #2608 from ASFHyP3/edc-s3-read

allow granting multiple principals s3 read access in edc deployments
ASFHyP3 · Feb 20, 2025 · 900d5dd · 900d5dd
2 parents 1413c1a + f28163c
commit 900d5dd
Show file tree

Hide file tree

Showing 8 changed files with 16 additions and 15 deletions.
diff --git a/.github/actions/deploy-hyp3/action.yml b/.github/actions/deploy-hyp3/action.yml
@@ -59,8 +59,8 @@ inputs:
   REQUIRED_SURPLUS:
     description: "Amount by which month-to-date budget must exceed month-to-date spending to increase fleet size, in dollars. Ignored when DefaultMaxvCpus = ExpandedMaxvCpus."
     required: true
-  ORIGIN_ACCESS_IDENTITY_ID:
-    description: "ID of the CloudFront Origin Access Identity used to access data in S3 for Earthdata Cloud deployments"
+  BUCKET_READ_PRINCIPALS:
+    description: "List of AWS IAM principals granted read access to data in S3 for Earthdata Cloud deployments"
     required: true
   SECURITY_ENVIRONMENT:
     description: "Modify resources/configurations for ASF (default), EDC, or JPL security environments"
@@ -99,8 +99,8 @@ runs:
           [ -z ${{ inputs.CERTIFICATE_ARN }} ] && export CERTIFICATE_ARN="" \
             || export CERTIFICATE_ARN="CertificateArn=${{ inputs.CERTIFICATE_ARN }}"
 
-          [ -z ${{ inputs.ORIGIN_ACCESS_IDENTITY_ID }} ] && export ORIGIN_ACCESS_IDENTITY_ID="" \
-            || export ORIGIN_ACCESS_IDENTITY_ID="OriginAccessIdentityId=${{ inputs.ORIGIN_ACCESS_IDENTITY_ID }}"
+          [ -z ${{ inputs.BUCKET_READ_PRINCIPALS }} ] && export BUCKET_READ_PRINCIPALS="" \
+            || export BUCKET_READ_PRINCIPALS="BucketReadPrincipals=${{ inputs.BUCKET_READ_PRINCIPALS }}"
 
           [ -z ${{ inputs.DISTRIBUTION_URL }} ] && export DISTRIBUTION_URL="" \
             || export DISTRIBUTION_URL="DistributionUrl=${{ inputs.DISTRIBUTION_URL }}"
@@ -123,7 +123,7 @@ runs:
                 AuthPublicKey='${{ inputs.AUTH_PUBLIC_KEY }}' \
                 $DOMAIN_NAME \
                 $CERTIFICATE_ARN \
-                $ORIGIN_ACCESS_IDENTITY_ID \
+                $BUCKET_READ_PRINCIPALS \
                 $DISTRIBUTION_URL \
                 DefaultCreditsPerUser='${{ inputs.DEFAULT_CREDITS_PER_USER }}' \
                 DefaultApplicationStatus='${{ inputs.DEFAULT_APPLICATION_STATUS }}' \

diff --git a/.github/workflows/deploy-daac.yml b/.github/workflows/deploy-daac.yml
@@ -104,7 +104,7 @@ jobs:
           EXPANDED_MAX_VCPUS: ${{ matrix.expanded_max_vcpus }}
           MONTHLY_BUDGET: ${{ secrets.MONTHLY_BUDGET }}
           REQUIRED_SURPLUS: ${{ matrix.required_surplus }}
-          ORIGIN_ACCESS_IDENTITY_ID: ${{ secrets.ORIGIN_ACCESS_IDENTITY_ID }}
+          BUCKET_READ_PRINCIPALS: ${{ secrets.BUCKET_READ_PRINCIPALS }}
           SECURITY_ENVIRONMENT: ${{ matrix.security_environment }}
           AMI_ID: ${{ matrix.ami_id }}
           INSTANCE_TYPES: ${{ matrix.instance_types }}

diff --git a/.github/workflows/deploy-enterprise-test.yml b/.github/workflows/deploy-enterprise-test.yml
@@ -135,7 +135,7 @@ jobs:
           EXPANDED_MAX_VCPUS: ${{ matrix.expanded_max_vcpus }}
           MONTHLY_BUDGET: ${{ secrets.MONTHLY_BUDGET }}
           REQUIRED_SURPLUS: ${{ matrix.required_surplus }}
-          ORIGIN_ACCESS_IDENTITY_ID: ${{ secrets.ORIGIN_ACCESS_IDENTITY_ID }}
+          BUCKET_READ_PRINCIPALS: ${{ secrets.BUCKET_READ_PRINCIPALS }}
           SECURITY_ENVIRONMENT: ${{ matrix.security_environment }}
           AMI_ID: ${{ matrix.ami_id }}
           INSTANCE_TYPES: ${{ matrix.instance_types }}

diff --git a/.github/workflows/deploy-enterprise.yml b/.github/workflows/deploy-enterprise.yml
@@ -293,7 +293,7 @@ jobs:
           EXPANDED_MAX_VCPUS: ${{ matrix.expanded_max_vcpus }}
           MONTHLY_BUDGET: ${{ secrets.MONTHLY_BUDGET }}
           REQUIRED_SURPLUS: ${{ matrix.required_surplus }}
-          ORIGIN_ACCESS_IDENTITY_ID: ${{ secrets.ORIGIN_ACCESS_IDENTITY_ID }}
+          BUCKET_READ_PRINCIPALS: ${{ secrets.BUCKET_READ_PRINCIPALS }}
           SECURITY_ENVIRONMENT: ${{ matrix.security_environment }}
           AMI_ID: ${{ matrix.ami_id }}
           INSTANCE_TYPES: ${{ matrix.instance_types }}

diff --git a/.github/workflows/deploy-multi-burst-sandbox.yml b/.github/workflows/deploy-multi-burst-sandbox.yml
@@ -72,7 +72,7 @@ jobs:
           EXPANDED_MAX_VCPUS: ${{ matrix.expanded_max_vcpus }}
           MONTHLY_BUDGET: ${{ secrets.MONTHLY_BUDGET }}
           REQUIRED_SURPLUS: ${{ matrix.required_surplus }}
-          ORIGIN_ACCESS_IDENTITY_ID: ${{ secrets.ORIGIN_ACCESS_IDENTITY_ID }}
+          BUCKET_READ_PRINCIPALS: ${{ secrets.BUCKET_READ_PRINCIPALS }}
           SECURITY_ENVIRONMENT: ${{ matrix.security_environment }}
           AMI_ID: ${{ matrix.ami_id }}
           INSTANCE_TYPES: ${{ matrix.instance_types }}

diff --git a/.github/workflows/deploy-opera-disp-sandbox.yml b/.github/workflows/deploy-opera-disp-sandbox.yml
@@ -71,7 +71,7 @@ jobs:
           EXPANDED_MAX_VCPUS: ${{ matrix.expanded_max_vcpus }}
           MONTHLY_BUDGET: ${{ secrets.MONTHLY_BUDGET }}
           REQUIRED_SURPLUS: ${{ matrix.required_surplus }}
-          ORIGIN_ACCESS_IDENTITY_ID: ${{ secrets.ORIGIN_ACCESS_IDENTITY_ID }}
+          BUCKET_READ_PRINCIPALS: ${{ secrets.BUCKET_READ_PRINCIPALS }}
           SECURITY_ENVIRONMENT: ${{ matrix.security_environment }}
           AMI_ID: ${{ matrix.ami_id }}
           INSTANCE_TYPES: ${{ matrix.instance_types }}

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 - The `AUTORIFT_ITS_LIVE` job type now accepts Sentinel-1 burst products.
+- The `OriginAccessIdentityId` has been renamed to `BucketReadPricipals` and now accepts multiple values.
 
 ## [9.4.0]
 

diff --git a/apps/main-cf.yml.j2 b/apps/main-cf.yml.j2
@@ -94,9 +94,9 @@ Parameters:
     Type: String
 
   {% else %}
-  OriginAccessIdentityId:
-    Description: ID of the CloudFront Origin Access Identity used to access data in S3 for Earthdata Cloud deployments
-    Type: String
+  BucketReadPrincipals:
+    Description: List of AWS IAM principals granted read access to data in S3 for Earthdata Cloud deployments
+    Type: CommaDelimitedList
 
   DistributionUrl:
     Type: String
@@ -304,7 +304,7 @@ Resources:
           - Effect: Allow
             {% if security_environment == 'EDC' %}
             Principal:
-              AWS: !Sub "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${OriginAccessIdentityId}"
+              AWS: !Ref BucketReadPrincipals
             {% else %}
             Principal: "*"
             {% endif %}
@@ -315,7 +315,7 @@ Resources:
           - Effect: Allow
             {% if security_environment == 'EDC' %}
             Principal:
-              AWS: !Sub "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${OriginAccessIdentityId}"
+              AWS: !Ref BucketReadPrincipals
             {% else %}
             Principal: "*"
             {% endif %}