Skip to content

Delete STS roles regularly #2344

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
May 9, 2025
Merged

Delete STS roles regularly #2344

merged 4 commits into from
May 9, 2025

Conversation

grusev
Copy link
Collaborator

@grusev grusev commented Apr 28, 2025
edited
Loading

Reference Issues/PRs

What does this implement or fix?

Due to limitation of STS roles number we should constantly do cleaning of failed to delete roles. The PR contains a scheduled job that would do that every Sa. The python script can also be executed at any time and will delete only roles created prior of today, leaving all currently running jobs unaffected

As roles cannot be guaranteed to be cleaned after tests execution due to many factors, we should take them out on regular bases, and perhaps this is the quickest and most reliable approach

Any other comments?

Checklist

Checklist for code changes...
  • Have you updated the relevant docstrings, documentation and copyright notice?
  • Is this contribution tested against all ArcticDB's features?
  • Do all exceptions introduced raise appropriate error messages?
  • Are API changes highlighted in the PR description?
  • Is the PR labelled as enhancement or bug so it appears in autogenerated release notes?

github-advanced-security[bot]
github-advanced-security bot found potential problems Apr 28, 2025
View reviewed changes
@grusev grusev added the patch Small change, should increase patch version label Apr 28, 2025
phoebusm
phoebusm requested changes Apr 28, 2025
View reviewed changes
python/utils/s3_roles_delete.py
print(f"Role {role} is from today, skipping it.")
else:
print(f"{i} DELETE role {role}. An old role")
delete_role(client, role)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Users should be cleaned up as well.
Please refer to def real_s3_sts_clean_up

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

addressed! We had >3000 active users!

@phoebusm
Copy link
Collaborator

I wonder why the roles not being cleaned up by real_s3_sts_clean_up. It's worth checking whether real_s3_sts_clean_up has done the job

poodlewars
poodlewars approved these changes May 9, 2025
View reviewed changes
Copy link
Collaborator

@poodlewars poodlewars left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks low risk so approving. Needs Phoebus' approval too.

@grusev grusev merged commit b808afa into master May 9, 2025
137 checks passed
@grusev grusev deleted the delete_sts_roles branch May 9, 2025 12:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@poodlewars poodlewars poodlewars approved these changes

@phoebusm phoebusm phoebusm approved these changes

@alexowens90 alexowens90 Awaiting requested review from alexowens90 alexowens90 is a code owner

@willdealtry willdealtry Awaiting requested review from willdealtry willdealtry is a code owner

Assignees
No one assigned
Labels
patch Small change, should increase patch version
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@grusev @phoebusm @poodlewars