Limit Coiled’s Access to AWS Resources¶
This article aims to provide you with some guidance on how to limit our access to your AWS resources and handle permissions in different phases of your pipeline.
Giving access¶
When you set up Coiled to use your AWS account, data is run within your VPC (see Resources). If you want to limit Coiled’s access to your AWS resources even further, you can do this with users and roles.
Tip
Most of the resources that Coiled creates will contain the tag owner: coiled
to allow you to identify what we created. See Tracking AWS resources.
By creating a user within your AWS account, you can give access to only those resources that you are comfortable sharing. Then you can create different roles that have a more restricted set of permissions.
Note
If you have an AWS Organization, you might need to follow the AWS documentation on creating an account in your organization.
Example: S3 restrictions¶
Let’s assume that you have created a coiled user in your AWS account. This
user has read permissions to an S3 bucket that you own, but you created a role
that doesn’t allow access to the bucket.
import coiled
import dask.dataframe as dd
from dask.distributed import Client
cluster = coiled.Cluster()
client = Client(cluster)
df = dd.read_csv("s3://your-s3-url-here")
If you switch to the role that doesn’t allow access to S3, the code above will fail with a permissions error.