Narrow down AWS permissions needed for lambda executor

[yuvipanda]

Hello! Love the project, and am looking forward to playing with this more :)

I'm thinking about how to best integrate lithops (and cubed via that) into a working JupyterHub. We can attach AWS policies to JupyterHubs, and provide additional policy there. I like that we already have a policy generated in https://lithops-cloud.github.io/docs/source/compute_config/aws_lambda.html!

However, I see it has pretty broad permissions. In particular, the ec2:* one feels like a lot! Especially when we are granting users on a JupyterHub access, as the same identity is shared by all users.

I'd love for all those * permissions to be more narrowly scoped. And if those can be presented by the project itself, that's helpful because there's a single source of truth for those permissions.

Thank you for the wonderful project!

[JosepSampe]

Hi @yuvipanda, If you don’t need to access EC2, you can safely remove the ec2:* entry. We initially created this generic policy to support all AWS backends, but as you mentioned, if EC2 access from Lambda isn’t required in your case, it’s fine to exclude it.

I'll be updating the policy for each AWS backend to define more specific permissions. Thanks for reporting this!

[yuvipanda]

Aaah that makes sense, @JosepSampe!

If I was primarily interested in using this with cubed, I supposed it would be up to cubed to provide an IAM policy for specific executors (like lithops+lambda) because cubed may be using different aspects? And lithops is generic enough that such a thing would not belong here? Or would it be up to lithops to provide different IAM policies per backend?

[JosepSampe]

Since Cubed uses specific features or services, it makes sense for Cubed itself to provide the IAM policies tailored for its executors (like Lithops + Lambda) to cover those needs. Lithops could offer some baseline or example IAM policies for common backends, but ultimately the responsibility for the exact permissions needed per executor would lie with the project using Lithops (like Cubed).