
AWS trust policy limit of 2048 chars

Open huydhn opened this issue 1 year ago • 1 comment

I learned today that AWS limits the trust policy in an OIDC role to 2048 chars https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#autoapproved, and we are going to hit that limit sooner or later in Nova upload binaries https://github.com/pytorch/test-infra/blob/main/.github/workflows/_binary_upload.yml#L82

In the current setup, a new repo onboarding to Nova will need to be added explicitly into the trust policy, i.e. D64996473, and the list will continue to grow over time. The limit can be raised to 4096 chars, but it's not a long-term solution. So, we need to explore better alternatives:

  • Grant the permission to all PyTorch repos by default, i.e. repo:pytorch/*:environment:pytorchbot-env (is this a valid syntax?)
  • Split the role into multiple smaller ones, i.e. arn:aws:iam::749337293305:role/gha_workflow_nightly_build_wheels_000, arn:aws:iam::749337293305:role/gha_workflow_nightly_build_wheels_001, and try them out one by one in the workflow
  • Ask AWS for a really high limit that we are sure we are not going to hit it ever

cc @atalman @malfet @seemethere @ZainRizvi

huydhn avatar Oct 25 '24 22:10 huydhn
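The following is an added example written for this page, not code from the test-infra repo or from the issue author. It models the two trust-policy shapes the issue compares (one exact `sub` value per onboarded repo under `StringEquals`, versus a single org-wide `StringLike` pattern), measures each against the 2048-character quota, and checks which GitHub OIDC `sub` claims each shape would accept. The account id, the `r000…` repo names used for sizing, and the sample `sub` claims are constructed for illustration; `pytorchbot-env` is the environment name from the issue. Policy length is measured as minified JSON, on the assumption that this approximates how IAM counts characters against the quota.

```python
import json
import re

# Default IAM quota for a role trust policy (can be raised to 4096 on request).
TRUST_POLICY_QUOTA = 2048
GITHUB_OIDC = "token.actions.githubusercontent.com"
# Assumed account id for illustration only; not the account from the issue.
OIDC_PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"


def trust_policy(sub_patterns, operator):
    """Trust policy letting GitHub Actions assume the role only when the token's
    aud is sts.amazonaws.com and its sub claim satisfies `operator` against
    `sub_patterns` (a string or a list of strings)."""
    condition = {"StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"}}
    # setdefault keeps the aud check when operator is also StringEquals.
    condition.setdefault(operator, {})[f"{GITHUB_OIDC}:sub"] = sub_patterns
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": OIDC_PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


def per_repo_policy(repos, env="pytorchbot-env"):
    """Current approach: one exact sub value per onboarded pytorch repo."""
    subs = [f"repo:pytorch/{r}:environment:{env}" for r in repos]
    return trust_policy(subs, "StringEquals")


def org_wildcard_policy(env="pytorchbot-env"):
    """Proposed approach: one StringLike pattern covering every repo in the org."""
    return trust_policy(f"repo:pytorch/*:environment:{env}", "StringLike")


def policy_length(policy):
    """Character count of the minified policy document."""
    return len(json.dumps(policy, separators=(",", ":")))


def exceeds_quota(policy, quota=TRUST_POLICY_QUOTA):
    return policy_length(policy) > quota


def repos_until_quota(repo_name_len=12, env="pytorchbot-env", quota=TRUST_POLICY_QUOTA):
    """Smallest number of repos (with names of repo_name_len chars) whose explicit
    sub list no longer fits in `quota`."""
    n = 1
    while True:
        repos = [f"r{i:0{repo_name_len - 1}d}" for i in range(n)]  # constructed names
        if exceeds_quota(per_repo_policy(repos, env), quota):
            return n
        n += 1


def string_like(pattern, value):
    """IAM StringLike semantics: '*' matches any run of characters, '?' one char."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def allowed_by(policy, sub):
    """Would a token carrying this sub claim satisfy the policy's sub condition?"""
    cond = policy["Statement"][0]["Condition"]
    key = f"{GITHUB_OIDC}:sub"
    if key in cond.get("StringEquals", {}):
        values = cond["StringEquals"][key]
        values = [values] if isinstance(values, str) else values
        return sub in values
    patterns = cond["StringLike"][key]
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(string_like(p, sub) for p in patterns)


if __name__ == "__main__":
    print("wildcard policy chars:", policy_length(org_wildcard_policy()))
    print("explicit list overflows 2048 at", repos_until_quota(), "repos")
    for sub in (
        "repo:pytorch/test-infra:environment:pytorchbot-env",   # constructed
        "repo:pytorch/test-infra:ref:refs/heads/main",          # constructed
        "repo:someone-else/test-infra:environment:pytorchbot-env",  # constructed
    ):
        print(sub, "->", allowed_by(org_wildcard_policy(), sub))
```

Two things worth checking before switching to the wildcard form: the `sub` claim for an environment-scoped job is `repo:ORG/REPO:environment:NAME`, so `repo:pytorch/*:environment:pytorchbot-env` under `StringLike` matches every repo in the pytorch org and nothing outside it, and jobs in those repos that do not run in that environment still fail the condition. The trade-off is that the gate moves from the trust policy to GitHub: any repo in the org whose admin creates an environment named `pytorchbot-env` can assume the role, so environment-creation permissions in the org become part of the trust boundary.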

Not sure if this is still a high-priority item, so I will put it back to cold storage

huydhn avatar Jan 21 '25 21:01 huydhn