Allow hatchery to assume configured image reader role

uc-cdis · Feb 27, 2024 · d76e341 · d76e341
1 parent c5c5486
commit d76e341
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/gen3/bin/kube-setup-hatchery.sh b/gen3/bin/kube-setup-hatchery.sh
@@ -27,15 +27,35 @@ then
     gen3 job cron distribute-licenses '* * * * *'
 fi
 
+# if `nextflow-global.imagebuilder-reader-role-arn` is set in hatchery config, allow hatchery
+# to assume the configured role
+imagebuilderRoleArn=$(g3kubectl get configmap manifest-hatchery -o jsonpath={.data.nextflow-global} | jq '."imagebuilder-reader-role-arn"')
+assumeImageBuilderRolePolicyBlock=""
+if [ -z "$imagebuilderRoleArn" ]; then
+    gen3_log_err "Info: No 'nexftlow-global.imagebuilder-reader-role-arn' configuration in Hatchery configuration, not granting AssumeRole"
+else
+    assumeImageBuilderRolePolicyBlock="""{
+        "Sid": "AssumeImageBuilderReaderRole",
+        "Effect": "Allow",
+        "Action": [
+            "sts:AssumeRole"
+        ],
+        "Resource": "$imagebuilderRoleArn"
+    },
+    """
+fi
+
 policy=$( cat <<EOM
 {
     "Version": "2012-10-17",
     "Statement": [
         {
+            "Sid": "AssumeCsocAdminRole",
             "Effect": "Allow",
             "Action": "sts:AssumeRole",
             "Resource": "arn:aws:iam::*:role/csoc_adminvm*"
         },
+        $assumeImageBuilderRolePolicyBlock
         {
             "Effect": "Allow",
             "Action": "ec2:*",