
Grant a workflow write permission to DynamoDB

Huy Do edited this page Nov 19, 2024 · 1 revision

This short wiki page explains the steps to grant a workflow write permission to a DynamoDB table. A common use case is updating or deleting records in a DynamoDB table; the changes are then replicated to the corresponding ClickHouse table for querying. Note that if the data is immutable (insert only), S3 is preferred and you should look at https://github.com/pytorch/test-infra/wiki/Grant-a-workflow-permission-to-upload-files-to-S3 instead.

If you have not done so yet, please take a look at https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services to get an understanding of how OIDC works in GitHub workflows.

  1. Submit a PR to create a new DynamoDB table in https://github.com/pytorch-labs/pytorch-gha-infra/blob/main/runners/dynamo.tf, and remember to enable streaming by setting stream_enabled to true. The stream is the mechanism the DynamoDB replicator lambda uses to replicate changes to ClickHouse.
  2. Submit a PR to create a new OIDC role with permission to write to the table, for example https://github.com/pytorch-labs/pytorch-gha-infra/pull/422.
  3. Use the new role in your workflow, for example https://github.com/pytorch/pytorch/pull/129544, and start writing into DynamoDB.
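As an added illustration of steps 1 and 2 (not code from pytorch-gha-infra), the Terraform below declares a streamed table and an OIDC role whose trust policy is pinned to one repository and whose permissions cover write actions on that single table only. The table, role and repository names are assumptions, the account id in the provider ARN is a placeholder, and the GitHub OIDC provider is assumed to already be registered in the account.

```hcl
resource "aws_dynamodb_table" "example_events" {
  name         = "example-events" # assumed table name
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "pk"
  attribute {
    name = "pk"
    type = "S"
  }
  # Streams are what the replicator lambda reads to mirror changes to ClickHouse.
  stream_enabled   = true
  stream_view_type = "NEW_AND_OLD_IMAGES"
}
# Trust policy: only tokens minted for AWS STS by workflows in the named repository may assume the role.
data "aws_iam_policy_document" "assume" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type = "Federated"
      # Assumes the GitHub OIDC provider is already registered; the account id is a placeholder.
      identifiers = ["arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:example-org/example-repo:*"] # assumed repo; narrow to a branch or environment where possible
    }
  }
}

resource "aws_iam_role" "dynamo_writer" {
  name               = "example-dynamo-writer" # assumed role name
  assume_role_policy = data.aws_iam_policy_document.assume.json
}

# Permission policy: write actions on this one table only; no read, scan or stream access.
data "aws_iam_policy_document" "write" {
  statement {
    actions   = ["dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem"]
    resources = [aws_dynamodb_table.example_events.arn]
  }
}
resource "aws_iam_role_policy" "write" {
  role   = aws_iam_role.dynamo_writer.id
  policy = data.aws_iam_policy_document.write.json
}
```

The workflow that assumes this role needs `id-token: write` in its permissions block, and any token whose `sub` claim does not match the configured repository pattern is rejected at AssumeRoleWithWebIdentity time.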