I want to push a strict snap called ekstest (currently under naming review). That snap can be used to test AWS EKS clusters. The snap needs to have access to some AWS related configuration files because the snap uses tools like aws-cli and eksctl which require access to files in ~/.aws.
The plugs look like this (similar to the plugs defined in e.g. the awspub snap; see "Personal-files request for awspub" for the request there):
The snap also needs access to the ssh public keys (through the ssh-public-keys interface) to push the key to AWS (to be able to later access the instances).
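For readers unfamiliar with the two interfaces discussed in this thread, the following snapcraft.yaml fragment is an added illustration, not the ekstest snap's actual declaration (which the post above does not reproduce). The plug name aws-config-files, the choice of read-only access, and the two file paths are assumptions based on what aws-cli conventionally reads; the snap's real plug may differ.

```yaml
# Added example of a personal-files plug and an ssh-public-keys plug
# (illustrative only; not the ekstest snap's real snapcraft.yaml).
name: ekstest
base: core22
confinement: strict

plugs:
  # Plug name is assumed. personal-files grants access to specific paths
  # under $HOME; listing the two credential/config files rather than the
  # whole ~/.aws directory keeps the grant as narrow as possible.
  aws-config-files:
    interface: personal-files
    read:
      - $HOME/.aws/config
      - $HOME/.aws/credentials

apps:
  ekstest:
    command: bin/ekstest
    plugs:
      - aws-config-files
      # ssh-public-keys is a store-defined interface exposing ~/.ssh/*.pub
      - ssh-public-keys
      - network
```

Without a store-approved auto-connection, a user would have to run `snap connect ekstest:aws-config-files` and `snap connect ekstest:ssh-public-keys` after installing; `snap connections ekstest` shows whether each plug is connected.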
Given that snap is using aws-cli and eksctl, +1 from me for auto-connect of these personal-files plugs pending publisher vetting. Similarly to this comment from the topic linked, the snap should also clarify in the description that it is a canonical snap and point out the description of the config (like you did with aws-cli docs).
Similarly, +1 for auto-connecting ssh-public-keys as this makes sense for the purpose of the snap. Again, it should be explained how ekstest is configured with regard to ssh connections, similar to here. What do other @reviewers think?
Tom is out on vacation for a bit, so I wanted to poke at this and see if there is anything else needed from our side? It looks like we’re just waiting on more +1s
In general we only grant auto-connection of personal-files to snaps that clearly own the directory. In this case, ekstest does not look like the clear owner of the ~/.aws directory to me. Thus, I would like to ask how much trouble it would cause on your side to only grant manual-connection rather than auto-connection.
ekstest is as much of an owner of the ~/.aws directory as any of our other aws-specific tools. That directory (or more specifically the files listed in the autoconnect) contains credentials and configuration for the aws api. ekstest, like awsmp and awspub, is exclusively for interacting with the aws api and has no function without these files.
Just to be clear, I don’t agree with the statement that ekstest is the owner of ~/.aws, it just needs access to the aws credentials to bring its expected functionality.
AFAIK, ~/.aws is known to be used by Amazon tools to store aws credentials, so it is hard to argue that a snap not published by Amazon is the owner of the directory. With that in mind and considering the sensitivity of the information (credentials), in the most general scenario I would only vote for manual connection and I would let the user decide whether to connect or not.
However, under certain conditions, we can also grant auto-connection to directories not clearly owned by the snap. Looking at the awsmp and awspub snaps, it should not be surprising that an application with that name and functionality requires access to aws configuration/credentials.
For ekstest it is a bit less obvious. However, IF auto-connection is strictly needed I could still vote for it considering that:
the snap name includes the test keyword and it would probably be ignored by anyone not specifically looking for it.
the snap name includes eks, which should make it evident for anyone familiar with the AWS ecosystem that access to the ~/.aws directory is required.
According to the previous reasoning +1 from me for granting auto-connection to the requested personal-files interfaces.
+2 for, 0 against. The publisher is vetted. This is now live.