Per-Entity Metadata Working Group

[Christopher Hubing <>]

On Thu, 13 Oct 2016, Tom Scavo wrote:

> > that would push these signed entity descriptors out. Right now, this just
> > grabs the aggregate from
> > http://md.incommon.org/InCommon/InCommon-metadata.xml and pushes it into
> > DynamoDB.
>
> Right, let me explain a bit more. The MDQ server doesn't do anything
> except serve static files according to the spec (which is pretty much
> what Scott was saying). Ops will sign the metadata on current
> infrastructure and push the signed files to the MDQ server. In your
> case, it seems the files need to be pushed directly into DynamoDB. Can
> that be done remotely?

Yep, that can be done in a couple different ways depending on how best it 
would integrate with the new process. But, easily doable I think.

And, an IAM policy could be created for that process that would only 
allow it to modify that specific table.

e.g.:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dynamodb:PutItem",
                "dynamodb:Scan",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:DeleteItem"
            ],
            "Effect": "Allow",
            "Resource":
                "arn:aws:dynamodb:us-east-1::table/mdq"
        }
    ]
}



> Tom