
feat(iam): Wave 3 PR2 add reference/price_cache/* to executor role grant#197

Merged
cipher813 merged 1 commit into
mainfrom
feat/wave3-pr2-iam-reference-price-cache
May 19, 2026

Conversation


@cipher813 cipher813 commented May 19, 2026

ROADMAP P1 "predictor/ S3 namespace rationalization Wave 3" — companion to the producer write-both shipped in alpha-engine-data PR #270. Adds reference/price_cache/* to the existing ReadWritePredictorData statement on the executor role's alpha-engine-s3-access inline policy.

What this does

Single ARN addition — keeps the namespace presence codified on the executor role during the write-both soak so any code path still reaching this scoped grant (vestigial or future) can hit both prefixes without AccessDenied.

                 "arn:aws:s3:::alpha-engine-research/predictor/weights/*",
                 "arn:aws:s3:::alpha-engine-research/predictor/predictions/*",
                 "arn:aws:s3:::alpha-engine-research/predictor/price_cache/*",
                 "arn:aws:s3:::alpha-engine-research/predictor/price_cache_slim/*",
-                "arn:aws:s3:::alpha-engine-research/predictor/metrics/*"
+                "arn:aws:s3:::alpha-engine-research/predictor/metrics/*",
+                "arn:aws:s3:::alpha-engine-research/reference/price_cache/*"
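Review bot: the new ARN is appended to the ReadWritePredictorData statement, so the executor role receives write as well as read access on reference/price_cache/* even though the description states the role has not read price_cache directly since the ArcticDB migration and calls the grant vestigial; if the write-both soak only needs the executor to be able to read the new prefix, place the ARN under a read-only statement (or leave a comment in the policy recording why write is retained) so that the PR4 cleanup removes the smallest grant possible. The hunk also shows only the Resource list; including the statement's Sid and Action lines as context would let a reviewer confirm from the diff alone which actions the new prefix inherits.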

Why this is the only IAM file touched

Cross-repo grep confirmed only the alpha-engine executor role has a scoped grant on predictor/price_cache/*. Predictor + research roles use full-bucket grants (arn:aws:s3:::alpha-engine-research/*) so they don't need editing. The executor role itself hasn't read price_cache directly since the 2026-04-17 ArcticDB migration (alpha-engine #60), so this grant is vestigial — but until PR4 retires both legacy prefixes end-to-end, the additive scope keeps the namespace codified.

⚠️ Deploy step runs PRE-merge, not post-merge

The IAM Drift Check CI job fails on the first push because it compares codified vs live AWS. This PR makes codified ≠ live until apply.sh runs against AWS — same pattern Wave 1 #120 used. Run before merging:

bash infrastructure/iam/apply.sh --role alpha-engine-executor-role --policy alpha-engine-s3-access

Then re-run the failed IAM Drift Check job from the Actions UI (or push a no-op commit). Drift will resolve, CI will pass, merge.

Wave 3 sequencing

| PR | Repo | Status |
|----|------|--------|
| PR1 — producer write-both | alpha-engine-data #270 | Open |
| PR2 — IAM ARN add | alpha-engine (this) | Open — apply.sh PRE-merge |
| PR3+ — reader migrations (4 repos) | post-≥1wk soak | Pending |
| PR4 — cutover (drop legacy, aws s3 rm) | post-PR3 | Pending |

🤖 Generated with Claude Code
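The description relies on an "IAM Drift Check" job that compares the codified inline policy against what is live in AWS, and on apply.sh pushing the codified document with `aws iam put-role-policy`. The following is an added example of such a codified-vs-live comparison, written for this page; it is not the repository's apply.sh or CI job. The ReadWritePredictorData statement is rebuilt from the ARNs in the hunk above, but its Action list (`s3:GetObject`/`s3:PutObject`) is an assumption, and the "live" document is a constructed sample standing in for what `iam.get_role_policy(RoleName=..., PolicyName=...)` would return before apply.sh runs. Statements are compared as sets so that list ordering never registers as drift, and a second check flags any bucket-wide `<bucket>/*` grant, since the description's argument for touching only this file rests on the executor role staying on scoped prefixes.

```python
"""Codified-vs-live IAM inline-policy drift check (added example, not
project code). The live document is a constructed sample; a real run would
fetch it with boto3: iam.get_role_policy(RoleName=..., PolicyName=...)
and read the "PolicyDocument" key of the response."""
import json

BUCKET_ARN = "arn:aws:s3:::alpha-engine-research"

# Constructed: the codified statement after this PR. Sid, bucket and
# resource prefixes come from the PR; the Action list is an assumption.
CODIFIED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadWritePredictorData",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": [
                f"{BUCKET_ARN}/predictor/weights/*",
                f"{BUCKET_ARN}/predictor/predictions/*",
                f"{BUCKET_ARN}/predictor/price_cache/*",
                f"{BUCKET_ARN}/predictor/price_cache_slim/*",
                f"{BUCKET_ARN}/predictor/metrics/*",
                f"{BUCKET_ARN}/reference/price_cache/*",
            ],
        }
    ],
}

# Constructed: the live policy before apply.sh runs (same statement minus
# the new ARN; lists deliberately reordered to show order is not drift).
LIVE_POLICY_BEFORE_APPLY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadWritePredictorData",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject"],
            "Resource": [
                f"{BUCKET_ARN}/predictor/metrics/*",
                f"{BUCKET_ARN}/predictor/weights/*",
                f"{BUCKET_ARN}/predictor/predictions/*",
                f"{BUCKET_ARN}/predictor/price_cache/*",
                f"{BUCKET_ARN}/predictor/price_cache_slim/*",
            ],
        }
    ],
}


def _as_list(value):
    """IAM accepts a bare string (or a single statement object) where a
    list is allowed; normalize to a list so comparisons are uniform."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def statements_by_sid(policy):
    """Index statements by Sid. Actions are case-insensitive in IAM, so they
    are lower-cased; S3 object ARNs are case-sensitive and kept verbatim."""
    indexed = {}
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid") or json.dumps(stmt, sort_keys=True)
        indexed[sid] = {
            "Effect": stmt.get("Effect"),
            "Action": frozenset(a.lower() for a in _as_list(stmt.get("Action"))),
            "Resource": frozenset(_as_list(stmt.get("Resource"))),
        }
    return indexed


def drift(codified, live):
    """Per-Sid differences between codified and live. Empty dict == no drift."""
    c, l = statements_by_sid(codified), statements_by_sid(live)
    report = {}
    for sid in sorted(set(c) | set(l)):
        if sid not in l:
            report[sid] = {"missing_live": True}
            continue
        if sid not in c:
            report[sid] = {"missing_codified": True}
            continue
        diff = {}
        for key in ("Action", "Resource"):
            not_yet_live = sorted(c[sid][key] - l[sid][key])
            only_live = sorted(l[sid][key] - c[sid][key])
            if not_yet_live or only_live:
                diff[key] = {"not_yet_live": not_yet_live, "only_live": only_live}
        if c[sid]["Effect"] != l[sid]["Effect"]:
            diff["Effect"] = {"codified": c[sid]["Effect"], "live": l[sid]["Effect"]}
        if diff:
            report[sid] = diff
    return report


def full_bucket_grants(policy, bucket_arn=BUCKET_ARN):
    """Sids that grant the whole bucket (`<bucket>/*`); a scoped role such as
    the executor should return an empty list here."""
    wide = f"{bucket_arn}/*"
    return sorted(sid for sid, s in statements_by_sid(policy).items() if wide in s["Resource"])


if __name__ == "__main__":
    print(json.dumps(drift(CODIFIED_POLICY, LIVE_POLICY_BEFORE_APPLY), indent=2))
    print("bucket-wide grants:", full_bucket_grants(CODIFIED_POLICY))
```

Against the constructed samples the report names only the single ARN this PR adds under `not_yet_live`, which is exactly the state the description says the CI job will flag until apply.sh has run; once the live document matches, `drift` returns an empty dict and the job can pass.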

ROADMAP P1 "predictor/ S3 namespace rationalization Wave 3" — companion to
the producer write-both shipped in alpha-engine-data PR #270. Adds
`reference/price_cache/*` to the existing ReadWritePredictorData statement
on alpha-engine-executor-role's alpha-engine-s3-access inline policy so any
code path reaching this scoped grant during the write-both soak can read
the new prefix without an AccessDenied.

Mirrors the shape of Wave 1 PR #120 (executor IAM cleanup) but additive,
not subtractive — Wave 4 cutover (after >=1 week clean soak) will be the
inverse PR that drops both `predictor/price_cache/*` and
`predictor/price_cache_slim/*` (also dead post-Wave-4 slim deletion arc)
in one consolidated cleanup.

## Why only this one IAM file

Confirmed via cross-repo grep — only the alpha-engine executor role has a
scoped grant on `predictor/price_cache/*`. All other repos that read this
prefix (alpha-engine-predictor, alpha-engine-research, the alpha-engine-data
spot instance role) use full-bucket grants (`alpha-engine-research/*`) so
they need no change. The executor role itself has not READ price_cache
directly since the 2026-04-17 ArcticDB migration (PR alpha-engine #60), so
this grant is vestigial — but until PR4 retires both legacy prefixes
end-to-end, the additive scope keeps the namespace presence codified.

## Post-merge deploy step

  bash infrastructure/iam/apply.sh --role alpha-engine-executor-role \
                                   --policy alpha-engine-s3-access

(Mirrors Wave 1 #120's operator step. apply.sh runs `aws iam put-role-policy`
to push the updated inline policy live; no code redeploy required.)

Composes with: alpha-engine-data PR #270 (Wave 3 PR1 producer write-both),
Wave 1 #120 (template), and the in-flight Wave 4 slim-deletion IAM cleanup
that this will roll into at cutover.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@cipher813 cipher813 merged commit 9c65561 into main May 19, 2026
5 of 7 checks passed
@cipher813 cipher813 deleted the feat/wave3-pr2-iam-reference-price-cache branch May 19, 2026 22:18