From 30abee9b3818b24f1ea0964b392e1263a8dbcfad Mon Sep 17 00:00:00 2001 
From: Brian McMahon
Date: Tue, 19 May 2026 14:50:20 -0700
Subject: [PATCH] feat(iam): Wave 3 PR2 add reference/price_cache/* to executor role grant
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ROADMAP P1 "predictor/ S3 namespace rationalization Wave 3" — companion to the producer write-both shipped in alpha-engine-data PR #270. Adds `reference/price_cache/*` to the existing ReadWritePredictorData statement on alpha-engine-executor-role's alpha-engine-s3-access inline policy so any code path reaching this scoped grant during the write-both soak can read the new prefix without an AccessDenied.

Mirrors the shape of Wave 1 PR #120 (executor IAM cleanup) but additive, not subtractive — Wave 4 cutover (after >=1 week clean soak) will be the inverse PR that drops both `predictor/price_cache/*` and `predictor/price_cache_slim/*` (also dead post-Wave-4 slim deletion arc) in one consolidated cleanup.

## Why only this one IAM file

Confirmed via cross-repo grep — only the alpha-engine executor role has a scoped grant on `predictor/price_cache/*`. All other repos that read this prefix (alpha-engine-predictor, alpha-engine-research, the alpha-engine-data spot instance role) use full-bucket grants (`alpha-engine-research/*`) so they need no change.

The executor role itself has not READ price_cache directly since the 2026-04-17 ArcticDB migration (PR alpha-engine #60), so this grant is vestigial — but until PR4 retires both legacy prefixes end-to-end, the additive scope keeps the namespace presence codified.

## Post-merge deploy step

    bash infrastructure/iam/apply.sh --role alpha-engine-executor-role \
      --policy alpha-engine-s3-access

(Mirrors Wave 1 #120's operator step. apply.sh runs `aws iam put-role-policy` to push the updated inline policy live; no code redeploy required.)

Composes with: alpha-engine-data PR #270 (Wave 3 PR1 producer write-both), Wave 1 #120 (template), and the in-flight Wave 4 slim-deletion IAM cleanup that this will roll into at cutover. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../iam/alpha-engine-executor-role/alpha-engine-s3-access.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/infrastructure/iam/alpha-engine-executor-role/alpha-engine-s3-access.json b/infrastructure/iam/alpha-engine-executor-role/alpha-engine-s3-access.json index cf08c5f..4cba482 100644 --- a/infrastructure/iam/alpha-engine-executor-role/alpha-engine-s3-access.json +++ b/infrastructure/iam/alpha-engine-executor-role/alpha-engine-s3-access.json @@ -43,7 +43,8 @@ "arn:aws:s3:::alpha-engine-research/predictor/predictions/*", "arn:aws:s3:::alpha-engine-research/predictor/price_cache/*", "arn:aws:s3:::alpha-engine-research/predictor/price_cache_slim/*", - "arn:aws:s3:::alpha-engine-research/predictor/metrics/*" + "arn:aws:s3:::alpha-engine-research/predictor/metrics/*", + "arn:aws:s3:::alpha-engine-research/reference/price_cache/*" ] }, {
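
Review bot: the added `arn:aws:s3:::alpha-engine-research/reference/price_cache/*` entry at the end of the Resource array lands in the statement the commit message names ReadWritePredictorData, so the executor role picks up every action that statement allows on the new prefix, writes included, while the stated need is only that a code path "can read the new prefix" and the message itself describes the role's price_cache access as vestigial. The Action list is outside the hunk context, so please confirm what it contains; if it includes `s3:PutObject` or `s3:DeleteObject`, put the new ARN in a separate read-only statement (`s3:GetObject` only) so the executor cannot modify objects the producer is writing during the soak, or leave the grant out until a reader on this role actually exists. Also note that an object-level `reference/price_cache/*` resource does not authorize `s3:ListBucket` on that prefix; if any path lists before reading, it needs a bucket-level statement with an `s3:prefix` condition, otherwise the AccessDenied this change is meant to avoid can still occur.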