Listing snapshots when using the AWS EBS CSI Driver returns all snapshots that are available to me, which includes thousands of public snapshots. I want to limit this to just snapshots that are in my account, or were created by me, or were created by the driver.
Digging into the driver, I found the listing is implemented using the DescribeSnapshots function. It states the following:
If no options are specified, Amazon EC2 returns all snapshots for which you have create volume permissions.
Reading this, I tried to play around with the CreateVolume IAM role and limiting it to snapshots in my account but this doesn’t seem to be affecting the listing behavior. Currently I am using the AWS managed AmazonEBSCSIDriverPolicy.
This led me to look at how a “filter” can be applied to the ListSnapshot call in the CSI driver. It is possible to ask for snapshots for a specific volume, but Nomad doesn’t currently support that.
I have two options:
- I haven’t explored the IAM permissions enough and there is a way of limiting the scope of DescribeSnapshots on the AWS side
- Try to implement the source_volume_id option in Nomad’s CSI implementation
I thought I’d raise this here first before going off and creating an issue on the Nomad repo.
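As an added example (not code from the EBS CSI driver, Nomad, or the original post), the block below shows the request parameters that actually narrow a DescribeSnapshots listing: `OwnerIds=["self"]` plus `volume-id` / `tag-key` filters, which are documented DescribeSnapshots parameters. The practical check behind this is that `ec2:DescribeSnapshots` does not support resource-level permissions, so a scoped IAM policy cannot trim the result; scoping has to come from the call itself. The sample response is constructed inline, the account ID is made up, and the tag key `CSIVolumeSnapshotName` used to recognise driver-created snapshots is an assumption. The same parameter dict is applied locally to the sample so the effect of each scope is visible offline.

```python
"""Scope an EBS DescribeSnapshots listing to our own account, a source volume,
or driver-created snapshots, and apply the same scope to a constructed sample.

Added example; not code from the EBS CSI driver or Nomad. Parameter and filter
names (OwnerIds, Filters, volume-id, tag-key, tag:<key>) are real
DescribeSnapshots API names; everything else here is constructed.
"""
from typing import Dict, List, Optional

# Constructed sample account and response. The CSIVolumeSnapshotName tag key is
# an assumption about how driver-created snapshots are labelled.
OUR_ACCOUNT = "111111111111"
DRIVER_TAG_KEY = "CSIVolumeSnapshotName"

SAMPLE_SNAPSHOTS: List[Dict] = [
    # Public snapshot owned by another account: visible because we have
    # create-volume permission on it, which is exactly the noise to remove.
    {"SnapshotId": "snap-0public000000001", "OwnerId": "999999999999",
     "VolumeId": "vol-0aaaaaaaaaaaaaaaa", "Tags": []},
    # Snapshot taken by hand in our own account.
    {"SnapshotId": "snap-0manual000000002", "OwnerId": OUR_ACCOUNT,
     "VolumeId": "vol-0bbbbbbbbbbbbbbbb",
     "Tags": [{"Key": "Name", "Value": "manual"}]},
    # Snapshot created by the CSI driver (assumed tag key).
    {"SnapshotId": "snap-0csidrv000000003", "OwnerId": OUR_ACCOUNT,
     "VolumeId": "vol-0bbbbbbbbbbbbbbbb",
     "Tags": [{"Key": DRIVER_TAG_KEY, "Value": "snapshot-abc"}]},
]


def describe_snapshots_params(source_volume_id: Optional[str] = None,
                              driver_tag_key: Optional[str] = None) -> Dict:
    """Build kwargs for ec2.describe_snapshots(**params).

    OwnerIds=["self"] restricts the listing to our own account; the optional
    filters narrow it further to one source volume or to snapshots carrying
    the driver's tag key.
    """
    params: Dict = {"OwnerIds": ["self"]}
    filters = []
    if source_volume_id:
        filters.append({"Name": "volume-id", "Values": [source_volume_id]})
    if driver_tag_key:
        filters.append({"Name": "tag-key", "Values": [driver_tag_key]})
    if filters:
        params["Filters"] = filters
    return params


def _matches(snapshot: Dict, params: Dict, account_id: str) -> bool:
    """Local model of how EC2 applies OwnerIds and the supported filters."""
    owners = params.get("OwnerIds", [])
    if owners:
        owner_ok = any(
            o == snapshot["OwnerId"] or (o == "self" and snapshot["OwnerId"] == account_id)
            for o in owners)
        if not owner_ok:
            return False
    tags = snapshot.get("Tags", [])
    for f in params.get("Filters", []):
        name, values = f["Name"], f["Values"]
        if name == "volume-id":
            if snapshot["VolumeId"] not in values:
                return False
        elif name == "tag-key":
            if not any(t["Key"] in values for t in tags):
                return False
        elif name.startswith("tag:"):
            key = name[len("tag:"):]
            if not any(t["Key"] == key and t["Value"] in values for t in tags):
                return False
        else:
            raise ValueError(f"filter not modelled here: {name}")
    return True


def scoped_listing(snapshots: List[Dict], params: Dict, account_id: str) -> List[str]:
    """Return the snapshot IDs the given DescribeSnapshots params would yield."""
    return [s["SnapshotId"] for s in snapshots if _matches(s, params, account_id)]


if __name__ == "__main__":
    # No parameters: everything we can create volumes from, public included.
    print("unscoped :", scoped_listing(SAMPLE_SNAPSHOTS, {}, OUR_ACCOUNT))
    print("self     :", scoped_listing(SAMPLE_SNAPSHOTS, describe_snapshots_params(), OUR_ACCOUNT))
    print("volume   :", scoped_listing(SAMPLE_SNAPSHOTS,
          describe_snapshots_params(source_volume_id="vol-0bbbbbbbbbbbbbbbb"), OUR_ACCOUNT))
    print("driver   :", scoped_listing(SAMPLE_SNAPSHOTS,
          describe_snapshots_params(driver_tag_key=DRIVER_TAG_KEY), OUR_ACCOUNT))
```

The unscoped call is the behaviour described above (public snapshots included); `OwnerIds=["self"]` alone already removes them, and the `volume-id` filter is the request-side equivalent of a `source_volume_id` option in a CSI ListSnapshots call.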