Only when bug 1375197 is resolved fixed, we should open up the worker type definitions by changing the following API point to require no scopes: https://docs.taskcluster.net/reference/integrations/aws-provisioner/references/api#workerType

Worth mentioning is that even though we currently allow a list of scopes in the worker type definition, these scopes actually have no purpose and aren't part of any credentials issued by the provisioner.

(In reply to John Ford [:jhford] CET/CEST Berlin Time from comment #1) > Worth mentioning is that even though we currently allow a list of scopes in > the worker type definition, these scopes actually have no purpose and aren't > part of any credentials issued by the provisioner. Thanks John. This bug is more about removing the required scope aws-provisioner:view-worker-type:<workerType> from the workerType API endpoint (i.e. requiring no auth when hitting https://aws-provisioner.taskcluster.net/v1/worker-type/<workerType>). I think the issue about the scopes property of the worker type definition no longer being used/required is tracked in bug 1375228.

Found in triage. Pete: you were going to do something with this batch of bugs, IIRC.

We are working to move our provisioning to the new worker manager design. This design does not have any provisioner secrets in it and will not have worker types protected by scopes. I'm marking this P5 because it's low priority to fix in the Aws-Provisioner codebase and dependent on a much larger project of removing provisioner secrets.