-
Notifications
You must be signed in to change notification settings - Fork 92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update service role policy to include additional ecs, es and sqs permissions #3423
base: master
Are you sure you want to change the base?
Conversation
Codecov Report
@@ Coverage Diff @@
## master #3423 +/- ##
==========================================
+ Coverage 35.04% 36.24% +1.19%
==========================================
Files 673 683 +10
Lines 29419 29855 +436
Branches 4394 4394
==========================================
+ Hits 10311 10821 +510
+ Misses 17948 17874 -74
Partials 1160 1160
Flags with carried forward coverage won't be shown. Click here to find out more. see 14 files with indirect coverage changes 📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Permission changes look sane, other ones are controversial:
- I don't think we should set
RoleName
. CloudFormation generates the sane one, but deals with possible conflicts. - I don't think we should set tags. Users can set tags for CloudFormation stack by themselves and they will are propagated to the role.
(if these changes come as separate focused PRs, I'd have already approved one related to permission)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unfortunately, there are many many more permissions that we're missing. For example:
iam:CreatePolicyVersion
s3:GetBucketOwnershipControls
s3:PutBucketOwnershipControls
s3:PutBucketPublicAccessBlock
sns:CreateTopic
sns:DeleteTopic
sns:GetTopicAttributes
sns:SetTopicAttributes
synthetics:*
kms:*
I don't know of a good way to even find out all necessary permissions - I tried updating my stack over and over, and then looking at the error messages. I never figured out the specific permissions for synthetics:*
or kms:*
- and even then, that wasn't enough, and I ended up just adding *:*
.
And finally, once you attach a role to a stack, there does not appear to be a way to remove it, short of deleting the stack.
So I think we should not recommend service roles at all.
This needs more thought and we can pull service roles from the docs until we have a working service role but at the same time we can’t ask for admin permissions as security and devops teams rightfully frown upon that. Maybe we backlog this but a starting place to make this tractable is to parse our own CFT and ask for * for every referenced service except IAM and then scope resources to things tagged “quilt”. |
Description
TODO
build.py
for new docstrings