This message was deleted.
# generals
sparse-intern-71089
04/14/2023, 3:56 AMThis message was deleted.
b
brainy-church-78120
04/14/2023, 4:07 AMdoes it work for other aws resources?
f
freezing-greece-82130
04/14/2023, 11:44 AMyup
freezing-greece-82130
04/14/2023, 11:47 AMresolved btw! seems that I didn’t have enough perms with just
PowerUserAccessfreezing-greece-82130
04/14/2023, 11:50 AMit would be nice if operations could list the perms needed in documentation or stack trace 😄
100 rainbow 1
b
brainy-church-78120
04/17/2023, 1:14 AMLee Briggs opened this issue to allow us to expose more information on these types of errors, you can vote on it by emoji reacting on the issue over in github
https://github.com/pulumi/pulumi-aws/issues/2467
🙌 1
f
freezing-greece-82130
04/17/2023, 2:06 PMcool ty!
freezing-greece-82130
04/21/2023, 12:07 AM Copy code
const gitlabInfraCiRole = new aws.iam.Role(`${name}-gitlab-oidc-infra-role`, {
assumeRolePolicy: {
Version: '2012-10-17',
Statement: [
{
Effect: 'Allow',
Principal: {
Federated: pulumi.interpolate`arn:aws:iam::${getAccountId()}:oidc-provider/${gitlabShortUri}`,
},
Action: 'sts:AssumeRoleWithWebIdentity',
Condition: {
StringLike: {
[conditionKey]: `project_path:${gitlabInfraProjectPath}`,
},
},
},
],
},
managedPolicyArns: [
'arn:aws:iam::aws:policy/AmazonECS_FullAccess',
'arn:aws:iam::aws:policy/AWSLambda_FullAccess',
'arn:aws:iam::aws:policy/AWSLambda_FullAccess',
'arn:aws:iam::aws:policy/AWSOrganizationsFullAccess'
],
description: 'GitLab infra repo role',
});
const gitlabInfraCiPolicy = new aws.iam.RolePolicy(
`${name}-gitlab-oidc-infra-policy`,
{
role: gitlabInfraCiRole,
policy: {
Version: '2012-10-17',
Statement: [
{
Effect: 'Allow',
Action: ['ecr:DescribeImages'],
Resource: repo.arn,
},
{
Sid: 'AssumeNewAccountRole',
Effect: 'Allow',
Action: [
'sts:AssumeRole'
],
Resource: [
'arn:aws:iam::290241234068:role/OrganizationalAccountAccessRole'
]
},
{
Sid: 'OrganizationWritePolicies',
Effect: 'Allow',
Action: [
'organizations:CreateOrganizationalUnit',
'organizations:DeleteOrganizationalUnit',
'organizations:UpdateOrganizationalUnit',
'organizations:MoveAccount',
'organizations:CreatePolicy',
'organizations:AttachPolicy',
'organizations:CreateAccount',
'organizations:DeletePolicy',
'organizations:DeleteResourcePolicy',
'organizations:DetachPolicy',
'organizations:UpdatePolicy',
'organizations:CloseAccount',
'organizations:DisablePolicyType',
'organizations:EnablePolicyType'
],
Resource: "*"
},
{
Effect: 'Allow',
Action: [
'secretsmanager:GetSecretValue',
// TODO: consider lowering the permision scope
'ec2:*',
'ecs:*',
// TODO: Expect some missing policies when updateing/deleting resources eg:
'iam:UpdateAssumeRolePolicy',
'iam:DetachRolePolicy',
'acm:RequestCertificate',
'acm:DescribeCertificate',
'acm:ListTagsForCertificate',
'elasticloadbalancing:ModifyListener',
'logs:PutRetentionPolicy',
'logs:ListTagsLogGroup',
'elasticloadbalancing:DescribeTags',
'elasticloadbalancing:DescribeLoadBalancerAttributes',
'elasticloadbalancing:ModifyLoadBalancerAttributes',
'rds:DeleteDBSubnetGroup',
'rds:ModifyDBInstance',
'rds:DescribeDBInstances',
'rds:ListTagsForResource',
'backup:*',
'backup-storage:*',
'organizations:*',
'account:GetAlternateContact',
'account:GetContactInformation',
'account:GetAlternateContact',
'account:GetContactInformation',
'account:PutContactInformation',
'account:ListAccounts',
'account:ListRegions',
'account:EnableRegion',
'account:DisableRegion',
],
Resource: '*',
},
],
},
}
);👀 1
b
brainy-church-78120
04/21/2023, 12:13 AMnot immediately but can take a closer look tomorrow
💡 1
f
freezing-greece-82130
04/21/2023, 9:01 AMthanks!! it’s been driving me a lil nuts haha
5 Views