# general
b
does it work for other aws resources?
f
yup
resolved btw! seems that I didn’t have enough perms with just PowerUserAccess
it would be nice if operations could list the perms needed in documentation or stack trace 😄
b
Lee Briggs opened this issue to allow us to expose more information on these types of errors, you can vote on it by emoji reacting on the issue over in github https://github.com/pulumi/pulumi-aws/issues/2467
f
cool ty!
```typescript
import * as aws from "@pulumi/aws";
import * as pulumi from "@pulumi/pulumi";

// `name`, `getAccountId`, `gitlabShortUri`, `conditionKey`,
// `gitlabInfraProjectPath` and `repo` are defined elsewhere in this program.

// Role assumed by the GitLab infra project through the GitLab OIDC provider
// (web identity federation, no long-lived access keys in CI).
const gitlabInfraCiRole = new aws.iam.Role(`${name}-gitlab-oidc-infra-role`, {
  assumeRolePolicy: {
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Principal: {
          Federated: pulumi.interpolate`arn:aws:iam::${getAccountId()}:oidc-provider/${gitlabShortUri}`,
        },
        Action: 'sts:AssumeRoleWithWebIdentity',
        // Only tokens issued for this GitLab project path may assume the role.
        Condition: {
          StringLike: {
            [conditionKey]: `project_path:${gitlabInfraProjectPath}`,
          },
        },
      },
    ],
  },
  managedPolicyArns: [
    'arn:aws:iam::aws:policy/AmazonECS_FullAccess',
    'arn:aws:iam::aws:policy/AWSLambda_FullAccess',
    'arn:aws:iam::aws:policy/AWSOrganizationsFullAccess',
  ],
  description: 'GitLab infra repo role',
});

// Inline policy with the extra permissions the infra pipeline needs.
const gitlabInfraCiPolicy = new aws.iam.RolePolicy(
  `${name}-gitlab-oidc-infra-policy`,
  {
    role: gitlabInfraCiRole,
    policy: {
      Version: '2012-10-17',
      Statement: [
        {
          Effect: 'Allow',
          Action: ['ecr:DescribeImages'],
          Resource: repo.arn,
        },
        {
          Sid: 'AssumeNewAccountRole',
          Effect: 'Allow',
          Action: ['sts:AssumeRole'],
          Resource: [
            'arn:aws:iam::290241234068:role/OrganizationalAccountAccessRole',
          ],
        },
        {
          // Note: 'organizations:*' in the statement below already grants all of these.
          Sid: 'OrganizationWritePolicies',
          Effect: 'Allow',
          Action: [
            'organizations:CreateOrganizationalUnit',
            'organizations:DeleteOrganizationalUnit',
            'organizations:UpdateOrganizationalUnit',
            'organizations:MoveAccount',
            'organizations:CreatePolicy',
            'organizations:AttachPolicy',
            'organizations:CreateAccount',
            'organizations:DeletePolicy',
            'organizations:DeleteResourcePolicy',
            'organizations:DetachPolicy',
            'organizations:UpdatePolicy',
            'organizations:CloseAccount',
            'organizations:DisablePolicyType',
            'organizations:EnablePolicyType',
          ],
          Resource: '*',
        },
        {
          Effect: 'Allow',
          Action: [
            'secretsmanager:GetSecretValue',
            // TODO: consider lowering the permission scope
            'ec2:*',
            'ecs:*',
            // TODO: expect some missing permissions when updating/deleting resources, e.g.:
            'iam:UpdateAssumeRolePolicy',
            'iam:DetachRolePolicy',
            'acm:RequestCertificate',
            'acm:DescribeCertificate',
            'acm:ListTagsForCertificate',
            'elasticloadbalancing:ModifyListener',
            'logs:PutRetentionPolicy',
            'logs:ListTagsLogGroup',
            'elasticloadbalancing:DescribeTags',
            'elasticloadbalancing:DescribeLoadBalancerAttributes',
            'elasticloadbalancing:ModifyLoadBalancerAttributes',
            'rds:DeleteDBSubnetGroup',
            'rds:ModifyDBInstance',
            'rds:DescribeDBInstances',
            'rds:ListTagsForResource',
            'backup:*',
            'backup-storage:*',
            'organizations:*',
            'account:GetAlternateContact',
            'account:GetContactInformation',
            'account:PutContactInformation',
            'account:ListAccounts',
            'account:ListRegions',
            'account:EnableRegion',
            'account:DisableRegion',
          ],
          Resource: '*',
        },
      ],
    },
  }
);
```
b
not immediately but can take a closer look tomorrow
f
thanks!! it’s been driving me a lil nuts haha