
Support for AWS service-linked roles

Open elyscape opened this issue 6 years ago • 1 comment

Roles with a prefix beginning with /aws-service-role/ and a name beginning with AWSServiceRoleFor have special handling by AWS and must be created as service-linked roles. Currently, it tries to define them as regular roles, leading to failure:

myhost:iamy-policies elyscape$ cat REDACTED/iam/role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS.yaml
AssumeRolePolicyDocument:
  Statement:
  - Action: sts:AssumeRole
    Effect: Allow
    Principal:
      Service: ecs.amazonaws.com
  Version: 2012-10-17
Description: Allows ECS to create and manage AWS resources on your behalf.
Policies:
- arn:aws:iam::aws:policy/aws-service-role/AmazonECSServiceRolePolicy
myhost:iamy-policies elyscape$ iamy push
Commands to push changes to AWS:

      aws iam create-role --role-name AWSServiceRoleForECS --path /aws-service-role/ecs.amazonaws.com/ --description 'Allows ECS to create and manage AWS resources on your behalf.' --assume-role-policy-document '{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs.amazonaws.com"
      }
    }
  ],
  "Version": "2012-10-17"
}'
      aws iam attach-role-policy --role-name AWSServiceRoleForECS --policy-arn arn:aws:iam::aws:policy/aws-service-role/AmazonECSServiceRolePolicy

Run 2 aws commands (0 destructive)? (y/N) y

> aws iam create-role --role-name AWSServiceRoleForECS --path /aws-service-role/ecs.amazonaws.com/ --description 'Allows ECS to create and manage AWS resources on your behalf.' --assume-role-policy-document '{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs.amazonaws.com"
      }
    }
  ],
  "Version": "2012-10-17"
}'

An error occurred (InvalidInput) when calling the CreateRole operation: Path prefix '/aws-service-role/' can only be used for AWS Service linked Roles
exit status 255

The role definition was generated by running:

aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com --description 'Allows ECS to create and manage AWS resources on your behalf.'

and then running iamy pull.

elyscape avatar Sep 28 '18 22:09 elyscape
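To make the distinction in the report concrete, here is an added Go sketch (not iamy's own code; the `Role` struct and function names are hypothetical) that classifies a pulled role definition by the two markers named above, flags a definition whose path and name disagree since IAM rejects it either way, and emits `create-service-linked-role` instead of `create-role` for service-linked roles.

```go
package main

import (
	"fmt"
	"strings"
)

// Role holds the fields of a pulled role definition used here
// (hypothetical struct; iamy's own types are not used).
type Role struct {
	Name, Path, Description string
	TrustedService          string // Principal.Service from the trust policy
}

const (
	slrPathPrefix = "/aws-service-role/"
	slrNamePrefix = "AWSServiceRoleFor"
)

// Classify reports whether AWS treats the role as service-linked. A path under
// /aws-service-role/ without the matching name prefix (or vice versa) is an error.
func Classify(r Role) (bool, error) {
	byPath := strings.HasPrefix(r.Path, slrPathPrefix)
	byName := strings.HasPrefix(r.Name, slrNamePrefix)
	if byPath != byName {
		return false, fmt.Errorf("role %s: path %q and name disagree on service-linked status", r.Name, r.Path)
	}
	return byPath, nil
}

// ServiceName takes the service from the path segment after the prefix
// (/aws-service-role/ecs.amazonaws.com/ -> ecs.amazonaws.com), else the trust principal.
func ServiceName(r Role) string {
	if svc := strings.Trim(strings.TrimPrefix(r.Path, slrPathPrefix), "/"); svc != "" {
		return svc
	}
	return r.TrustedService
}

// CreateCommand returns the CLI call a push would need for this role (other flags omitted).
func CreateCommand(r Role) (string, error) {
	slr, err := Classify(r)
	if err != nil {
		return "", err
	}
	if !slr {
		return fmt.Sprintf("aws iam create-role --role-name %s --path %s", r.Name, r.Path), nil
	}
	return fmt.Sprintf("aws iam create-service-linked-role --aws-service-name %s --description %q", ServiceName(r), r.Description), nil
}
```

Fed the ECS role from the pulled YAML above, `CreateCommand` yields the `create-service-linked-role` call shown at the end of the report rather than the failing `create-role` one.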

@elyscape https://github.com/99designs/iamy/pull/53 has landed and ignores AWS service roles. That should effectively fix this issue.

simpsora avatar Jan 21 '19 00:01 simpsora