Provide Default Policy for copilot execution user
When running copilot init after aws configure, one has to fight through many "not authorized" errors before the application can actually be deployed (SSM access, CloudFormation access, etc.).
Am I missing something?
There should be a hint in the documentation on how to configure permissions for the copilot execution user. An example policy would be very helpful, so that one does not have to start from scratch.
I am currently working on a CloudFormation template, but probably there are already some existing solutions?
Finally, this is the CloudFormation template that I used to make copilot init run with the hello-world example.
    AWSTemplateFormatVersion: 2010-09-09
    Description: "Create a user equipped with permissions to create a copilot deployment stack."
    Resources:
      copilotUser:
        Type: 'AWS::IAM::User'
      copilotUserGroup:
        Type: 'AWS::IAM::Group'
        Properties:
          GroupName: copilotUserGroup
          # Broad AWS managed policies; sufficient for "copilot init" with the hello-world sample.
          ManagedPolicyArns:
            - arn:aws:iam::aws:policy/AmazonSSMFullAccess
            - arn:aws:iam::aws:policy/AWSCloudFormationFullAccess
            - arn:aws:iam::aws:policy/IAMFullAccess
            - arn:aws:iam::aws:policy/AWSCloudMapFullAccess
            - arn:aws:iam::aws:policy/AmazonEC2FullAccess
            - arn:aws:iam::aws:policy/AmazonECS_FullAccess
            - arn:aws:iam::aws:policy/AWSLambdaFullAccess
            - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess
      addUserToGroup:
        Type: 'AWS::IAM::UserToGroupAddition'
        Properties:
          GroupName: !Ref copilotUserGroup
          Users:
            - !Ref copilotUser
      copilotAccessKeys:
        Type: 'AWS::IAM::AccessKey'
        Properties:
          UserName:
            Ref: "copilotUser"
      copilotPolicy:
        Type: 'AWS::IAM::Policy'
        Properties:
          PolicyName: 'copilotPolicy'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Copilot assumes the environment manager / execution roles it creates.
              - Effect: Allow
                Action:
                  - sts:AssumeRole
                Resource: '*'
          Groups:
            - !Ref copilotUserGroup
    Outputs:
      AwsAccessKey:
        Description: "Access key ID"
        Value: !Ref copilotAccessKeys
      AwsAccessToken:
        # Stack outputs are readable by anyone who can describe the stack, so the secret is exposed here.
        Description: "Secret access key"
        Value: !GetAtt copilotAccessKeys.SecretAccessKey
Hi @andreas-gruenwald!
Thank you so much for providing a template with the sample list of policies to be a Copilot admin. You're right, we don't have it yet in our documentation; I've added a "documentation" label for us to keep it in mind in the future.
First of all, I love the project, kudos to everyone here. That said, I agree that this was the most annoying part for me when trying out the deployments. Having user or group creation, or at least listing out the required permissions, would definitely make for a better onboarding experience for new users.
Adding to the above roles, if you are using secrets it also requires Parameter Store permissions (ssm:PutParameter, GetParameter, etc.).
I realize it's a little tricky to dig these all out, but it's also probably best to be a little finer-grained on some of the permissions vs. the broader managed policies.
@andreas-gruenwald, Thanks for posting the credential list. You saved me tons of time.
FYI, I had to add the policy AmazonRoute53FullAccess when using the --domain argument with the command $ copilot app init --MYDOMAIN
Would really like to see a more limited set of policies.
Ended up with this for our minimal permissions. For our use case we added full DynamoDB, S3 and KMS, but that can easily be removed. Currently we don't have a requirement for Route53 domain management.
    Resources:
      developerrole79A28402:
        Type: AWS::IAM::Role
        Properties:
          AssumeRolePolicyDocument:
            Statement:
              - Action: sts:AssumeRole
                Effect: Allow
                Principal:
                  AWS:
                    Fn::Join:
                      - ""
                      - - "arn:"
                        - Ref: AWS::Partition
                        - :iam::OTHER_ACCOUNT_NUMBER:root
            Version: "2012-10-17"
          Description: Developer role for copilot-perms-demo
          RoleName: developer-role
        Metadata:
          aws:cdk:path: InfrastructureStack/developer-role/Resource
      computepolicy04C11CFB:
        Type: AWS::IAM::ManagedPolicy
        Properties:
          PolicyDocument:
            Statement:
              - Action:
                  - ecs:DescribeClusters
                  - ecs:DeleteCluster
                Effect: Allow
                Resource:
                  Fn::Join:
                    - ""
                    - - "arn:aws:ecs:"
                      - Ref: AWS::Region
                      - ":"
                      - Ref: AWS::AccountId
                      - :cluster/*
              - Action:
                  - ecs:CreateCluster
                  - ecr:GetAuthorizationToken
                Effect: Allow
                Resource: "*"
              - Action:
                  - ecr:PutImageTagMutability
                  - ecr:StartImageScan
                  - ecr:ListTagsForResource
                  - ecr:UploadLayerPart
                  - ecr:BatchDeleteImage
                  - ecr:ListImages
                  - ecr:DeleteRepository
                  - ecr:CompleteLayerUpload
                  - ecr:TagResource
                  - ecr:DescribeRepositories
                  - ecr:DeleteRepositoryPolicy
                  - ecr:BatchCheckLayerAvailability
                  - ecr:GetLifecyclePolicy
                  - ecr:PutLifecyclePolicy
                  - ecr:DescribeImageScanFindings
                  - ecr:GetLifecyclePolicyPreview
                  - ecr:CreateRepository
                  - ecr:PutImageScanningConfiguration
                  - ecr:GetDownloadUrlForLayer
                  - ecr:DeleteLifecyclePolicy
                  - ecr:PutImage
                  - ecr:UntagResource
                  - ecr:SetRepositoryPolicy
                  - ecr:BatchGetImage
                  - ecr:DescribeImages
                  - ecr:StartLifecyclePolicyPreview
                  - ecr:InitiateLayerUpload
                  - ecr:GetRepositoryPolicy
                Effect: Allow
                Resource:
                  Fn::Join:
                    - ""
                    - - "arn:aws:ecr:"
                      - Ref: AWS::Region
                      - ":"
                      - Ref: AWS::AccountId
                      - :repository/*
              - Action:
                  - elasticloadbalancing:CreateLoadBalancer
                  - elasticloadbalancing:DeleteLoadBalancer
                  - elasticloadbalancingv2:CreateLoadBalancer
                  - elasticloadbalancingv2:DeleteLoadBalancer
                Effect: Allow
                Resource:
                  Fn::Join:
                    - ""
                    - - "arn:aws:elasticloadbalancing:"
                      - Ref: AWS::Region
                      - ":"
                      - Ref: AWS::AccountId
                      - :loadbalancer/*
              - Action:
                  - elasticloadbalancing:CreateTargetGroup
                  - elasticloadbalancing:DeleteTargetGroup
                  - elasticloadbalancing:ModifyTargetGroupAttributes
                  - elasticloadbalancing:AddTags
                  - elasticloadbalancing:RemoveTags
                  - elasticloadbalancingv2:CreateTargetGroup
                  - elasticloadbalancingv2:DeleteTargetGroup
                  - elasticloadbalancingv2:ModifyTargetGroupAttributes
                  - elasticloadbalancingv2:AddTags
                  - elasticloadbalancingv2:RemoveTags
                Effect: Allow
                Resource:
                  Fn::Join:
                    - ""
                    - - "arn:aws:elasticloadbalancing:"
                      - Ref: AWS::Region
                      - ":"
                      - Ref: AWS::AccountId
                      - :targetgroup/*
              - Action:
                  - elasticloadbalancing:DescribeTargetGroups
                  - elasticloadbalancing:DescribeLoadBalancers
                Effect: Allow
                Resource: "*"
              - Action:
                  - lambda:CreateFunction
                  - lambda:DeleteFunction
                  - lambda:GetFunction
                  - lambda:GetFunctionConfiguration
                  - lambda:InvokeFunction
                Effect: Allow
                Resource:
                  Fn::Join:
                    - ""
                    - - "arn:aws:lambda:"
                      - Ref: AWS::Region
                      - ":"
                      - Ref: AWS::AccountId
                      - :function:*
            Version: "2012-10-17"
          Description: ""
          ManagedPolicyName: compute-policy
          Path: /
          Roles:
            - Ref: developerrole79A28402
        Metadata:
          aws:cdk:path: InfrastructureStack/compute-policy/Resource
      environmentpolicy5A7E6843:
        Type: AWS::IAM::ManagedPolicy
        Properties:
          PolicyDocument:
            Statement:
              - Action:
                  - ssm:GetParameter
                  - ssm:PutParameter
                  - ssm:GetParametersByPath
                  - ssm:DeleteParameter
                Effect: Allow
                Resource:
                  Fn::Join:
                    - ""
                    - - "arn:aws:ssm:"
                      - Ref: AWS::Region
                      - ":"
                      - Ref: AWS::AccountId
                      - :parameter/copilot/*
              - Action:
                  - cloudformation:DescribeStacks
                  - cloudformation:CreateChangeSet
                  - cloudformation:DescribeChangeSet
                  - cloudformation:ExecuteChangeSet
                  - cloudformation:DeleteStack
                  - cloudformation:DeleteChangeSet
                Effect: Allow
                Resource:
                  Fn::Join:
                    - ""
                    - - "arn:aws:cloudformation:"
                      - Ref: AWS::Region
                      - ":"
                      - Ref: AWS::AccountId
                      - :stack/*
              - Action:
                  - cloudformation:CreateStackSet
                  - cloudformation:TagResource
                  - cloudformation:DescribeStackSet
                  - cloudformation:UpdateStackSet
                  - cloudformation:DescribeStackSetOperation
                  - cloudformation:ListStackInstances
                  - cloudformation:DeleteStackSet
                  - cloudformation:CreateStackInstances
                  - cloudformation:DeleteStackInstances
                Effect: Allow
                Resource:
                  Fn::Join:
                    - ""
                    - - "arn:aws:cloudformation:"
                      - Ref: AWS::Region
                      - ":"
                      - Ref: AWS::AccountId
                      - :stackset/*
              - Action:
                  - iam:GetRole
                  - iam:CreateRole
                  - iam:PutRolePolicy
                  - iam:DeleteRolePolicy
                  - iam:DeleteRole
                  - iam:PassRole
                  - iam:getRolePolicy
                  - iam:TagRole
                  - iam:UntagRole
                Effect: Allow
                Resource:
                  Fn::Join:
                    - ""
                    - - "arn:aws:iam::"
                      - Ref: AWS::AccountId
                      - :role/*
              - Action: sts:AssumeRole
                Effect: Allow
                Resource:
                  Fn::Join:
                    - ""
                    - - "arn:aws:iam::"
                      - Ref: AWS::AccountId
                      - :role/*EnvManagerRole
              - Action:
                  - servicediscovery:DeleteNamespace
                  - servicediscovery:GetNamespace
                Effect: Allow
                Resource:
                  Fn::Join:
                    - ""
                    - - "arn:aws:servicediscovery:"
                      - Ref: AWS::Region
                      - ":"
                      - Ref: AWS::AccountId
                      - :namespace/*
              - Action:
                  - servicediscovery:CreatePrivateDnsNamespace
                  - servicediscovery:TagResource
                  - servicediscovery:UntagResource
                  - servicediscovery:GetOperation
                  - servicediscovery:ListNamespaces
                Effect: Allow
                Resource: "*"
              - Action: route53:ListHostedZones
                Effect: Allow
                Resource: "*"
              - Action:
                  - route53:CreateHostedZone
                  - route53:GetHostedZone
                  - route53:DeleteHostedZone
                Effect: Allow
                Resource: "*"
            Version: "2012-10-17"
          Description: ""
          ManagedPolicyName: environment-policy
          Path: /
          Roles:
            - Ref: developerrole79A28402
        Metadata:
          aws:cdk:path: InfrastructureStack/environment-policy/Resource
      networkingpolicy499FC87E:
        Type: AWS::IAM::ManagedPolicy
        Properties:
          PolicyDocument:
            Statement:
              - Action:
                  - ec2:CreateNatGateway
                  - ec2:CreateSecurityGroup
                  - ec2:CreateInternetGateway
                  - ec2:CreateVpc
                  - ec2:DeleteInternetGateway
                  - ec2:DeleteVpc
                  - ec2:DeleteNatGateway
                  - ec2:DeleteSecurityGroup
                  - ec2:CreateRoute
                  - ec2:DeleteRoute
                  - ec2:CreateSubnet
                  - ec2:DeleteRouteTable
                  - ec2:AuthorizeSecurityGroupIngress
                  - ec2:RevokeSecurityGroupIngress
                Effect: Allow
                Resource:
                  - Fn::Join:
                      - ""
                      - - "arn:aws:ec2:"
                        - Ref: AWS::Region
                        - ":"
                        - Ref: AWS::AccountId
                        - :vpc/*
                  - Fn::Join:
                      - ""
                      - - "arn:aws:ec2:"
                        - Ref: AWS::Region
                        - ":"
                        - Ref: AWS::AccountId
                        - :natgateway/*
                  - Fn::Join:
                      - ""
                      - - "arn:aws:ec2:"
                        - Ref: AWS::Region
                        - ":"
                        - Ref: AWS::AccountId
                        - :security-group/*
                  - Fn::Join:
                      - ""
                      - - "arn:aws:ec2:"
                        - Ref: AWS::Region
                        - ":"
                        - Ref: AWS::AccountId
                        - :internet-gateway/*
                  - Fn::Join:
                      - ""
                      - - "arn:aws:ec2:"
                        - Ref: AWS::Region
                        - ":"
                        - Ref: AWS::AccountId
                        - :subnet/*
                  - Fn::Join:
                      - ""
                      - - "arn:aws:ec2:"
                        - Ref: AWS::Region
                        - ":"
                        - Ref: AWS::AccountId
                        - :route-table/*
              - Action:
                  - ec2:DeleteSubnet
                  - ec2:CreateRouteTable
                  - ec2:DescribeInternetGateways
                  - ec2:DescribeVpcs
                  - ec2:DeleteTags
                  - ec2:CreateTags
                  - ec2:ModifyVpcAttribute
                  - ec2:DescribeAvailabilityZones
                  - ec2:AttachInternetGateway
                  - ec2:DescribeSecurityGroups
                  - ec2:DescribeAccountAttributes
                  - ec2:DescribeSubnets
                  - ec2:DescribeRouteTables
                  - ec2:DetachInternetGateway
                  - ec2:ModifySubnetAttribute
                  - ec2:DisassociateRouteTable
                  - ec2:AssociateRouteTable
                Effect: Allow
                Resource: "*"
            Version: "2012-10-17"
          Description: ""
          ManagedPolicyName: networking-policy
          Path: /
          Roles:
            - Ref: developerrole79A28402
        Metadata:
          aws:cdk:path: InfrastructureStack/networking-policy/Resource
      storagepolicy5350DAA0:
        Type: AWS::IAM::ManagedPolicy
        Properties:
          PolicyDocument:
            Statement:
              - Action:
                  - s3:GetBucketTagging
                  - s3:CreateBucket
                  - s3:ListBucket
                  - s3:GetBucketVersioning
                  - s3:PutBucketCORS
                  - s3:GetBucketAcl
                  - s3:DeleteBucketPolicy
                  - s3:GetBucketPolicy
                  - s3:PutEncryptionConfiguration
                  - s3:GetEncryptionConfiguration
                  - s3:PutBucketTagging
                  - s3:GetBucketCORS
                  - s3:PutBucketAcl
                  - s3:PutBucketPolicy
                  - s3:GetBucketLocation
                  - s3:DeleteBucket
                  - s3:PutBucketVersioning
                Effect: Allow
                Resource: arn:aws:s3:::*
              - Action:
                  - s3:DeleteObjectTagging
                  - s3:PutObject
                  - s3:GetObjectAcl
                  - s3:GetObject
                  - s3:DeleteObjectVersion
                  - s3:GetObjectVersionAcl
                  - s3:GetObjectTagging
                  - s3:PutObjectTagging
                  - s3:DeleteObject
                  - s3:PutObjectAcl
                Effect: Allow
                Resource: arn:aws:s3:::*/*
              - Action: s3:ListAllMyBuckets
                Effect: Allow
                Resource: "*"
              - Action:
                  - kms:EnableKey
                  - kms:GetPublicKey
                  - kms:Decrypt
                  - kms:UntagResource
                  - kms:PutKeyPolicy
                  - kms:GenerateDataKeyWithoutPlaintext
                  - kms:Verify
                  - kms:ListResourceTags
                  - kms:CancelKeyDeletion
                  - kms:GenerateDataKeyPair
                  - kms:TagResource
                  - kms:Encrypt
                  - kms:GetKeyRotationStatus
                  - kms:ScheduleKeyDeletion
                  - kms:ReEncryptTo
                  - kms:DescribeKey
                  - kms:Sign
                  - kms:CreateGrant
                  - kms:EnableKeyRotation
                  - kms:ListKeyPolicies
                  - kms:UpdateKeyDescription
                  - kms:GetKeyPolicy
                  - kms:GenerateDataKeyPairWithoutPlaintext
                  - kms:DisableKey
                  - kms:ReEncryptFrom
                  - kms:DisableKeyRotation
                  - kms:RetireGrant
                  - kms:ListGrants
                  - kms:UpdateAlias
                  - kms:RevokeGrant
                  - kms:GenerateDataKey
                  - kms:CreateAlias
                  - kms:DeleteAlias
                Effect: Allow
                Resource:
                  - Fn::Join:
                      - ""
                      - - "arn:aws:kms:"
                        - Ref: AWS::Region
                        - ":"
                        - Ref: AWS::AccountId
                        - :alias/*
                  - Fn::Join:
                      - ""
                      - - "arn:aws:kms:"
                        - Ref: AWS::Region
                        - ":"
                        - Ref: AWS::AccountId
                        - :key/*
              - Action:
                  - kms:ListKeys
                  - kms:GenerateRandom
                  - kms:ListAliases
                  - kms:CreateKey
                Effect: Allow
                Resource: "*"
              - Action:
                  - dynamodb:Scan
                  - dynamodb:Query
                  - dynamodb:DescribeStream
                  - dynamodb:UpdateGlobalTable
                  - dynamodb:UpdateGlobalTableSettings
                  - dynamodb:DescribeGlobalTableSettings
                  - dynamodb:GetShardIterator
                  - dynamodb:DescribeGlobalTable
                  - dynamodb:RestoreTableFromBackup
                  - dynamodb:CreateGlobalTable
                  - dynamodb:DescribeBackup
                  - dynamodb:DeleteBackup
                  - dynamodb:GetRecords
                Effect: Allow
                Resource:
                  - Fn::Join:
                      - ""
                      - - "arn:aws:dynamodb:"
                        - Ref: AWS::Region
                        - ":"
                        - Ref: AWS::AccountId
                        - :table/*/stream/*
                  - Fn::Join:
                      - ""
                      - - "arn:aws:dynamodb::"
                        - Ref: AWS::AccountId
                        - :global-table/*
                  - Fn::Join:
                      - ""
                      - - "arn:aws:dynamodb:"
                        - Ref: AWS::Region
                        - ":"
                        - Ref: AWS::AccountId
                        - :table/*/index/*
                  - Fn::Join:
                      - ""
                      - - "arn:aws:dynamodb:"
                        - Ref: AWS::Region
                        - ":"
                        - Ref: AWS::AccountId
                        - :table/*/backup/*
              - Action:
                  - dynamodb:DeleteItem
                  - dynamodb:RestoreTableToPointInTime
                  - dynamodb:ListTagsOfResource
                  - dynamodb:CreateTableReplica
                  - dynamodb:UpdateGlobalTable
                  - dynamodb:CreateBackup
                  - dynamodb:DeleteTable
                  - dynamodb:UpdateTableReplicaAutoScaling
                  - dynamodb:UpdateContinuousBackups
                  - dynamodb:TagResource
                  - dynamodb:DescribeTable
                  - dynamodb:GetItem
                  - dynamodb:DescribeContinuousBackups
                  - dynamodb:CreateGlobalTable
                  - dynamodb:BatchGetItem
                  - dynamodb:UpdateTimeToLive
                  - dynamodb:BatchWriteItem
                  - dynamodb:ConditionCheckItem
                  - dynamodb:UntagResource
                  - dynamodb:PutItem
                  - dynamodb:Scan
                  - dynamodb:Query
                  - dynamodb:UpdateItem
                  - dynamodb:DescribeTimeToLive
                  - dynamodb:CreateTable
                  - dynamodb:UpdateGlobalTableSettings
                  - dynamodb:RestoreTableFromBackup
                  - dynamodb:ExportTableToPointInTime
                  - dynamodb:UpdateTable
                  - dynamodb:DescribeTableReplicaAutoScaling
                Effect: Allow
                Resource:
                  Fn::Join:
                    - ""
                    - - "arn:aws:dynamodb:"
                      - Ref: AWS::Region
                      - ":"
                      - Ref: AWS::AccountId
                      - :table/*
              - Action:
                  - dynamodb:ListGlobalTables
                  - dynamodb:ListTables
                  - dynamodb:DescribeReservedCapacity
                  - dynamodb:ListBackups
                  - dynamodb:DescribeLimits
                  - dynamodb:ListStreams
                Effect: Allow
                Resource: "*"
            Version: "2012-10-17"
          Description: ""
          ManagedPolicyName: storage-policy
          Path: /
          Roles:
            - Ref: developerrole79A28402
        Metadata:
          aws:cdk:path: InfrastructureStack/storage-policy/Resource
      CDKMetadata:
        Type: AWS::CDK::Metadata
        Properties:
          Modules: aws-cdk=1.73.0,@aws-cdk/aws-iam=1.73.0,@aws-cdk/cloud-assembly-schema=1.73.0,@aws-cdk/core=1.73.0,@aws-cdk/cx-api=1.73.0,@aws-cdk/region-info=1.73.0,jsii-runtime=node.js/v14.14.0
        Metadata:
          aws:cdk:path: InfrastructureStack/CDKMetadata/Default
        Condition: CDKMetadataAvailable
    Conditions:
      CDKMetadataAvailable:
        Fn::Or:
          - Fn::Or:
              - Fn::Equals:
                  - Ref: AWS::Region
                  - ap-east-1
              - Fn::Equals:
                  - Ref: AWS::Region
                  - ap-northeast-1
              - Fn::Equals:
                  - Ref: AWS::Region
                  - ap-northeast-2
              - Fn::Equals:
                  - Ref: AWS::Region
                  - ap-south-1
              - Fn::Equals:
                  - Ref: AWS::Region
                  - ap-southeast-1
              - Fn::Equals:
                  - Ref: AWS::Region
                  - ap-southeast-2
              - Fn::Equals:
                  - Ref: AWS::Region
                  - ca-central-1
              - Fn::Equals:
                  - Ref: AWS::Region
                  - cn-north-1
              - Fn::Equals:
                  - Ref: AWS::Region
                  - cn-northwest-1
              - Fn::Equals:
                  - Ref: AWS::Region
                  - eu-central-1
          - Fn::Or:
              - Fn::Equals:
                  - Ref: AWS::Region
                  - eu-north-1
              - Fn::Equals:
                  - Ref: AWS::Region
                  - eu-west-1
              - Fn::Equals:
                  - Ref: AWS::Region
                  - eu-west-2
              - Fn::Equals:
                  - Ref: AWS::Region
                  - eu-west-3
              - Fn::Equals:
                  - Ref: AWS::Region
                  - me-south-1
              - Fn::Equals:
                  - Ref: AWS::Region
                  - sa-east-1
              - Fn::Equals:
                  - Ref: AWS::Region
                  - us-east-1
              - Fn::Equals:
                  - Ref: AWS::Region
                  - us-east-2
              - Fn::Equals:
                  - Ref: AWS::Region
                  - us-west-1
              - Fn::Equals:
                  - Ref: AWS::Region
                  - us-west-2
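The template above still carries a few Resource "*" statements and an iam:PassRole grant over every role, which is exactly what a reviewer would want flagged before attaching it to a developer role. The following is an added example, not code from the issue thread or from Copilot: a small linter that walks a CloudFormation template dict, resolves the Fn::Join / Ref pseudo-parameter form that CDK emits, and reports Allow statements that grant mutating actions on "*", use a wildcard Action, or grant iam:PassRole over all roles. TEMPLATE is a constructed, cut-down template in the same shape; PSEUDO holds assumed values for the pseudo parameters, and NEEDS_STAR is an illustrative subset of actions that accept no resource-level permissions.

```python
"""Lint IAM statements in a CloudFormation template for over-broad grants (added example)."""

# Assumed values for the pseudo parameters a deployment would supply.
PSEUDO = {"AWS::Region": "us-east-1", "AWS::AccountId": "123456789012", "AWS::Partition": "aws"}
# Action names starting like this only read state; "*" on them is a smaller concern.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")
# Illustrative subset (assumption) of actions that support no resource-level
# permissions and therefore legitimately need Resource "*".
NEEDS_STAR = {"ecs:CreateCluster", "ecr:GetAuthorizationToken", "s3:ListAllMyBuckets", "kms:CreateKey"}


def resolve(node, pseudo=PSEUDO):
    """Collapse Ref and Fn::Join into plain strings; everything else passes through."""
    if isinstance(node, dict):
        if "Ref" in node:
            return pseudo.get(node["Ref"], node["Ref"])
        if "Fn::Join" in node:
            delimiter, parts = node["Fn::Join"]
            return delimiter.join(resolve(p, pseudo) for p in parts)
        return {k: resolve(v, pseudo) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(x, pseudo) for x in node]
    return node


def as_list(value):
    return value if isinstance(value, list) else [value]


def is_mutating(action):
    """'ecs:DeleteCluster' -> True, 'ecs:DescribeClusters' -> False, bare '*' -> True."""
    name = action.split(":", 1)[-1]
    return action not in NEEDS_STAR and not name.startswith(READ_ONLY_PREFIXES)


def lint(template, pseudo=PSEUDO):
    """Return one finding per problem: {'policy', 'statement', 'issue'}."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") not in ("AWS::IAM::ManagedPolicy", "AWS::IAM::Policy"):
            continue
        doc = resolve(res["Properties"]["PolicyDocument"], pseudo)
        for index, st in enumerate(as_list(doc["Statement"])):
            if st.get("Effect") != "Allow":
                continue
            actions = as_list(st["Action"])
            resources = as_list(st.get("Resource", []))
            issues = []
            wild = [a for a in actions if a == "*" or a.endswith(":*")]
            if wild:
                issues.append(f"wildcard action {wild}")
            mutating = [a for a in actions if is_mutating(a)]
            if "*" in resources and mutating:
                issues.append(f"Resource '*' with mutating actions {mutating}")
            if "iam:PassRole" in actions and any(r == "*" or r.endswith(":role/*") for r in resources):
                issues.append("iam:PassRole over every role in the account")
            findings.extend({"policy": name, "statement": index, "issue": i} for i in issues)
    return findings


def arn(service, suffix):
    """Build the Fn::Join form CDK emits, e.g. arn:aws:ecs:<region>:<account>:cluster/*."""
    return {"Fn::Join": ["", [f"arn:aws:{service}:", {"Ref": "AWS::Region"}, ":",
                               {"Ref": "AWS::AccountId"}, suffix]]}


# Constructed sample template in the shape of the CDK output above.
TEMPLATE = {"Resources": {
    "computepolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": {
        "Version": "2012-10-17", "Statement": [
            {"Action": ["ecs:DescribeClusters", "ecs:DeleteCluster"], "Effect": "Allow",
             "Resource": arn("ecs", ":cluster/*")},
            {"Action": ["ecs:CreateCluster", "ecr:GetAuthorizationToken"], "Effect": "Allow",
             "Resource": "*"},
            {"Action": ["elasticloadbalancing:CreateLoadBalancer"], "Effect": "Allow",
             "Resource": "*"},
        ]}}},
    "environmentpolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": {
        "Version": "2012-10-17", "Statement": [
            {"Action": ["iam:GetRole", "iam:PassRole"], "Effect": "Allow",
             "Resource": {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":role/*"]]}},
            {"Action": "s3:*", "Effect": "Allow", "Resource": "*"},
        ]}}},
    "someuser": {"Type": "AWS::IAM::User"},
}}

if __name__ == "__main__":
    for f in lint(TEMPLATE):
        print(f"{f['policy']}[{f['statement']}]: {f['issue']}")
```

On the constructed template this reports four findings: the load balancer statement on "*", the iam:PassRole grant over role/*, and both the wildcard action and the "*" resource of the s3:* statement; the ecs:CreateCluster statement is not reported because that action has no resource-level permissions. To run it on a real template, load the YAML with a CloudFormation-aware loader (CDK's synthesized output uses the long Fn::Join form, so no custom tags are needed) and pass the resulting dict to lint.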
Still got an error: Application name: demo ✘ get application demo: get application demo: AccessDeniedException: User: arn:aws:iam::xxx:user/[email protected] is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:xxx:parameter/copilot/applications/demo
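Each of these AccessDeniedException messages names the exact action and resource ARN that was refused, which is the raw material for growing a least-privilege policy one denial at a time instead of reaching for *FullAccess managed policies. The script below is an added example, not code from the issue thread or from Copilot: it parses such error lines and aggregates them into Allow statements. The sample lines are constructed, modelled on the messages quoted in this thread, with 123456789012 as a placeholder account id.

```python
"""Aggregate AWS "not authorized" errors into a minimal IAM policy (added example)."""
import json
import re

# Shape of the SDK message: "User: <principal arn> is not authorized to perform:
# <service:Action> on resource: <resource arn>"; text before and after is ignored.
DENIAL_RE = re.compile(
    r"User: (?P<principal>arn:aws:iam::[^\s:]+:\S+) is not authorized to perform: "
    r"(?P<action>[a-z0-9-]+:[A-Za-z0-9*]+) on resource: (?P<resource>arn:\S+)"
)

SAMPLE_ERRORS = [  # constructed sample input, patterned on the thread's messages
    "✘ get application demo: get application demo: AccessDeniedException: "
    "User: arn:aws:iam::123456789012:user/demo is not authorized to perform: "
    "ssm:GetParameter on resource: "
    "arn:aws:ssm:us-east-1:123456789012:parameter/copilot/applications/demo",
    "AccessDeniedException: User: arn:aws:iam::123456789012:user/demo is not "
    "authorized to perform: ssm:GetParametersByPath on resource: "
    "arn:aws:ssm:us-east-1:123456789012:parameter/copilot/applications/demo "
    "because no identity-based policy allows the ssm:GetParametersByPath action",
    "AccessDenied: User: arn:aws:iam::123456789012:user/demo is not authorized "
    "to perform: cloudformation:DescribeStacks on resource: "
    "arn:aws:cloudformation:us-east-1:123456789012:stack/demo-infrastructure-roles/*",
    "2021-01-01 12:00:00 INFO deployment succeeded",  # no denial on this line
]


def parse_denial(line):
    """Return {'principal', 'action', 'resource'} for a denial line, else None."""
    match = DENIAL_RE.search(line)
    return match.groupdict() if match else None


def build_policy(lines):
    """Aggregate denials into Allow statements, one per distinct resource set."""
    resources_by_action = {}
    for line in lines:
        denial = parse_denial(line)
        if denial is None:
            continue
        resources_by_action.setdefault(denial["action"], set()).add(denial["resource"])
    # Actions that were denied on exactly the same resources share one statement.
    actions_by_resources = {}
    for action, resources in resources_by_action.items():
        actions_by_resources.setdefault(frozenset(resources), set()).add(action)
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": sorted(resources)}
        for resources, actions in actions_by_resources.items()
    ]
    statements.sort(key=lambda st: st["Action"])
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(build_policy(SAMPLE_ERRORS), indent=2))
```

The generated statements name the literal ARNs from the errors; when the same denial shows up for every application, widen the resource deliberately (for instance to the parameter/copilot/* prefix used in the template above) rather than to "*", and re-run the deployment to collect the next denial.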
Getting the same error as well, even with an admin user. Where is the CloudFormation file supposed to go?
Note that the AWSLambdaFullAccess policy is now gone and the new policy is called AWSLambda_FullAccess.
Could you share whether you had success with any of this? I'm using the Kinesis KCL, which needs the credentials as environment variables, and this would be perfect. The only problem I have when deploying is that the resource names must be unique between environments and applications, so I don't know how to change the name 'addUserToGroup' to '${App}-${Env}-addUserToGroup', for example.
Same error:
✘ get application demo: get application demo: AccessDeniedException: User: arn:aws:iam::xxxxxxxxxxxxxx:user/demo is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:ap-northeast-1:xxxxxxxxxxxxxx:parameter/copilot/applications/demo because no identity-based policy allows the ssm:GetParameter action status code: 400, request id: xxxxxxx-xxxx-xxx-xxxx
But there is no SSM parameter and no CloudFormation stack generated by copilot. I can't delete or init app, env, svc... orz
Sorry, solved. The AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY in my local .env file were overwriting the values in my copilot profile at runtime. I commented these out and it worked.
Don't forget to add the tag:* actions when removing app.
Hi, can anyone help? I deployed my applications in ECS using the aws-copilot tool on my local system. My system got corrupted and all my files are gone. I reinstalled the OS. Now how do I connect to my already deployed ECS containers using the aws-copilot tool?
Hello @Dhina-test! To restore a workspace, you can do the following:
Register your workspace

    # 1. Navigate to your workspace.
    $ cd <your workspace directory>
    $ copilot app init
    > Would you like to use one of your existing applications?
    # Select the app that you want

This will create a copilot/.workspace file so that Copilot knows which application the workspace is for.
Restore service manifest
Now you will need to restore your service manifests. Say you have a service named mysvc:

    # From your workspace...
    # 2. Create the directory for the "mysvc" service.
    $ mkdir -p copilot/mysvc
    # 3. Fetch your service configuration.
    $ copilot svc show -n mysvc --manifest test > copilot/mysvc/manifest.yml

If step 3 gives you an error that says "manifest metadata not found in template of stack web-and-backend-test-web", please let me know!
Restore environment manifest
Environments used to be immutable; the environment manifest was only introduced in v1.20 in last week's release. Therefore, it's likely that you didn't have any environment manifest yet, so feel free to skip this step for now.
It is however recommended to have environment manifests, because running env init and env deploy with an environment manifest (just like the svc workflow) will be the workflow going forward. Here are the instructions to migrate. If you do want to migrate, feel free to do so after, not during, restoring your workspace.
I'm still somewhat confused here, I see this note in the docs, but unclear what permissions a new IAM user will need, has this been documented anywhere?
You cannot use the AWS account root user credentials for your application. Please first create an IAM user instead as described [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html).