Document requirements for Task Roles created manually
I've found that the `arn:aws:iam::xxxxxxxxxxxx:role/xxx-EnvManagerRoleRole` created by Copilot CLI will use the tags `copilot-application` and `copilot-environment` to restrict some of the permissions that this role has. Specifically, I had issues understanding where and how to add PassRole permissions to a manually created Role that I wanted to use in a `copilot task run --task-role RoleName` job.
The solution was to tag this manually created role with proper values for these tags, but I couldn't find this documented anywhere.
It would be useful to have these permissions documented centrally. In this particular case it would be nice to have this documented here, but I'm sure there are other places like this that are hard to find without knowing the internals of these architecture decisions.
Hope this helps, Pablo
PS: The original error that triggered this analysis was:

```
✘ Failed to run taskname.
✘ run task taskname: run task taskname: run task(s) copilot-taskname: AccessDeniedException: User: arn:aws:sts::xxxxxxxxxxxxxx:role:assumed-role/projectname-lab-test-EnvManagerRole/1608567341846890749 is not authorized to perform: iam:PassRole on resource: arn:aws:iam::xxxxxxxxxxxxxx:role/TaskRole
```
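The mechanism behind the error above, as an added example that is not part of the original issue or of the Copilot CLI: a tag-scoped `iam:PassRole` statement evaluated offline against a role's tags. The statement shape is an assumed reconstruction of the kind of condition the EnvManagerRole carries (it is not copied from Copilot's templates), and the application name `projectname`, environment `lab-test` and role `TaskRole` are taken from the redacted error message for illustration. It shows why an untagged role, or a role tagged for a different environment, is denied, and prints the `aws iam tag-role` command that applies the tags.

```python
"""Offline check of a tag-scoped iam:PassRole condition.

Added example, not Copilot's own code. The statement below is an ASSUMED
reconstruction of a PassRole statement conditioned on copilot-application /
copilot-environment resource tags; app/env/role names are constructed from
the redacted error message in the issue.
"""
from typing import Any, Dict

TAG_PREFIX = "iam:ResourceTag/"


def passrole_statement(app: str, env: str) -> Dict[str, Any]:
    """Assumed shape of the EnvManagerRole's PassRole grant: PassRole is only
    allowed when the target role carries both matching tags."""
    return {
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                TAG_PREFIX + "copilot-application": app,
                TAG_PREFIX + "copilot-environment": env,
            }
        },
    }


def required_tags(app: str, env: str) -> Dict[str, str]:
    """Tags a manually created task role needs before `copilot task run --task-role`."""
    return {"copilot-application": app, "copilot-environment": env}


def condition_matches(condition: Dict[str, Any], role_tags: Dict[str, str]) -> bool:
    """Evaluate StringEquals on iam:ResourceTag/* keys only (the subset used here).
    A missing tag makes the condition fail, which is an implicit deny."""
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith(TAG_PREFIX):
            raise ValueError(f"unsupported condition key: {key}")
        tag_name = key[len(TAG_PREFIX):]
        if role_tags.get(tag_name) != expected:  # StringEquals is case-sensitive
            return False
    return True


def pass_role_allowed(statement: Dict[str, Any], role_tags: Dict[str, str]) -> bool:
    """True if this single Allow statement grants iam:PassRole on a role with the given tags."""
    if statement.get("Effect") != "Allow" or statement.get("Action") != "iam:PassRole":
        return False
    return condition_matches(statement.get("Condition", {}), role_tags)


def tag_role_command(role_name: str, tags: Dict[str, str]) -> str:
    """The aws cli invocation that applies the tags (returned as a string, never executed)."""
    kv = " ".join(f"Key={k},Value={v}" for k, v in tags.items())
    return f"aws iam tag-role --role-name {role_name} --tags {kv}"


if __name__ == "__main__":
    stmt = passrole_statement("projectname", "lab-test")
    # Untagged role: exactly the AccessDeniedException from the issue.
    print("untagged:", pass_role_allowed(stmt, {}))
    # Tagged for another environment: still denied, the env tag must match too.
    print("wrong env:", pass_role_allowed(stmt, required_tags("projectname", "prod")))
    # Correctly tagged role: PassRole is permitted.
    fix = required_tags("projectname", "lab-test")
    print("tagged:", pass_role_allowed(stmt, fix))
    print(tag_role_command("TaskRole", fix))
```

After tagging, `aws iam list-role-tags --role-name TaskRole` shows whether both keys are present; note that the tag values must match the application and environment the task is run in, not just exist.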
This issue is stale because it has been open 60 days with no response activity. Remove the stale label, add a comment, or this will be closed in 14 days.
This issue is closed due to inactivity. Feel free to reopen the issue if you have any further questions!