
Can the generated `ExecutionRole` policies be customised?

Open AP-Hunt opened this issue 3 years ago • 8 comments

Hi folks,

With Copilot 1.21.1, I can see that the policy attached to the execution role generated in the $NAME-infrastructure-roles stack contains the following statements:

{
    "Action": [
        "cloudformation:*",
        "s3:*",
        "sns:*"
    ],
    "Resource": "*",
    "Effect": "Allow",
    "Sid": "StackSetRequiredPermissions"
},
{
    "Action": [
        "kms:*"
    ],
    "Resource": "*",
    "Effect": "Allow",
    "Sid": "ManageKMSKeys"
},

Is it possible to customise the attached policy? I'm looking at deploying something with Copilot into an existing AWS account with a number of existing KMS and S3 resources (among others). The policy as it stands is rather broad, and it would be great to be able to restrict the permissions in all the regular ways.

Thanks

AP-Hunt avatar Sep 15 '22 15:09 AP-Hunt

Hello @AP-Hunt.

I'm looking at deploying something with Copilot into an existing AWS account with a number of existing KMS and S3 resources (among others).

Do you want to use existing KMS and S3 resources so that Copilot won't create one for you, and the ExecutionRole can be scoped down accordingly?

iamhopaul123 avatar Sep 15 '22 15:09 iamhopaul123

Do you want to use existing KMS and S3 resources so that Copilot won't create one for you, and the ExecutionRole can be scoped down accordingly?

No, I'd like it to create everything it needs, but not have permission to touch things it didn't create.

AP-Hunt avatar Sep 15 '22 15:09 AP-Hunt

Gotcha. So for StackSetRequiredPermissions it is the minimal requirement according to https://go.aws/3Sa5Tcf. And for the KMS key management, it might be possible that we have some room for making it minimal:

"Key administrators have permissions to manage the KMS key, but do not have permissions to use the KMS key in cryptographic operations." According to this.

iamhopaul123 avatar Sep 15 '22 17:09 iamhopaul123

Hi, sorry, that PR doesn't address the issue I raised. I'd like to be able to customise the policy for myself to restrict it beyond what it is today.

AP-Hunt avatar Sep 16 '22 09:09 AP-Hunt

Ooh, sorry, I'll reopen the issue. Would you mind telling us what customization you would like to do to the ExecutionRole? Without those two above-mentioned permissions Copilot might not work well.

iamhopaul123 avatar Sep 16 '22 15:09 iamhopaul123

Sure thing. I'd like to be able to write a policy that restricts copilot to only touching things it created, using naming conventions. For example:

{
    "Action": [
        "kms:*"
    ],
    "Resource": "arn:aws:kms:key/${APP_NAME}-*",
    "Effect": "Allow",
    "Sid": "ManageKMSKeys"
},

Or something to that effect. I don't imagine this kind of policy is one you'd want to build directly into copilot itself, but it would be nice to be able to add that as a user.

AP-Hunt avatar Sep 16 '22 16:09 AP-Hunt

Yeah, that won't work because the KMS resource ARN is pretty random, like this: arn:aws:kms:us-west-2:1234567890:key/c0ab6774-9c66-48fa-89c4-d8d6a731d2d7. I've been trying to use tags as a condition to further scope down the policy and it doesn't seem to work, and this is the doc I referred to. I'll be more than happy to scope down the permission if you have any idea on how you'd like to customize.

iamhopaul123 avatar Sep 16 '22 18:09 iamhopaul123

Limiting by tags would have been my next suggestion. It's a shame it sounds like that doesn't work either :( I think this may be a dead end for this particular issue.

AP-Hunt avatar Sep 20 '22 09:09 AP-Hunt
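The two scoping approaches discussed in the thread (by ARN, which fails because key IDs are random UUIDs, and by tag condition) can be made concrete. The following is an added example and is not code from the issue or from the Copilot project: it takes the broad `ManageKMSKeys` statement quoted above, produces a tag-scoped replacement that keeps `Resource: "*"` but gates key operations on `aws:ResourceTag/<key>` (and `kms:CreateKey` on `aws:RequestTag/<key>`, since a key has no tags before it exists), and includes a small linter plus a local condition evaluator so the difference can be exercised offline. The tag key `copilot-application` and the application name `myapp` are assumptions; the evaluator models only `StringEquals` on those two global condition keys and is not the IAM policy engine, so any policy derived from it should still be checked with the IAM policy simulator against the actual KMS calls Copilot makes.

```python
import fnmatch
import json

# Statement as quoted in the issue: kms:* on every key in the account.
BROAD_KMS_STATEMENT = {
    "Action": ["kms:*"],
    "Resource": "*",
    "Effect": "Allow",
    "Sid": "ManageKMSKeys",
}

# Assumed tag key; Copilot's actual tagging convention is not shown in the thread.
APP_TAG_KEY = "copilot-application"


def scoped_kms_statements(app_name: str, tag_key: str = APP_TAG_KEY) -> list:
    """Replace the broad statement with three narrower ones: list calls that have
    no key resource, CreateKey limited to keys tagged for this app in the request
    (aws:RequestTag), and everything else limited to keys that already carry the
    tag (aws:ResourceTag). Key ARNs are random UUIDs, so Resource stays "*" and
    the tag condition does the scoping."""
    return [
        {
            "Sid": "ListKmsKeys",
            "Effect": "Allow",
            "Action": ["kms:ListKeys", "kms:ListAliases"],
            "Resource": "*",
        },
        {
            "Sid": "CreateKmsKeysForApp",
            "Effect": "Allow",
            "Action": ["kms:CreateKey"],
            "Resource": "*",
            "Condition": {"StringEquals": {f"aws:RequestTag/{tag_key}": app_name}},
        },
        {
            "Sid": "ManageTaggedKmsKeys",
            "Effect": "Allow",
            "Action": ["kms:*"],
            "Resource": "*",
            "Condition": {"StringEquals": {f"aws:ResourceTag/{tag_key}": app_name}},
        },
    ]


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def overly_broad(statement: dict) -> bool:
    """Flag an Allow statement that pairs a wildcard action with Resource "*"
    and no Condition: the pattern the issue asks to tighten."""
    if statement.get("Effect") != "Allow" or statement.get("Condition"):
        return False
    wildcard_action = any(a.endswith("*") for a in _as_list(statement.get("Action")))
    return wildcard_action and "*" in _as_list(statement.get("Resource"))


def _condition_holds(condition: dict, resource_tags: dict, request_tags: dict) -> bool:
    """Evaluate the StringEquals conditions used above. aws:ResourceTag/<k> reads
    the tag on the existing key; aws:RequestTag/<k> reads the tag supplied in the
    API call. A missing tag never satisfies StringEquals."""
    for key, expected in condition.get("StringEquals", {}).items():
        if key.startswith("aws:ResourceTag/"):
            actual = resource_tags.get(key[len("aws:ResourceTag/"):])
        elif key.startswith("aws:RequestTag/"):
            actual = request_tags.get(key[len("aws:RequestTag/"):])
        else:
            return False  # condition key not modelled here: treat as unsatisfied
        if actual != expected:
            return False
    return True


def allows(statements: list, action: str, resource_tags=None, request_tags=None) -> bool:
    """Minimal local check (not the IAM engine): does some Allow statement match the
    action with its conditions satisfied? The generated policy has no Deny statements."""
    resource_tags = resource_tags or {}
    request_tags = request_tags or {}
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(st.get("Action"))):
            continue
        if _condition_holds(st.get("Condition", {}), resource_tags, request_tags):
            return True
    return False


def policy_document(statements: list) -> str:
    """Render statements as a complete IAM policy document."""
    return json.dumps({"Version": "2012-10-17", "Statement": statements}, indent=4)


if __name__ == "__main__":
    print(policy_document(scoped_kms_statements("myapp")))
```

Running the module prints the scoped policy. With the broad statement, `kms:ScheduleKeyDeletion` is allowed on a key tagged for a different team; with the scoped statements it is allowed only when the key carries `copilot-application=myapp`, and `kms:CreateKey` only when the request supplies that tag. The trade-off is the same one the thread runs into: actions that operate on a key but whose requests are not tagged (for example alias or grant operations on keys created outside this convention) are refused, which is the intended behaviour, but it also means every key Copilot manages must actually be tagged for the condition to hold.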