terraform-aws-gitlab-runner
Variable docker_machine_role_json Sets Assume-Role Policy Not Role Policy
The variables docker_machine_role_json and instance_role_json are described as "instance override policy" which would seem to indicate that these could allow us to set custom permissions for these policies. If our docker machine instances for example need to access IAM resources it would be helpful to be able to configure custom permissions for the docker machine.
However, these two variables do not allow us to configure additional permissions, but only configure the assume-role policy for these roles. Since the role will always be assumed by an ec2 instance in our account, I don't believe this was the intention.
Docker machine only supports the instance role: https://docs.docker.com/machine/drivers/aws/ Will have a look later this week.
Yeah, I understand. I was mostly pointing out that the docker_machine_role_json variable might be unnecessary, since I don't think there's ever a reason we would need to override the assume role policy.
@bliles, I don't agree with this statement. At my company (and probably we aren't the only ones) our AWS accounts all enforce that every role must trust a specific entity that is used for auditing and monitoring. Therefore I use docker_machine_role_json to set my own policy and add the additional trusted entity to it.
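As an added example (not the module's or any commenter's code), the distinction the thread turns on, written in Terraform: the trust policy that docker_machine_role_json sets, carrying the extra trusted auditing entity from the use case above, next to the separate permissions policy that would actually grant the docker-machine instances access to IAM resources. The module source address, the role name and the audit principal ARN are assumptions or placeholders, and it is assumed (as the issue states) that the module passes the variable straight into the role's assume_role_policy.

```hcl
# Trust policy: who may ASSUME the docker-machine role. EC2 stays the
# principal the instances need; the audit principal is the extra
# trusted entity from the thread (placeholder ARN).
locals {
  docker_machine_trust_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AllowEC2InstancesToAssume"
        Effect    = "Allow"
        Principal = { Service = "ec2.amazonaws.com" }
        Action    = "sts:AssumeRole"
      },
      {
        Sid       = "AllowAuditEntityToAssume"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::<ACCOUNT_ID>:role/<AUDIT_ROLE>" }
        Action    = "sts:AssumeRole"
      }
    ]
  })
}

module "runner" {
  source = "npalm/gitlab-runner/aws" # assumed registry address of this module
  # ...the module's other required inputs are omitted here...

  # Sets ONLY the assume-role (trust) policy, not the role's permissions.
  docker_machine_role_json = local.docker_machine_trust_policy
}

# Permissions: what the role may DO once assumed. This is what the issue
# author expected the variable to control; it needs its own policy
# attached to the role the module creates (role name is a placeholder).
resource "aws_iam_role_policy" "docker_machine_extra" {
  name = "docker-machine-extra-permissions"
  role = "<DOCKER_MACHINE_ROLE_NAME>"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["iam:ListRoles"] # narrow, read-only grant; widen only as needed
      Resource = "*"
    }]
  })
}
```

A quick check that the variable really landed in the trust policy and not the permissions: `aws iam get-role --role-name <DOCKER_MACHINE_ROLE_NAME>` shows the trust document under AssumeRolePolicyDocument, while `aws iam list-role-policies` lists the inline permissions policies.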
Related to #272
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 15 days.
Closed in favor of #272. It's a duplicate.