Comments (4)
BjoernKW
commented on August 15, 2024
Thanks for the feedback! Could you please try and use these AWS-managed policies instead?
- AmazonEC2FullAccess
- AmazonECS_FullAccess
- AWSLambda_FullAccess
- AWSCloudFormationFullAccess
- AmazonCognitoPowerUser
The AWS-managed AmazonEC2ContainerServiceFullAccess policy has been phased out (see https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security-iam-awsmanpol-amazonecs-full-access-migration.html )
Both Permissive_CloudFormation_permissions and Manage_Cognito_user_pools are custom policies we've set up ourselves (and which therefore won't work out of the box; so, thanks again for notifying us about this issue). The default AWS policies mentioned above are somewhat more permissive in that they allow actions which are probably not required by our setup, but they're easier to get started with than by setting up those custom policies in the IAM console individually.
I know this runs against the principle of least privilege. Hence, we'll consider describing these more restrictive permission sets in a future edition of the ebook. Anyway, the next minor release of the ebook will contain a modified list of policies including the ones mentioned above.
from stratospheric.
Partyschaum
commented on August 15, 2024
Thank you so much for the fast response. 💚 🚀
It works now. 👍
from stratospheric.
Partyschaum
commented on August 15, 2024
Moin,
I just wanted to give you additional feedback on this. Today I tried to push images to my private ECR repository and got An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::***:user/github is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action.
After some google-foo I found an example on Accessing One Amazon ECR Repository which I then applied to the CF stack for my GitHub user. I'm not sure if those rights are too broad but it made the login and pushing images to the private ECR repository finally possible.
Maybe you want to add this to the next minor release of the ebook too. 👍
val managedGroupPolicies = listOf(
"AmazonEC2FullAccess",
"AmazonECS_FullAccess",
"AmazonCognitoPowerUser",
"AWSCloudFormationFullAccess",
"AWSLambda_FullAccess",
).map { ManagedPolicy.fromAwsManagedPolicyName(it) }
val gitHubActionsGroup = Group(
gitHubActionsStack,
"GitHubActionsGroup",
GroupProps.builder()
.groupName(gitHubActionsGroupName)
.managedPolicies(managedGroupPolicies)
.build()
).also {
it.addToPolicy(
PolicyStatement.Builder.create()
.sid("GetAuthorizationToken")
.effect(Effect.ALLOW)
.actions(listOf("ecr:GetAuthorizationToken"))
.resources(listOf("*"))
.build()
)
it.addToPolicy(
PolicyStatement.Builder.create()
.sid("ListImagesInRepository")
.effect(Effect.ALLOW)
.actions(listOf("ecr:ListImages"))
.resources(listOf("*"))
.build()
)
it.addToPolicy(
PolicyStatement.Builder.create()
.sid("ManageRepositoryContents")
.effect(Effect.ALLOW)
.actions(
listOf(
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:PutImage",
)
)
.resources(listOf("*"))
.build()
)
}
val gitHubActionsUser = User(
gitHubActionsStack,
"GitHubActionsUser",
UserProps.builder()
.userName(gitHubActionsUserName)
.managedPolicies(managedGroupPolicies)
.groups(listOf(gitHubActionsGroup))
.build()
)from stratospheric.
BjoernKW
commented on August 15, 2024
Thanks for the additional feedback! The ecr:GetAuthorizationToken permissions is part of the AmazonEC2ContainerRegistryFullAccess policy, which I didn't mention in my comment (but which is listed in the appendix of the ebook).
from stratospheric.
Related Issues (20)
- Error performing - 1.06 - Deploying a Service Stack with CloudFormation HOT 1
- ECS error log when npm run service:deploy HOT 3
- Tracing User Actions with Amazon DyanomoDB missing initialization HOT 2
- Collaborator - user not able to login to accepts the invite. HOT 6
- Bug in chapter 10 - "npm run service:deploy" includes more than a single stack HOT 3
- Bug Chapter 10 - The deployment of the ECS Service freeze HOT 1
- Readability: The transparent version of the Stratospheric Technical Architecture Image in the README.md is not readable on a dark mode background. Use the non-transparent image instead HOT 2
- Fix the answers for two questions in quizzes 1 and 6 HOT 2
- Let students restart the course and take the quizzes as many times as they like. HOT 5
- Build Issues on Mac M3 HOT 3
- Add information on required mapping of / HOT 2
- Container based on ActiveMQ image not starting in Windows 10 HOT 1
- local-aws-infrastructure.sh not invoked HOT 1
- Inconsistancy - Book contains legacy output declaration for GithubActions HOT 1
- Possible conflict between prerequisites and instructions in the appendix HOT 2
- micrometer-registry-cloudwatch2 should be used instead of micrometer-registry-cloudwatch? HOT 1
- Extend discussion of Todo app integration with Spring Boot to mobile app context for Cognito HOT 1
- Unable to create Cognito App HOT 10
- Clarification on deploying multiple apps using same account HOT 1
- IAM role relationship diagram improvement HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from stratospheric.