Setting up the Technical GitHub Actions IAM User (again) about stratospheric HOT 5 CLOSED

I simple solution would be to assign the arn:aws:iam::aws:policy/IAMFullAccess policy to your CI user (or one of the user groups that user belongs to). This policy includes these permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:*",
                "organizations:DescribeAccount",
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribePolicy",
                "organizations:ListChildren",
                "organizations:ListParents",
                "organizations:ListPoliciesForTarget",
                "organizations:ListRoots",
                "organizations:ListPolicies",
                "organizations:ListTargetsForPolicy"
            ],
            "Resource": "*"
        }
    ]
}

See this link from the official IAM documentation for more details:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html

from stratospheric.

Thanks for this additional input.

As for the SystemAdministrator policy, it belongs to the job-function namespace: arn:aws:iam::aws:policy/job-function/SystemAdministrator. You might have to add that namespace to the name of the policy (like job-function/SystemAdministrator) for your script to work:

    val managedGroupPolicies = listOf(
        "AWSCertificateManagerFullAccess",
        "AWSCloudFormationFullAccess",
        "AWSKeyManagementServicePowerUser",
        "AWSLambda_FullAccess",
        "AmazonCognitoPowerUser",
        "AmazonEC2ContainerRegistryFullAccess",
        "AmazonEC2FullAccess",
        "AmazonECS_FullAccess",
        "AmazonMQApiFullAccess",
        "AmazonRDSFullAccess",
        "AmazonS3FullAccess",
        "AmazonSSMFullAccess",
        "IAMReadOnlyAccess",
        "job-function/SystemAdministrator",
    ).map { ManagedPolicy.fromAwsManagedPolicyName(it) }

As for the limit of 10 policies per user we'll add this further explanation to the appendix in the next edition:

Since AWS imposes a limit of 10 policies per user ("Cannot exceed quota for PoliciesPerUser: 10"), you need to create user groups, attach the policies to the groups, and add the user to those groups.

For example, you can create a group called EC2_users, attach the following policies, and subsequently add your IAM user to that group (repeat for any other required permission policies):

• AmazonEC2ContainerRegistryFullAccess
• AmazonEC2FullAccess
• AmazonECS_FullAccess

from stratospheric.

D'oh! Using more than one group to prevent reaching the policy quota did not occur to me until now. 🤦‍♂️ That worked of course and I now finally have all the policies mentioned in the book attached to my CI user.

But now it complains, that the CI user is not authorized to perform: iam:PassRole on resource: arn:aws:iam::***:role/cdk-hnb659fds-cfn-exec-role-***-*** because no identity-based policy allows the iam:PassRole action. ¹

This role comes from the CDKToolkit stack and refers to the logical id DeploymentActionRole. I already googled a bit on how to make the CI user assume this role but I failed to set that up.

Could you maybe point me in the right direction? Or is there another managed policy my CI user needs in order to be allowed to assume this role?

from stratospheric.

Please reopen if you have any further questions.

from stratospheric.

Thanks! I'm going with IAMFullAccess now and it works! 🚀

from stratospheric.