Comments (5)
A simple solution would be to assign the arn:aws:iam::aws:policy/IAMFullAccess policy to your CI user (or one of the user groups that user belongs to). This policy includes these permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:*",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribePolicy",
        "organizations:ListChildren",
        "organizations:ListParents",
        "organizations:ListPoliciesForTarget",
        "organizations:ListRoots",
        "organizations:ListPolicies",
        "organizations:ListTargetsForPolicy"
      ],
      "Resource": "*"
    }
  ]
}
See this link from the official IAM documentation for more details:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html
from stratospheric.
Thanks for this additional input.
As for the SystemAdministrator policy, it belongs to the job-function namespace: arn:aws:iam::aws:policy/job-function/SystemAdministrator. You might have to add that namespace to the name of the policy (like job-function/SystemAdministrator) for your script to work:
val managedGroupPolicies = listOf(
    "AWSCertificateManagerFullAccess",
    "AWSCloudFormationFullAccess",
    "AWSKeyManagementServicePowerUser",
    "AWSLambda_FullAccess",
    "AmazonCognitoPowerUser",
    "AmazonEC2ContainerRegistryFullAccess",
    "AmazonEC2FullAccess",
    "AmazonECS_FullAccess",
    "AmazonMQApiFullAccess",
    "AmazonRDSFullAccess",
    "AmazonS3FullAccess",
    "AmazonSSMFullAccess",
    "IAMReadOnlyAccess",
    "job-function/SystemAdministrator",
).map { ManagedPolicy.fromAwsManagedPolicyName(it) }
As for the limit of 10 policies per user, we'll add this further explanation to the appendix in the next edition:
Since AWS imposes a limit of 10 policies per user ("Cannot exceed quota for PoliciesPerUser: 10"), you need to create user groups, attach the policies to the groups, and add the user to those groups.
For example, you can create a group called EC2_users, attach the following policies, and subsequently add your IAM user to that group (repeat for any other required permission policies):
- AmazonEC2ContainerRegistryFullAccess
- AmazonEC2FullAccess
- AmazonECS_FullAccess
from stratospheric.
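The grouping procedure described in the comment above, as an added Python example that is not part of the book or of this thread: it deduplicates the managed policy names posted earlier, splits them into groups that stay under the 10-policy quota, builds the policy ARNs (keeping the job-function/ namespace), and issues the create-group / attach-group-policy / add-user-to-group calls. The group-name prefix ci-policies, the user name ci-user and the DryRunClient stand-in are assumptions; pass a real boto3.client("iam") to apply the plan for real.

```python
"""Attach more than 10 managed policies to a CI user by spreading them over
IAM groups (added example; not code from the Stratospheric book or the thread).
The group-name prefix, the user name and the DryRunClient are assumptions."""
from typing import Dict, List, Sequence, Tuple

# IAM default quotas: the "PoliciesPerUser: 10" limit from the thread has a
# per-group counterpart, and a user can be a member of at most 10 groups.
POLICIES_PER_GROUP = 10
GROUPS_PER_USER = 10

# The policy names posted in the thread; the job-function namespace is part of the name.
MANAGED_POLICIES = [
    "AWSCertificateManagerFullAccess",
    "AWSCloudFormationFullAccess",
    "AWSKeyManagementServicePowerUser",
    "AWSLambda_FullAccess",
    "AmazonCognitoPowerUser",
    "AmazonEC2ContainerRegistryFullAccess",
    "AmazonEC2FullAccess",
    "AmazonECS_FullAccess",
    "AmazonMQApiFullAccess",
    "AmazonRDSFullAccess",
    "AmazonS3FullAccess",
    "AmazonSSMFullAccess",
    "IAMReadOnlyAccess",
    "job-function/SystemAdministrator",
]


def policy_arn(name: str) -> str:
    """ARN of an AWS managed policy, e.g. 'job-function/SystemAdministrator'."""
    return f"arn:aws:iam::aws:policy/{name}"


def plan_groups(policies: Sequence[str], prefix: str = "ci-policies",
                quota: int = POLICIES_PER_GROUP) -> List[Tuple[str, List[str]]]:
    """Deduplicate the policy names (keeping order) and split them into
    groups of at most `quota` policies, named <prefix>-1, <prefix>-2, ..."""
    names = list(dict.fromkeys(policies))
    if len(names) > quota * GROUPS_PER_USER:
        raise ValueError(f"{len(names)} policies exceed {quota}x{GROUPS_PER_USER} group slots")
    return [
        (f"{prefix}-{i // quota + 1}", [policy_arn(n) for n in names[i:i + quota]])
        for i in range(0, len(names), quota)
    ]


def apply_plan(iam, user_name: str, plan: Sequence[Tuple[str, List[str]]]) -> List[str]:
    """Create each group, attach its policies and add the user to it.
    `iam` is a boto3 IAM client, or anything exposing the same
    create_group / attach_group_policy / add_user_to_group methods.
    Existing groups are reused so the script can be re-run."""
    for group_name, arns in plan:
        try:
            iam.create_group(GroupName=group_name)
        except iam.exceptions.EntityAlreadyExistsException:
            pass
        for arn in arns:
            iam.attach_group_policy(GroupName=group_name, PolicyArn=arn)
        iam.add_user_to_group(GroupName=group_name, UserName=user_name)
    return [group_name for group_name, _ in plan]


class DryRunClient:
    """Constructed stand-in for boto3.client('iam') that only records the calls."""
    class exceptions:
        class EntityAlreadyExistsException(Exception):
            pass

    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict[str, str]]] = []

    def create_group(self, **kw): self.calls.append(("create_group", kw))
    def attach_group_policy(self, **kw): self.calls.append(("attach_group_policy", kw))
    def add_user_to_group(self, **kw): self.calls.append(("add_user_to_group", kw))


if __name__ == "__main__":
    client = DryRunClient()   # swap in boto3.client("iam") to apply the plan
    groups = apply_plan(client, "ci-user", plan_groups(MANAGED_POLICIES))
    for call, kwargs in client.calls:
        print(call, kwargs)
    print("groups:", groups)
```

With the 14 policies from the thread the plan is two groups, ci-policies-1 with ten policies and ci-policies-2 with four; the ValueError guards against the second quota (groups per user) that the thread does not mention but that the same approach eventually hits.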
D'oh! Using more than one group to prevent reaching the policy quota did not occur to me until now. 🤦♂️ That worked, of course, and I now finally have all the policies mentioned in the book attached to my CI user.
But now it complains that the CI user is not authorized to perform: iam:PassRole on resource: arn:aws:iam::***:role/cdk-hnb659fds-cfn-exec-role-***-*** because no identity-based policy allows the iam:PassRole action.
This role comes from the CDKToolkit stack and refers to the logical id DeploymentActionRole. I already googled a bit on how to make the CI user assume this role but I failed to set that up.
Could you maybe point me in the right direction? Or is there another managed policy my CI user needs in order to be allowed to assume this role?
from stratospheric.
Please reopen if you have any further questions.
from stratospheric.
Thanks! I'm going with IAMFullAccess
now and it works! 🚀
from stratospheric.
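The PassRole error in this thread is the check IAM performs when a principal hands a role to a service, here the CDK CloudFormation execution role to CloudFormation. IAMFullAccess makes it go away because iam:* on Resource "*" covers iam:PassRole for every role in the account, together with iam:CreateUser, iam:AttachUserPolicy and the rest of IAM, so the CI user can grant itself anything. The following added example (not code from the book or from anyone in the thread) contrasts that with a statement scoped to the one role and the one service, using a deliberately simplified policy evaluator. The account id, region, the AdminRole ARN and the evaluator are constructed for illustration; real IAM evaluation also considers SCPs, resource policies and permissions boundaries, and the scoped statement covers only the PassRole step, not the other actions a deployment needs.

```python
"""Compare what IAMFullAccess grants with a least-privilege iam:PassRole
statement for the CDK CloudFormation execution role (added example; not code
from the Stratospheric book or the thread). Account id, region, AdminRole
and the evaluator itself are constructed simplifications."""
import fnmatch
import json

ACCOUNT = "123456789012"     # constructed placeholder account id
REGION = "eu-central-1"      # constructed placeholder region
CFN_EXEC_ROLE = f"arn:aws:iam::{ACCOUNT}:role/cdk-hnb659fds-cfn-exec-role-{ACCOUNT}-{REGION}"
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/AdminRole"   # constructed, stands for any other role

# The IAM part of the managed policy quoted in the thread: iam:* on everything.
IAM_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"}],
}

# Scoped alternative: pass exactly this role, and only to CloudFormation.
# Assumes the CI user deploys directly, as the error message suggests.
SCOPED_PASSROLE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PassCdkExecRoleToCloudFormation",
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": CFN_EXEC_ROLE,
        "Condition": {"StringEquals": {"iam:PassedToService": "cloudformation.amazonaws.com"}},
    }],
}

CFN_CONTEXT = {"iam:PassedToService": "cloudformation.amazonaws.com"}
EC2_CONTEXT = {"iam:PassedToService": "ec2.amazonaws.com"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are matched case-insensitively; '*' is the only wildcard used here.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _condition_ok(statement, context):
    # Only StringEquals is modelled; every listed key must match the request context.
    for key, expected in statement.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Simplified identity-policy evaluation: explicit Deny wins, then any
    matching Allow, otherwise the implicit deny."""
    context = context or {}
    allowed = False
    for st in policy["Statement"]:
        action_hit = any(_action_matches(a, action) for a in _as_list(st["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"]))
        if not (action_hit and resource_hit and _condition_ok(st, context)):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def compare():
    """The requests a practitioner cares about, evaluated against both policies."""
    user = f"arn:aws:iam::{ACCOUNT}:user/ci-user"
    return {
        "scoped_pass_cfn_exec_to_cfn": is_allowed(SCOPED_PASSROLE, "iam:PassRole", CFN_EXEC_ROLE, CFN_CONTEXT),
        "scoped_pass_cfn_exec_to_ec2": is_allowed(SCOPED_PASSROLE, "iam:PassRole", CFN_EXEC_ROLE, EC2_CONTEXT),
        "scoped_pass_admin_role": is_allowed(SCOPED_PASSROLE, "iam:PassRole", ADMIN_ROLE, CFN_CONTEXT),
        "scoped_create_access_key": is_allowed(SCOPED_PASSROLE, "iam:CreateAccessKey", user),
        "full_pass_admin_role_to_ec2": is_allowed(IAM_FULL_ACCESS, "iam:PassRole", ADMIN_ROLE, EC2_CONTEXT),
        "full_create_access_key": is_allowed(IAM_FULL_ACCESS, "iam:CreateAccessKey", user),
    }


if __name__ == "__main__":
    print(json.dumps(SCOPED_PASSROLE, indent=2))
    for name, ok in compare().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'}")
```

The scoped statement allows the one request the error message asks for and nothing else; IAMFullAccess allows that request too, but also passing any role to any service and minting access keys, which is why a CI identity should get the narrow statement (or, with the CDK bootstrap roles, assume the deploy role that already carries it) rather than the managed policy.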