Copilot-cli: Provide Default Policy for copilot execution user

Created on 31 Aug 2020 · 6 Comments · Source: aws/copilot-cli

When running copilot init after aws configure one has to fight through many "not authorized" errors before the application actually can be deployed (SSM access, cloud formation access, etc.).

Am I missing something?

There should be a hint in the documentation on how to configure permissions for the copilot execution user. An example policy would be very helpful, so that one does not have to start from scratch.

I am currently working on a cloudformation template, but probably there are already some existing solutions?


Finally, this is the CloudFormation template that I used to make copilot init run with the hello-world example.

AWSTemplateFormatVersion: 2010-09-09
Description: "Create a user equipped with permissions to create a copilot deployment stack."
Resources:
  copilotUser:
    Type: 'AWS::IAM::User'
  copilotUserGroup:
    Type: 'AWS::IAM::Group'
    Properties:
      GroupName: copilotUserGroup
      # AWS-managed FullAccess policies; IAMFullAccess in particular lets this user
      # grant itself any further permission, so scope these down once init works.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMFullAccess
        - arn:aws:iam::aws:policy/AWSCloudFormationFullAccess
        - arn:aws:iam::aws:policy/IAMFullAccess
        - arn:aws:iam::aws:policy/AWSCloudMapFullAccess
        - arn:aws:iam::aws:policy/AmazonEC2FullAccess
        - arn:aws:iam::aws:policy/AmazonECS_FullAccess
        - arn:aws:iam::aws:policy/AWSLambdaFullAccess
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess
  addUserToGroup:
    Type: 'AWS::IAM::UserToGroupAddition'
    Properties:
      GroupName: !Ref copilotUserGroup
      Users:
        - !Ref copilotUser
  copilotAccessKeys:
    Type: 'AWS::IAM::AccessKey'
    Properties:
      UserName: !Ref copilotUser
  copilotPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: 'copilotPolicy'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # copilot assumes the roles its own stacks create; '*' could be narrowed to those role ARNs.
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Resource: '*'
      Groups:
        - !Ref copilotUserGroup
Outputs:
  AwsAccessKey:
    Description: "Access key ID"
    Value: !Ref copilotAccessKeys
  AwsAccessToken:
    # Stack outputs are readable by anyone with cloudformation:DescribeStacks; treat this as a secret.
    Description: "Secret access key"
    Value: !GetAtt copilotAccessKeys.SecretAccessKey
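To see what the template above grants before handing those keys to a developer, here is an added audit script (not from the issue or the copilot-cli project) that loads the same template in JSON form and flags the three things a reviewer would raise: the IAMFullAccess attachment, state-changing actions allowed on Resource '*', and the secret access key exposed as a stack output. The severities and the read-only action heuristic are this example's own conventions.

```python
import json

# The issue author's template rendered as JSON (CloudFormation accepts JSON or YAML),
# constructed here so the script runs offline; !Ref and !GetAtt are in long form.
TEMPLATE_JSON = r'''{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "copilotUser": {"Type": "AWS::IAM::User"},
    "copilotUserGroup": {"Type": "AWS::IAM::Group", "Properties": {
      "GroupName": "copilotUserGroup",
      "ManagedPolicyArns": [
        "arn:aws:iam::aws:policy/AmazonSSMFullAccess",
        "arn:aws:iam::aws:policy/AWSCloudFormationFullAccess",
        "arn:aws:iam::aws:policy/IAMFullAccess",
        "arn:aws:iam::aws:policy/AWSCloudMapFullAccess",
        "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
        "arn:aws:iam::aws:policy/AmazonECS_FullAccess",
        "arn:aws:iam::aws:policy/AWSLambdaFullAccess",
        "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess"]}},
    "copilotAccessKeys": {"Type": "AWS::IAM::AccessKey", "Properties": {"UserName": {"Ref": "copilotUser"}}},
    "copilotPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
      "PolicyName": "copilotPolicy",
      "PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": "*"}]},
      "Groups": [{"Ref": "copilotUserGroup"}]}}
  },
  "Outputs": {
    "AwsAccessKey": {"Description": "Access token", "Value": {"Ref": "copilotAccessKeys"}},
    "AwsAccessToken": {"Description": "Access token",
                       "Value": {"Fn::GetAtt": ["copilotAccessKeys", "SecretAccessKey"]}}
  }
}'''

# Managed policies whose holder can grant itself any other permission.
ESCALATION_POLICIES = {"IAMFullAccess", "AdministratorAccess"}
READ_ONLY_PREFIXES = ("Describe", "Get", "List")   # heuristic: these do not change state
PRINCIPAL_TYPES = {"AWS::IAM::User", "AWS::IAM::Group", "AWS::IAM::Role"}
POLICY_TYPES = {"AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}


def _as_list(value):
    """IAM accepts a scalar or a list for Action, Resource and ManagedPolicyArns."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_managed_policies(logical_id, props):
    """Flag AWS-managed *FullAccess policies; IAMFullAccess is a straight path to admin."""
    findings = []
    for arn in _as_list(props.get("ManagedPolicyArns")):
        name = arn.rsplit("/", 1)[-1]
        if name in ESCALATION_POLICIES:
            findings.append((logical_id, "HIGH", f"{name} allows privilege escalation to admin"))
        elif name.endswith("FullAccess"):
            findings.append((logical_id, "MEDIUM", f"{name} is broad; prefer resource-scoped actions"))
    return findings


def check_policy_document(logical_id, doc):
    """Flag Allow statements that pair a state-changing action with Resource '*'."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        risky = [a for a in _as_list(stmt.get("Action"))
                 if a.endswith("*") or not a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)]
        if risky:
            findings.append((logical_id, "MEDIUM", f"{', '.join(risky)} allowed on Resource '*'"))
    return findings


def check_outputs(template):
    """Stack outputs are readable by anyone with cloudformation:DescribeStacks."""
    findings = []
    resources = template.get("Resources", {})
    for name, out in template.get("Outputs", {}).items():
        value = out.get("Value")
        getatt = value.get("Fn::GetAtt") if isinstance(value, dict) else None
        if not getatt:
            continue
        target, attr = getatt if isinstance(getatt, list) else getatt.split(".", 1)
        if resources.get(target, {}).get("Type") == "AWS::IAM::AccessKey" and attr == "SecretAccessKey":
            findings.append((f"Outputs/{name}", "HIGH", "secret access key exposed as a stack output"))
    return findings


def audit_template(template):
    """Return (where, severity, message) tuples for every over-broad grant or exposed secret."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") in PRINCIPAL_TYPES:
            findings += check_managed_policies(logical_id, props)
        elif res.get("Type") in POLICY_TYPES:
            findings += check_policy_document(logical_id, props.get("PolicyDocument", {}))
    findings += check_outputs(template)
    return findings


def audit_sample():
    return audit_template(json.loads(TEMPLATE_JSON))


if __name__ == "__main__":
    for where, severity, message in audit_sample():
        print(f"[{severity}] {where}: {message}")
```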

All 6 comments

Hi @andreas-gruenwald !

Thank you so much for providing a template with the sample list of policies to be a Copilot admin. You're right, we don't have it yet in our documentation; I've added a "documentation" label for us to keep it in mind in the future.

First of all, I love the project, kudos to everyone here. That said, I agree that this was the most annoying part for me trying out the deployments. Having user or group creation, or at least listing out required permissions, would definitely make for a better onboarding experience for new users.

Adding to the above roles, if you are using secrets it also requires parameter store permissions (ssm:PutParameter, GetParameter, etc).

I realize it's a little tricky to dig these all out, but it is also probably best to be a little finer-grained on some of the permissions vs. broader managed policies.
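A defender-side way to dig these out, as an added example that is not from the issue or the copilot-cli project: run the deployment once under a broad policy, then reduce the CloudTrail records of the copilot user to the IAM actions (and ARNs) it actually used, and list separately the calls that were denied so they can be added before the next run. The CloudTrail records, the user name copilot-user and the PREFIX_OVERRIDES table are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed CloudTrail records, abridged to the fields this script reads; the
# calls resemble what copilot init makes, but every value here is made up.
SAMPLE_EVENTS = [
    {"userIdentity": {"userName": "copilot-user"}, "eventSource": "ssm.amazonaws.com",
     "eventName": "PutParameter",
     "resources": [{"ARN": "arn:aws:ssm:us-east-1:111122223333:parameter/copilot/applications/demo"}]},
    {"userIdentity": {"userName": "copilot-user"}, "eventSource": "cloudformation.amazonaws.com",
     "eventName": "CreateChangeSet", "errorCode": "AccessDenied",
     "resources": [{"ARN": "arn:aws:cloudformation:us-east-1:111122223333:stack/demo-infrastructure-roles/*"}]},
    {"userIdentity": {"userName": "copilot-user"}, "eventSource": "cloudformation.amazonaws.com",
     "eventName": "DescribeStacks"},
    {"userIdentity": {"userName": "copilot-user"}, "eventSource": "ecr.amazonaws.com",
     "eventName": "GetAuthorizationToken"},
    {"userIdentity": {"userName": "copilot-user"}, "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "resources": [{"ARN": "arn:aws:iam::111122223333:role/demo-test-EnvManagerRole"}]},
    # A different principal: must not leak into the copilot user's policy.
    {"userIdentity": {"userName": "alice"}, "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances"},
]

# eventSource hosts whose IAM prefix differs from their first label (partial table, an assumption).
PREFIX_OVERRIDES = {"monitoring.amazonaws.com": "cloudwatch"}
DENIED_CODES = {"AccessDenied", "AccessDeniedException", "UnauthorizedOperation"}


def iam_action(event):
    """Map a CloudTrail record to the IAM action string it was authorised against."""
    source = event["eventSource"]
    prefix = PREFIX_OVERRIDES.get(source, source.split(".", 1)[0])
    return f"{prefix}:{event['eventName']}"


def collect(events, user_name):
    """Return ({action: set(ARNs)}, {denied actions}) for one IAM user's calls only."""
    needed = defaultdict(set)
    denied = set()
    for event in events:
        if event.get("userIdentity", {}).get("userName") != user_name:
            continue
        action = iam_action(event)
        needed[action].update(r["ARN"] for r in event.get("resources", []))
        if event.get("errorCode") in DENIED_CODES:
            denied.add(action)
    return dict(needed), denied


def build_policy(needed):
    """Group actions by the ARNs CloudTrail recorded, so each statement is as narrow as the evidence allows."""
    groups = defaultdict(set)
    for action, arns in needed.items():
        # No ARN in the record (e.g. ecr:GetAuthorizationToken) means '*' is unavoidable for that action.
        groups[tuple(sorted(arns)) or ("*",)].add(action)
    statements = []
    for arns, actions in sorted(groups.items()):
        statements.append({"Effect": "Allow", "Action": sorted(actions),
                           "Resource": arns[0] if len(arns) == 1 else list(arns)})
    return {"Version": "2012-10-17", "Statement": statements}


def policy_from_trail(events, user_name):
    """End to end: draft policy plus the actions the user was denied during the run."""
    needed, denied = collect(events, user_name)
    return build_policy(needed), sorted(denied)


if __name__ == "__main__":
    policy, denied = policy_from_trail(SAMPLE_EVENTS, "copilot-user")
    print(json.dumps(policy, indent=2))
    print("denied during the run, add before retrying:", denied)
```

Statements that end up with Resource '*' are the ones CloudTrail gave no ARN for; those still have to be scoped by hand, the way the role template later in this thread does for ECR repositories and EC2 networking resources.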

@andreas-gruenwald, Thanks for posting the credential list.
You saved me tons of time.

FYI. I had to add the policy AmazonRoute53FullAccess when using the --domain argument with the command
$ copilot app init --MYDOMAIN

Would really like to see a more limited set of policies.

Ended up with this for our minimal permissions. For our use case we added full DynamoDB, S3 and KMS, but that can easily be removed. Currently we don't have a requirement for Route53 domain management.

Resources:
  developerrole79A28402:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :iam::OTHER_ACCOUNT_NUMBER:root
        Version: "2012-10-17"
      Description: Developer role for copilot-perms-demo
      RoleName: developer-role
    Metadata:
      aws:cdk:path: InfrastructureStack/developer-role/Resource
  computepolicy04C11CFB:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - ecs:DescribeClusters
              - ecs:DeleteCluster
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:aws:ecs:"
                  - Ref: AWS::Region
                  - ":"
                  - Ref: AWS::AccountId
                  - :cluster/*
          - Action:
              - ecs:CreateCluster
              - ecr:GetAuthorizationToken
            Effect: Allow
            Resource: "*"
          - Action:
              - ecr:PutImageTagMutability
              - ecr:StartImageScan
              - ecr:ListTagsForResource
              - ecr:UploadLayerPart
              - ecr:BatchDeleteImage
              - ecr:ListImages
              - ecr:DeleteRepository
              - ecr:CompleteLayerUpload
              - ecr:TagResource
              - ecr:DescribeRepositories
              - ecr:DeleteRepositoryPolicy
              - ecr:BatchCheckLayerAvailability
              - ecr:GetLifecyclePolicy
              - ecr:PutLifecyclePolicy
              - ecr:DescribeImageScanFindings
              - ecr:GetLifecyclePolicyPreview
              - ecr:CreateRepository
              - ecr:PutImageScanningConfiguration
              - ecr:GetDownloadUrlForLayer
              - ecr:DeleteLifecyclePolicy
              - ecr:PutImage
              - ecr:UntagResource
              - ecr:SetRepositoryPolicy
              - ecr:BatchGetImage
              - ecr:DescribeImages
              - ecr:StartLifecyclePolicyPreview
              - ecr:InitiateLayerUpload
              - ecr:GetRepositoryPolicy
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:aws:ecr:"
                  - Ref: AWS::Region
                  - ":"
                  - Ref: AWS::AccountId
                  - :repository/*
          - Action:
              - elasticloadbalancing:CreateLoadBalancer
              - elasticloadbalancing:DeleteLoadBalancer
              - elasticloadbalancingv2:CreateLoadBalancer
              - elasticloadbalancingv2:DeleteLoadBalancer
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:aws:elasticloadbalancing:"
                  - Ref: AWS::Region
                  - ":"
                  - Ref: AWS::AccountId
                  - :loadbalancer/*
          - Action:
              - elasticloadbalancing:CreateTargetGroup
              - elasticloadbalancing:DeleteTargetGroup
              - elasticloadbalancing:ModifyTargetGroupAttributes
              - elasticloadbalancing:AddTags
              - elasticloadbalancing:RemoveTags
              - elasticloadbalancingv2:CreateTargetGroup
              - elasticloadbalancingv2:DeleteTargetGroup
              - elasticloadbalancingv2:ModifyTargetGroupAttributes
              - elasticloadbalancingv2:AddTags
              - elasticloadbalancingv2:RemoveTags
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:aws:elasticloadbalancing:"
                  - Ref: AWS::Region
                  - ":"
                  - Ref: AWS::AccountId
                  - :targetgroup/*
          - Action:
              - elasticloadbalancing:DescribeTargetGroups
              - elasticloadbalancing:DescribeLoadBalancers
            Effect: Allow
            Resource: "*"
          - Action:
              - lambda:CreateFunction
              - lambda:DeleteFunction
              - lambda:GetFunction
              - lambda:GetFunctionConfiguration
              - lambda:InvokeFunction
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:aws:lambda:"
                  - Ref: AWS::Region
                  - ":"
                  - Ref: AWS::AccountId
                  - :function:*
        Version: "2012-10-17"
      Description: ""
      ManagedPolicyName: compute-policy
      Path: /
      Roles:
        - Ref: developerrole79A28402
    Metadata:
      aws:cdk:path: InfrastructureStack/compute-policy/Resource
  environmentpolicy5A7E6843:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - ssm:GetParameter
              - ssm:PutParameter
              - ssm:GetParametersByPath
              - ssm:DeleteParameter
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:aws:ssm:"
                  - Ref: AWS::Region
                  - ":"
                  - Ref: AWS::AccountId
                  - :parameter/copilot/*
          - Action:
              - cloudformation:DescribeStacks
              - cloudformation:CreateChangeSet
              - cloudformation:DescribeChangeSet
              - cloudformation:ExecuteChangeSet
              - cloudformation:DeleteStack
              - cloudformation:DeleteChangeSet
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:aws:cloudformation:"
                  - Ref: AWS::Region
                  - ":"
                  - Ref: AWS::AccountId
                  - :stack/*
          - Action:
              - cloudformation:CreateStackSet
              - cloudformation:TagResource
              - cloudformation:DescribeStackSet
              - cloudformation:UpdateStackSet
              - cloudformation:DescribeStackSetOperation
              - cloudformation:ListStackInstances
              - cloudformation:DeleteStackSet
              - cloudformation:CreateStackInstances
              - cloudformation:DeleteStackInstances
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:aws:cloudformation:"
                  - Ref: AWS::Region
                  - ":"
                  - Ref: AWS::AccountId
                  - :stackset/*
          - Action:
              - iam:GetRole
              - iam:CreateRole
              - iam:PutRolePolicy
              - iam:DeleteRolePolicy
              - iam:DeleteRole
              - iam:PassRole
              - iam:getRolePolicy
              - iam:TagRole
              - iam:UntagRole
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:aws:iam::"
                  - Ref: AWS::AccountId
                  - :role/*
          - Action: sts:AssumeRole
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:aws:iam::"
                  - Ref: AWS::AccountId
                  - :role/*EnvManagerRole
          - Action:
              - servicediscovery:DeleteNamespace
              - servicediscovery:GetNamespace
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:aws:servicediscovery:"
                  - Ref: AWS::Region
                  - ":"
                  - Ref: AWS::AccountId
                  - :namespace/*
          - Action:
              - servicediscovery:CreatePrivateDnsNamespace
              - servicediscovery:TagResource
              - servicediscovery:UntagResource
              - servicediscovery:GetOperation
              - servicediscovery:ListNamespaces
            Effect: Allow
            Resource: "*"
          - Action: route53:ListHostedZones
            Effect: Allow
            Resource: "*"
          - Action:
              - route53:CreateHostedZone
              - route53:GetHostedZone
              - route53:DeleteHostedZone
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      Description: ""
      ManagedPolicyName: environment-policy
      Path: /
      Roles:
        - Ref: developerrole79A28402
    Metadata:
      aws:cdk:path: InfrastructureStack/environment-policy/Resource
  networkingpolicy499FC87E:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - ec2:CreateNatGateway
              - ec2:CreateSecurityGroup
              - ec2:CreateInternetGateway
              - ec2:CreateVpc
              - ec2:DeleteInternetGateway
              - ec2:DeleteVpc
              - ec2:DeleteNatGateway
              - ec2:DeleteSecurityGroup
              - ec2:CreateRoute
              - ec2:DeleteRoute
              - ec2:CreateSubnet
              - ec2:DeleteRouteTable
              - ec2:AuthorizeSecurityGroupIngress
              - ec2:RevokeSecurityGroupIngress
            Effect: Allow
            Resource:
              - Fn::Join:
                  - ""
                  - - "arn:aws:ec2:"
                    - Ref: AWS::Region
                    - ":"
                    - Ref: AWS::AccountId
                    - :vpc/*
              - Fn::Join:
                  - ""
                  - - "arn:aws:ec2:"
                    - Ref: AWS::Region
                    - ":"
                    - Ref: AWS::AccountId
                    - :natgateway/*
              - Fn::Join:
                  - ""
                  - - "arn:aws:ec2:"
                    - Ref: AWS::Region
                    - ":"
                    - Ref: AWS::AccountId
                    - :security-group/*
              - Fn::Join:
                  - ""
                  - - "arn:aws:ec2:"
                    - Ref: AWS::Region
                    - ":"
                    - Ref: AWS::AccountId
                    - :internet-gateway/*
              - Fn::Join:
                  - ""
                  - - "arn:aws:ec2:"
                    - Ref: AWS::Region
                    - ":"
                    - Ref: AWS::AccountId
                    - :subnet/*
              - Fn::Join:
                  - ""
                  - - "arn:aws:ec2:"
                    - Ref: AWS::Region
                    - ":"
                    - Ref: AWS::AccountId
                    - :route-table/*
          - Action:
              - ec2:DeleteSubnet
              - ec2:CreateRouteTable
              - ec2:DescribeInternetGateways
              - ec2:DescribeVpcs
              - ec2:DeleteTags
              - ec2:CreateTags
              - ec2:ModifyVpcAttribute
              - ec2:DescribeAvailabilityZones
              - ec2:AttachInternetGateway
              - ec2:DescribeSecurityGroups
              - ec2:DescribeAccountAttributes
              - ec2:DescribeSubnets
              - ec2:DescribeRouteTables
              - ec2:DetachInternetGateway
              - ec2:ModifySubnetAttribute
              - ec2:DisassociateRouteTable
              - ec2:AssociateRouteTable
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      Description: ""
      ManagedPolicyName: networking-policy
      Path: /
      Roles:
        - Ref: developerrole79A28402
    Metadata:
      aws:cdk:path: InfrastructureStack/networking-policy/Resource
  storagepolicy5350DAA0:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - s3:GetBucketTagging
              - s3:CreateBucket
              - s3:ListBucket
              - s3:GetBucketVersioning
              - s3:PutBucketCORS
              - s3:GetBucketAcl
              - s3:DeleteBucketPolicy
              - s3:GetBucketPolicy
              - s3:PutEncryptionConfiguration
              - s3:GetEncryptionConfiguration
              - s3:PutBucketTagging
              - s3:GetBucketCORS
              - s3:PutBucketAcl
              - s3:PutBucketPolicy
              - s3:GetBucketLocation
              - s3:DeleteBucket
              - s3:PutBucketVersioning
            Effect: Allow
            Resource: arn:aws:s3:::*
          - Action:
              - s3:DeleteObjectTagging
              - s3:PutObject
              - s3:GetObjectAcl
              - s3:GetObject
              - s3:DeleteObjectVersion
              - s3:GetObjectVersionAcl
              - s3:GetObjectTagging
              - s3:PutObjectTagging
              - s3:DeleteObject
              - s3:PutObjectAcl
            Effect: Allow
            Resource: arn:aws:s3:::*/*
          - Action: s3:ListAllMyBuckets
            Effect: Allow
            Resource: "*"
          - Action:
              - kms:EnableKey
              - kms:GetPublicKey
              - kms:Decrypt
              - kms:UntagResource
              - kms:PutKeyPolicy
              - kms:GenerateDataKeyWithoutPlaintext
              - kms:Verify
              - kms:ListResourceTags
              - kms:CancelKeyDeletion
              - kms:GenerateDataKeyPair
              - kms:TagResource
              - kms:Encrypt
              - kms:GetKeyRotationStatus
              - kms:ScheduleKeyDeletion
              - kms:ReEncryptTo
              - kms:DescribeKey
              - kms:Sign
              - kms:CreateGrant
              - kms:EnableKeyRotation
              - kms:ListKeyPolicies
              - kms:UpdateKeyDescription
              - kms:GetKeyPolicy
              - kms:GenerateDataKeyPairWithoutPlaintext
              - kms:DisableKey
              - kms:ReEncryptFrom
              - kms:DisableKeyRotation
              - kms:RetireGrant
              - kms:ListGrants
              - kms:UpdateAlias
              - kms:RevokeGrant
              - kms:GenerateDataKey
              - kms:CreateAlias
              - kms:DeleteAlias
            Effect: Allow
            Resource:
              - Fn::Join:
                  - ""
                  - - "arn:aws:kms:"
                    - Ref: AWS::Region
                    - ":"
                    - Ref: AWS::AccountId
                    - :alias/*
              - Fn::Join:
                  - ""
                  - - "arn:aws:kms:"
                    - Ref: AWS::Region
                    - ":"
                    - Ref: AWS::AccountId
                    - :key/*
          - Action:
              - kms:ListKeys
              - kms:GenerateRandom
              - kms:ListAliases
              - kms:CreateKey
            Effect: Allow
            Resource: "*"
          - Action:
              - dynamodb:Scan
              - dynamodb:Query
              - dynamodb:DescribeStream
              - dynamodb:UpdateGlobalTable
              - dynamodb:UpdateGlobalTableSettings
              - dynamodb:DescribeGlobalTableSettings
              - dynamodb:GetShardIterator
              - dynamodb:DescribeGlobalTable
              - dynamodb:RestoreTableFromBackup
              - dynamodb:CreateGlobalTable
              - dynamodb:DescribeBackup
              - dynamodb:DeleteBackup
              - dynamodb:GetRecords
            Effect: Allow
            Resource:
              - Fn::Join:
                  - ""
                  - - "arn:aws:dynamodb:"
                    - Ref: AWS::Region
                    - ":"
                    - Ref: AWS::AccountId
                    - :table/*/stream/*
              - Fn::Join:
                  - ""
                  - - "arn:aws:dynamodb::"
                    - Ref: AWS::AccountId
                    - :global-table/*
              - Fn::Join:
                  - ""
                  - - "arn:aws:dynamodb:"
                    - Ref: AWS::Region
                    - ":"
                    - Ref: AWS::AccountId
                    - :table/*/index/*
              - Fn::Join:
                  - ""
                  - - "arn:aws:dynamodb:"
                    - Ref: AWS::Region
                    - ":"
                    - Ref: AWS::AccountId
                    - :table/*/backup/*
          - Action:
              - dynamodb:DeleteItem
              - dynamodb:RestoreTableToPointInTime
              - dynamodb:ListTagsOfResource
              - dynamodb:CreateTableReplica
              - dynamodb:UpdateGlobalTable
              - dynamodb:CreateBackup
              - dynamodb:DeleteTable
              - dynamodb:UpdateTableReplicaAutoScaling
              - dynamodb:UpdateContinuousBackups
              - dynamodb:TagResource
              - dynamodb:DescribeTable
              - dynamodb:GetItem
              - dynamodb:DescribeContinuousBackups
              - dynamodb:CreateGlobalTable
              - dynamodb:BatchGetItem
              - dynamodb:UpdateTimeToLive
              - dynamodb:BatchWriteItem
              - dynamodb:ConditionCheckItem
              - dynamodb:UntagResource
              - dynamodb:PutItem
              - dynamodb:Scan
              - dynamodb:Query
              - dynamodb:UpdateItem
              - dynamodb:DescribeTimeToLive
              - dynamodb:CreateTable
              - dynamodb:UpdateGlobalTableSettings
              - dynamodb:RestoreTableFromBackup
              - dynamodb:ExportTableToPointInTime
              - dynamodb:UpdateTable
              - dynamodb:DescribeTableReplicaAutoScaling
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:aws:dynamodb:"
                  - Ref: AWS::Region
                  - ":"
                  - Ref: AWS::AccountId
                  - :table/*
          - Action:
              - dynamodb:ListGlobalTables
              - dynamodb:ListTables
              - dynamodb:DescribeReservedCapacity
              - dynamodb:ListBackups
              - dynamodb:DescribeLimits
              - dynamodb:ListStreams
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      Description: ""
      ManagedPolicyName: storage-policy
      Path: /
      Roles:
        - Ref: developerrole79A28402
    Metadata:
      aws:cdk:path: InfrastructureStack/storage-policy/Resource
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Modules: aws-cdk=1.73.0,@aws-cdk/aws-iam=1.73.0,@aws-cdk/cloud-assembly-schema=1.73.0,@aws-cdk/core=1.73.0,@aws-cdk/cx-api=1.73.0,@aws-cdk/region-info=1.73.0,jsii-runtime=node.js/v14.14.0
    Metadata:
      aws:cdk:path: InfrastructureStack/CDKMetadata/Default
    Condition: CDKMetadataAvailable
Conditions:
  CDKMetadataAvailable:
    Fn::Or:
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-northeast-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-northeast-2
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-southeast-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-southeast-2
          - Fn::Equals:
              - Ref: AWS::Region
              - ca-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - cn-north-1
          - Fn::Equals:
              - Ref: AWS::Region
              - cn-northwest-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-central-1
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-north-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-2
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-3
          - Fn::Equals:
              - Ref: AWS::Region
              - me-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - sa-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-east-2
          - Fn::Equals:
              - Ref: AWS::Region
              - us-west-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-west-2

Still got an error:
Application name: demo
✘ get application demo: get application demo: AccessDeniedException: User: arn:aws:iam::xxx:user/[email protected] is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:xxx:parameter/copilot/applications/demo
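The AccessDeniedException line quoted above names the exact action and resource that failed, and the CDK template resolves every resource ARN from `Ref: AWS::Region` and `Ref: AWS::AccountId` at deploy time, so a first check is whether the statements, as resolved for the region and account the stack was actually deployed into, cover that action/resource pair at all. If they do, the search moves to whether the policy is attached to the principal in the error; if they do not (for example because copilot is run in a different region than the one the stack was deployed in), the mismatch is visible locally before touching IAM. The script below is an added example, not code from this thread or from the copilot project: the statement set, the pseudo-parameter values and the error line (user name replaced by a placeholder) are constructed to mirror the shape of the template above, the SSM statement is an assumption about what the `:parameter/copilot/*` statement grants, and the evaluator ignores `Condition` blocks and policy attachment.

```python
"""Check whether CloudFormation-style IAM statements cover the action/resource
pair named in an AWS AccessDeniedException message (added example)."""
import re

# Constructed sample statements (NOT the full posted template). They use the same
# Fn::Join / Ref: AWS::Region / Ref: AWS::AccountId shape as the CDK output above.
# The SSM statement is an assumption about the :parameter/copilot/* statement.
SAMPLE_STATEMENTS = [
    {
        "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:PutParameter"],
        "Effect": "Allow",
        "Resource": {"Fn::Join": ["", [
            "arn:aws:ssm:", {"Ref": "AWS::Region"}, ":",
            {"Ref": "AWS::AccountId"}, ":parameter/copilot/*"]]},
    },
    {
        "Action": ["cloudformation:DescribeStacks", "cloudformation:CreateChangeSet"],
        "Effect": "Allow",
        "Resource": {"Fn::Join": ["", [
            "arn:aws:cloudformation:", {"Ref": "AWS::Region"}, ":",
            {"Ref": "AWS::AccountId"}, ":stack/*"]]},
    },
    {"Action": "route53:ListHostedZones", "Effect": "Allow", "Resource": "*"},
]

# Constructed copy of the error line from the thread (account id redacted as
# "xxx", user name replaced by a placeholder).
DENIED_LINE = ("✘ get application demo: get application demo: AccessDeniedException: "
               "User: arn:aws:iam::xxx:user/example-user is not authorized to perform: "
               "ssm:GetParameter on resource: "
               "arn:aws:ssm:us-east-1:xxx:parameter/copilot/applications/demo")

DENIED_RE = re.compile(
    r"is not authorized to perform: (?P<action>\S+) on resource: (?P<resource>\S+)")


def resolve(node, pseudo):
    """Turn Fn::Join / Ref pseudo-parameter nodes into plain strings.
    `pseudo` supplies the values CloudFormation substitutes at deploy time."""
    if isinstance(node, str):
        return node
    if isinstance(node, list):
        return [resolve(n, pseudo) for n in node]
    if isinstance(node, dict):
        if "Ref" in node:
            return pseudo[node["Ref"]]
        if "Fn::Join" in node:
            sep, parts = node["Fn::Join"]
            return sep.join(resolve(p, pseudo) for p in parts)
    raise ValueError(f"unsupported node: {node!r}")


def as_list(value):
    return value if isinstance(value, list) else [value]


def iam_match(pattern, value, case_insensitive=False):
    """IAM wildcard semantics: '*' matches any run of characters, '?' one
    character. Action names compare case-insensitively; resource ARNs do not."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    flags = re.IGNORECASE if case_insensitive else 0
    return re.match(regex, value, flags) is not None


def evaluate(statements, action, resource, pseudo):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow yields "Allow", otherwise the implicit "Deny". Conditions are ignored."""
    decision = "Deny"
    for stmt in statements:
        actions = as_list(stmt.get("Action", []))
        resources = as_list(resolve(stmt.get("Resource", []), pseudo))
        if not any(iam_match(a, action, case_insensitive=True) for a in actions):
            continue
        if not any(iam_match(r, resource) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def parse_denial(line):
    """Extract (action, resource) from an AccessDeniedException message, or None."""
    m = DENIED_RE.search(line)
    return (m.group("action"), m.group("resource")) if m else None


def check_denial(line, statements, pseudo):
    """Decision the statements would produce for the pair named in `line`."""
    parsed = parse_denial(line)
    if parsed is None:
        return None
    action, resource = parsed
    return evaluate(statements, action, resource, pseudo)


if __name__ == "__main__":
    # Stack deployed in the same region/account as the denied request.
    same = {"AWS::Region": "us-east-1", "AWS::AccountId": "xxx"}
    print(check_denial(DENIED_LINE, SAMPLE_STATEMENTS, same))   # Allow
    # Stack deployed in another region: the Ref: AWS::Region ARN no longer matches.
    other = {"AWS::Region": "eu-west-1", "AWS::AccountId": "xxx"}
    print(check_denial(DENIED_LINE, SAMPLE_STATEMENTS, other))  # Deny
```

Feed it the real template by loading the synthesized YAML, walking each `AWS::IAM::ManagedPolicy` resource's `PolicyDocument.Statement` list into `evaluate`, and setting `pseudo` to the region and account the stack was deployed in; an "Allow" from this check combined with a live AccessDenied then points at attachment (the `Roles` list on each managed policy versus the user in the error) rather than at the statement text.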
