En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

Pipeline aws service role

0

Hi team,

I've set up a pipeline using CodePipeline, and this pipeline automatically generated a new service role called AWSCodePipelineServiceRole-region-myPipeline on my behalf.

but this service role created by the pipeline contains too much permission :

"elasticbeanstalk:*",
                "ec2:*",
                "elasticloadbalancing:*",
                "autoscaling:*",
                "cloudwatch:*",
                "s3:*",
                "sns:*",
                "cloudformation:*",
                "rds:*",
                "sqs:*",
                "ecs:*"
              "opsworks:,
.......
......

I'm wondering if it's normal for the pipeline service role to have that excessive number of permissions?

Sujets
Outils de développementConteneursDevOpsMicroservices
Balises
AWS CodePipelineAWS CodeDeployService de conteneur élastique AmazonDevOpsMicroservices
Langue
English
JessDL
demandé il y a 9 mois434 vues
1 réponse
0

Hi,

Yes, this is the expected behavior and important point to note is this would only be used by codepipeline service as it's codepipeline service role. However you can create your own codepipeline service role following least privilege model and use it while creating pipeline but make sure that it has all the required permissions to deploy/provision resources.

Referece:

Hope this helps.

Comment here if you have additional questions, happy to help.

Abhishek

profile pictureAWS
EXPERT
secondabhi_aws
répondu il y a 9 mois
profile pictureAWS
EXPERT
Didier_Durand
vérifié il y a 9 mois
  • Didier_Durand EXPERT
    il y a 9 mois

    Yes, you can reduce to least privilege as suggested but it is dependent on what the stages of your pipeline do: you'll have to grant privileges for each of the AWS service that you use in this pipeline, either directly or indirectly. So, start with no privilege and cycle until the last "Authorization Denied" disappear. You can also use CloudTrail to track the various service calls done by your Pipeline: you'll be more efficient.

  • secondabhi_aws EXPERT
    il y a 9 mois

    Do you have any additional questions?

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents