Pipeline aws service role

Question

Hi team,

I've set up a pipeline using CodePipeline, and this pipeline automatically generated a new service role called `AWSCodePipelineServiceRole-region-myPipeline` on my behalf.

but this service role created by the pipeline contains too much permission :

```
"elasticbeanstalk:*",
                "ec2:*",
                "elasticloadbalancing:*",
                "autoscaling:*",
                "cloudwatch:*",
                "s3:*",
                "sns:*",
                "cloudformation:*",
                "rds:*",
                "sqs:*",
                "ecs:*"
              "opsworks:,
.......
......
```

I'm wondering if it's normal for the pipeline service role to have that excessive number of permissions?

secondabhi_aws · Answer

Hi,

Yes, this is the expected behavior and important point to note is this would only be used by codepipeline service as it's codepipeline service role. However you can create your own codepipeline service role following least privilege model and use it while creating pipeline but make sure that it has all the required permissions to deploy/provision resources.

**Referece:**

- [Identity and access management for AWS CodePipeline](https://docs.aws.amazon.com/codepipeline/latest/userguide/security-iam.html#how-to-custom-role)

- [Create the CodePipeline service role](https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-service-role.html)

Hope this helps.

Comment here if you have additional questions, happy to help.

Abhishek

Pipeline aws service role

相关内容