
Creating a Build User

It has become very easy to set up GitHub Actions to do your builds. At some point you probably want the build system to also publish releases into your AWS account. The shortcut is to take some admin user, create an access key for it and hand that key to GitHub. That is not very nice from a security perspective though: if the key leaks from the CI system, whoever holds it has the whole account. Following the principle of least privilege, you should instead create a user that has only the permissions the pipeline needs. Now, how do you do that?

Well, listing every permission in a hand-written policy document can be demanding, as there are likely permissions you need without realising it (the ECR login token, the individual layer-upload calls, and so on). An easier start is to use the managed policies AWS ships. Below follows a CloudFormation template for a user that is allowed to push to ECR repositories. Keep in mind that AmazonEC2ContainerRegistryPowerUser grants read and write access to every repository in the account, so this is a good first step rather than the final word on least privilege; once you know which repository the pipeline pushes to, you can tighten the policy to that one resource.

Code of the Day

AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Contains the CI build user for AWS IAM

Resources:
  # IAM user the GitHub Actions pipeline authenticates as.
  # It carries no inline policy; all permissions come from the
  # AWS-managed policy attached below.
  DeployUser:
    Type: AWS::IAM::User
    Properties:
      UserName: CI-ECR-Push
      ManagedPolicyArns:
        # Push and pull to every ECR repository in the account,
        # but no repository deletion or policy changes.
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser
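The managed policy above lets the user push to every repository in the account. The following template is an added example, not part of the original post, showing the tighter version: an inline policy that allows exactly the calls `docker push` makes, limited to one repository, plus the access key the pipeline will use, stored in Secrets Manager rather than printed as a stack output. The parameter name RepositoryName, its default value my-service, the logical resource names and the secret path are assumptions chosen for the example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  CI push user scoped to a single ECR repository, with its access key
  kept in Secrets Manager instead of a stack output (added example).

Parameters:
  RepositoryName:
    Type: String
    Description: Name of the ECR repository the CI user may push to (assumed example value)
    Default: my-service

Resources:
  # The repository is created here so the policy below can reference its ARN.
  Repository:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: !Ref RepositoryName
      ImageTagMutability: IMMUTABLE      # a pushed tag cannot be silently overwritten
      ImageScanningConfiguration:
        ScanOnPush: true

  # Build user with no managed policies, only the inline policy below.
  DeployUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Sub CI-ECR-Push-${RepositoryName}
      Policies:
        - PolicyName: EcrPushSingleRepository
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # GetAuthorizationToken only issues the temporary docker login
              # token; it is not resource-scoped, so it must be allowed on '*'.
              - Effect: Allow
                Action: ecr:GetAuthorizationToken
                Resource: '*'
              # Everything "docker push" needs, limited to one repository ARN.
              - Effect: Allow
                Action:
                  - ecr:BatchCheckLayerAvailability
                  - ecr:InitiateLayerUpload
                  - ecr:UploadLayerPart
                  - ecr:CompleteLayerUpload
                  - ecr:PutImage
                Resource: !GetAtt Repository.Arn

  # Long-lived key handed to GitHub; rotate it by replacing this resource.
  DeployUserKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref DeployUser
      Status: Active

  # The secret half of the key is readable only through Secrets Manager
  # (and its own IAM controls), never through DescribeStacks outputs.
  DeployUserKeySecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub /ci/${RepositoryName}/ecr-push-key   # assumed secret path
      SecretString: !Sub
        - '{"AWS_ACCESS_KEY_ID":"${KeyId}","AWS_SECRET_ACCESS_KEY":"${KeySecret}"}'
        - KeyId: !Ref DeployUserKey
          KeySecret: !GetAtt DeployUserKey.SecretAccessKey

Outputs:
  AccessKeyId:
    Description: Public half of the key; the secret half lives only in Secrets Manager
    Value: !Ref DeployUserKey
  SecretLocation:
    Value: !Ref DeployUserKeySecret
```

After deploying, copy the two values out of the secret into the GitHub repository secrets and grant nothing else to the user; if the pipeline also needs to pull base images from that repository, add ecr:BatchGetImage and ecr:GetDownloadUrlForLayer to the repository-scoped statement rather than falling back to the managed policy.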