Creating a Build User
It has become very easy to set up GitHub Actions to do your building. At some point you probably want the build system to also publish releases into your AWS account. The shortcut is to take some admin role, create an access key for it, and hand that key to GitHub. That is not very nice from a security perspective, though. Following the principle of least privilege, you should instead create a user that has only the minimum required permissions. Now, how do you do that?
Well, listing all of the AWS permissions in a policy document can be demanding, as there are likely permissions you don't realise you need. Instead it is convenient to use the managed policies that AWS provides. Below follows a CloudFormation template for a user that is allowed to push to ECR repositories.
Code of the Day
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Contains deploy roles for AWS IAM
Resources:
  DeployRole:
    Type: AWS::IAM::User
    Properties:
      UserName: CI-ECR-Push
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser
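As an added example (not part of the original post), here is a small audit script of the kind you might run in CI before deploying such a template. It walks every `AWS::IAM::User` in a CloudFormation template and flags the shortcut the post warns against: broad managed policies such as `AdministratorAccess`, inline policies that allow `Action: "*"` or `Resource: "*"`, and users with no policy at all. The denylist of managed policy ARNs, the second "admin shortcut" template and the function names are all constructed for this example; the first template is the post's own, transcribed into a Python dict. In a real pipeline you would load the YAML with `yaml.safe_load()` and pass the result to `audit_template()`.

```python
"""Audit IAM users in a CloudFormation template for least-privilege violations.

Added example, not code from the original post. Templates are embedded as
dicts so the script runs offline; load real templates with yaml.safe_load().
"""

# Managed policies that grant far more than a CI push job needs.
# Constructed denylist for this example; extend it to your own taste.
OVERBROAD_MANAGED_POLICIES = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/PowerUserAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
}


def _as_list(value):
    """CloudFormation and IAM accept a scalar or a list in several places."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _inline_wildcards(policy_doc):
    """Yield (actions, resources) for every Allow statement that uses '*'."""
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect", "Allow") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions or "*" in resources:
            yield actions, resources


def audit_template(template):
    """Return a list of human-readable findings, one per problem found."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::User":
            continue
        props = res.get("Properties", {})
        managed = _as_list(props.get("ManagedPolicyArns"))
        inline = _as_list(props.get("Policies"))
        for arn in managed:
            if arn in OVERBROAD_MANAGED_POLICIES:
                findings.append(f"{logical_id}: overbroad managed policy {arn}")
        for pol in inline:
            doc = pol.get("PolicyDocument", {})
            for actions, resources in _inline_wildcards(doc):
                findings.append(
                    f"{logical_id}: inline policy {pol.get('PolicyName')} "
                    f"allows Action={actions} on Resource={resources}"
                )
        if not managed and not inline:
            findings.append(f"{logical_id}: user has no policies attached")
    return findings


# The post's template, transcribed into a dict.
ECR_PUSH_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "DeployRole": {
            "Type": "AWS::IAM::User",
            "Properties": {
                "UserName": "CI-ECR-Push",
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"
                ],
            },
        }
    },
}

# The "admin shortcut" the post warns against (constructed for this example).
ADMIN_SHORTCUT_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "CiAdmin": {
            "Type": "AWS::IAM::User",
            "Properties": {
                "UserName": "CI-Admin",
                "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AdministratorAccess"],
                "Policies": [{
                    "PolicyName": "everything",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
                    },
                }],
            },
        }
    },
}

if __name__ == "__main__":
    for name, tpl in (("ecr-push", ECR_PUSH_TEMPLATE),
                      ("admin-shortcut", ADMIN_SHORTCUT_TEMPLATE)):
        problems = audit_template(tpl)
        print(f"{name}: {'OK' if not problems else 'FAIL'}")
        for p in problems:
            print("  -", p)
```

Run it and the post's template passes clean, while the admin shortcut produces two findings (the broad managed policy and the wildcard inline statement). The check is deliberately simple: it reasons only about what is written in the template, not about what a managed policy actually grants, so it catches the obvious shortcut rather than proving the user is minimal.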