aws / aws-proton-public-roadmap

This is the public roadmap for AWS Proton
https://aws.amazon.com/proton

[Request]: Default ServiceRole with polp permissions #33

Closed zbintliff closed 3 years ago

zbintliff commented 3 years ago

Tell us about your request

Would like a default service role to be used so we don't have to pass service role ARN when creating environments. The example in example repo uses admin role which isn't something many orgs will allow.

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

I'm trying to test out proton. All our "environments" are already created so I have an empty CFN stack with just output, the permissions needed to create the proton environment should be just "create stack". Would be nice to have one we can default to (similar to ECS Service Role)

Are you currently working around this issue?

Passing an admin role

clareliguori commented 3 years ago

Hi @zbintliff, the environment service role is also used as the service role for provisioning the CloudFormation stacks of any service instances created within that environment. So, the service role must also have the permissions needed to create resources for those service instances. The environment service role permissions don't need to be Admin: once you have your templates written, the role permissions can be scoped down to only the services that your environments and service instances will provision via the templates. See example here in the Proton documentation (look for "The following is an example of a scoped down Proton service role policy"), where the service role policy is scoped to only CFN and S3 permissions and would result in environments and service instances being able to only provision S3 buckets in their CFN stacks.

Given that, what permissions would you like to see in a default service role?
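Added example, not part of the thread or of the Proton documentation: a Python check for the scoping described in the comment above, comparing the services a role policy allows with the services a template's resource types need. The templates, the policies and the namespace-to-prefix rule are constructed assumptions.

```python
# Constructed samples: CloudFormation template bodies and role policies, not from the thread.
S3_TEMPLATE = {"Resources": {"Bucket": {"Type": "AWS::S3::Bucket"}}}
ECS_TEMPLATE = {"Resources": {"Svc": {"Type": "AWS::ECS::Service"},
                              "ExecRole": {"Type": "AWS::IAM::Role"}}}
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cloudformation:*", "s3:*"], "Resource": "*"}]}

# CloudFormation namespaces whose IAM action prefix differs from the lower-cased name.
# Assumption: any namespace not listed here uses its lower-cased name as the prefix.
IAM_PREFIX = {"ElasticLoadBalancingV2": "elasticloadbalancing"}


def required_services(template):
    """IAM prefixes needed: CloudFormation itself plus one per resource type."""
    needed = {"cloudformation"}
    for resource in template.get("Resources", {}).values():
        namespace = resource["Type"].split("::")[1]   # AWS::S3::Bucket -> S3
        needed.add(IAM_PREFIX.get(namespace, namespace.lower()))
    return needed


def granted_services(policy):
    """IAM prefixes of every allowed action; '*' means every service."""
    statements = policy["Statement"]
    if isinstance(statements, dict):                  # a single statement is legal JSON
        statements = [statements]
    granted = set()
    for statement in statements:
        if statement.get("Effect") != "Allow":
            continue
        if "NotAction" in statement:                  # Allow + NotAction is near-admin
            granted.add("*")
        actions = statement.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            granted.add(action.split(":", 1)[0].lower())
    return granted


def audit(template, policy):
    """Return services the role lacks and services it grants beyond the template."""
    needed, granted = required_services(template), granted_services(policy)
    if "*" in granted:
        return {"missing": set(), "excess": {"*"}}
    return {"missing": needed - granted, "excess": granted - needed}
```

The comparison is at service granularity only; it does not evaluate individual actions, resources or conditions.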

zbintliff commented 3 years ago

Hey @clareliguori. I opened a few tickets as I was fumbling through my own hello world example and before I had a better understanding of how Proton works. The goal was just using the documentation and examples to build my own templates, specs, etc.

To your point, because the service role requires permissions to create anything in the CFN stacks, it's hard to make a minimized role. And I think the same role is used for both environment provisioning and service creation, complicating the problem even more. However, role creation in my organization is locked down and a "slower" process, so having a service role already created helps with POCs.

Would it make sense for a default service role to have permissions for the main use cases Proton is intended for? That is CFN, LoadBalancers, ECS Services, API Gateway, Lambda?

clareliguori commented 3 years ago

> Would it make sense for a default service role to have permissions for the main use cases Proton is intended for? That is CFN, LoadBalancers, ECS Services, API Gateway, Lambda?

Based on some previous conversations with internal security teams, it's unlikely for us to get an IAM managed policy or a service-linked role policy approved with a set of broad provisioning permissions for other services like ECS and Lambda. Especially because provisioning those services usually requires IAM role creation as well (for the ECS/Lambda execution roles), so the permissions start to get really broad. AWS-managed policies like those are generally intended to be the bare minimum permissions needed for the service to function on your behalf, so in this case that would only include the permissions to manage CFN stacks and not the permissions needed to provision the resources you specified in your Proton templates.

zbintliff commented 3 years ago

That makes sense. This can be closed! Thank you.

clareliguori commented 3 years ago

Thanks for your feedback!