Open zmad5306 opened 1 year ago
Hello @zmad5306!
Currently we are working on these features: Extending Copilot with CDK
(https://github.com/aws/copilot-cli/issues/4208) and YAML patches
(https://github.com/aws/copilot-cli/issues/4209).
With these features, it will be a lot easier to override existing Copilot resources, in this case IAM roles,
with your own customized IAM roles.
We will update once the feature is released.
As a workaround, here is an example of creating an IAM role (TaskRole) for your service's ECS task until the CDK extension is released.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "iam:*",
      "Resource": "*",
      "Effect": "Deny"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:ResourceTag/copilot-application": "<Application-Name>",
          "iam:ResourceTag/copilot-environment": "<Environment-Name>"
        }
      },
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::1111111111:role/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "ssmmessages:CreateControlChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenDataChannel"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```

Replace `<Application-Name>` with your application name and `<Environment-Name>` with your environment name.
Update the manifest file of all the services with the `taskdef_overrides` below. This will update the `TaskRoleArn` in the ECS TaskDefinition.

```yaml
taskdef_overrides:
  - path: "TaskRoleArn"
    value: "<ARN of IAM Role>"
```

`<ARN of IAM Role>` is the ARN of the customized IAM role.
Let me know if this works for you!
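To make the interaction between the statements in the policy above concrete (the explicit `Deny` on `iam:*`, the `sts:AssumeRole` allow that is scoped by the `copilot-application` and `copilot-environment` resource tags, and everything else falling through to implicit deny), here is an added Python example. It is not part of this thread or of the Copilot project: it is a deliberately simplified IAM evaluator that models only the constructs the policy uses (string/list `Action` and `Resource`, `*`/`?` wildcards, the `StringEquals` operator). The account id `1111111111` is the thread's own placeholder, and `my-app`, `test`, `prod` and the role and log-group ARNs are constructed sample values.

```python
"""Simplified evaluator for the Copilot TaskRole policy from the thread."""
import fnmatch
import json

# Constructed copy of the TaskRole policy from the thread. The account id
# "1111111111" is the thread's own placeholder; "my-app" and "test" are
# constructed values standing in for <Application-Name> and <Environment-Name>.
TASK_ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": "iam:*", "Resource": "*", "Effect": "Deny"},
    {
      "Condition": {"StringEquals": {
        "iam:ResourceTag/copilot-application": "my-app",
        "iam:ResourceTag/copilot-environment": "test"}},
      "Action": "sts:AssumeRole",
      "Resource": ["arn:aws:iam::1111111111:role/*"],
      "Effect": "Allow"
    },
    {
      "Action": ["ssmmessages:CreateControlChannel", "ssmmessages:OpenControlChannel",
                 "ssmmessages:CreateDataChannel", "ssmmessages:OpenDataChannel"],
      "Resource": "*", "Effect": "Allow"
    },
    {
      "Action": ["logs:CreateLogStream", "logs:DescribeLogGroups",
                 "logs:DescribeLogStreams", "logs:PutLogEvents"],
      "Resource": "*", "Effect": "Allow"
    }
  ]
}
""")


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # Resource ARNs are case-sensitive; wildcards work the same way.
    return fnmatch.fnmatchcase(resource, pattern)


def _condition_holds(condition, context):
    """Only StringEquals is modelled, which is all the policy above uses.
    A key missing from the request context fails the condition, as in IAM."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) != expected:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Simplified IAM evaluation: a matching explicit Deny wins over any
    Allow; no matching Allow means implicit deny. NotAction/NotResource and
    other condition operators are out of scope for this example."""
    context = context or {}
    allowed = False
    for statement in policy["Statement"]:
        if not any(_action_matches(p, action) for p in _as_list(statement["Action"])):
            continue
        if not any(_resource_matches(p, resource) for p in _as_list(statement["Resource"])):
            continue
        if not _condition_holds(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed request contexts: the tags IAM reads from the target role when
# it evaluates iam:ResourceTag/* condition keys.
SAME_ENV_TAGS = {"iam:ResourceTag/copilot-application": "my-app",
                 "iam:ResourceTag/copilot-environment": "test"}
OTHER_ENV_TAGS = {"iam:ResourceTag/copilot-application": "my-app",
                  "iam:ResourceTag/copilot-environment": "prod"}


def demo():
    """Decisions for a handful of constructed requests against the policy."""
    role = "arn:aws:iam::1111111111:role/my-app-test-EnvManagerRole"
    log_group = "arn:aws:logs:us-east-1:1111111111:log-group:/copilot/my-app-test-svc:*"
    return {
        "assume_same_env": evaluate(TASK_ROLE_POLICY, "sts:AssumeRole", role, SAME_ENV_TAGS),
        "assume_other_env": evaluate(TASK_ROLE_POLICY, "sts:AssumeRole", role, OTHER_ENV_TAGS),
        "pass_role": evaluate(TASK_ROLE_POLICY, "iam:PassRole", role),
        "put_logs": evaluate(TASK_ROLE_POLICY, "logs:PutLogEvents", log_group),
        "s3_get": evaluate(TASK_ROLE_POLICY, "s3:GetObject", "arn:aws:s3:::bucket/key"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18} {decision}")
```

Running it shows the three outcomes a reviewer of this policy cares about: `sts:AssumeRole` is allowed only for a role carrying the same application and environment tags (a role tagged for `prod` falls to implicit deny even though the ARN matches), any `iam:*` call such as `iam:PassRole` hits the explicit deny regardless of resource, and actions the policy never mentions are implicitly denied.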
@KollaAdithya This worked for the TaskRole. Can the Task Execution Role be overridden in the same way?
Yes, the Task Execution Role can also be overridden in the same way. Just update the manifest with the `taskdef_overrides` below:

```yaml
taskdef_overrides:
  - path: "ExecutionRoleArn"
    value: "<ARN of IAM Role>"
```

`<ARN of IAM Role>` is the ARN of the customized TaskExecution IAM role.
@KollaAdithya The workaround described doesn't fix the quota issue and has other breaking issues with jobs: StateMachineRole and a StateMachine permission. This permission references the built-in roles in the iam:PassRole permission instead of the custom roles passed in the Task Def Override, and renders jobs inoperable. This seems like a very rough edge for any organization deploying to ECS using Copilot at any scale.
We have an app that currently has 53 jobs & services across 6 environments. Copilot creates 4+ roles per environment per job/service. We are running into role quota limits in the AWS account due to the number of roles that Copilot creates. Is there a way to create fewer roles? How should this be handled?