awslabs / sandbox-accounts-for-events

"Sandbox Accounts for Events" lets you provide multiple temporary AWS accounts to a number of authenticated users simultaneously via a browser-based GUI.
Apache License 2.0

Custom role for principal role #81

Open BhuviTheDataGuy opened 3 days ago

BhuviTheDataGuy commented 3 days ago

I can see that the logged-in users (for the event) will have almost full access to most of the services. And there is no option for giving the role name for the principal role.

In our case, we want to use a custom policy for that role, so based on the workshop we can assign the permission to the respective services.

Unfortunately, we have deployed the stack and it's been running for 3 months. I guess templates/principal_policy.tmpl is the file that has this policy; unfortunately it's a running stack.

moellr commented 3 days ago

Yes, the file templates/principal_policy.tmpl in this project is used as the initial starting value when deploying the project. This file is used by the underlying DCE project to define the policy that is deployed into the pool accounts to be assumed by end users.

I am not a part of the DCE project, but if I read their code correctly, each time an account is leased, the policy template is read from the file s3://<your_account_id>-dce-artifacts-dce/fixtures/policies/principal_policy.tmpl on S3. I recommend testing if changing that file in an already deployed environment will be automatically applied when the next lease is created - in this case you could use it to limit down the principal permissions in your existing project.
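Before uploading a tightened principal policy, it helps to check that no statement still grants wildcard actions. The following is an added example, not code from this project or from DCE; it assumes you run it against the rendered JSON policy document (the Go template placeholders already substituted), and the two sample policies are constructed for illustration.

```python
import json

# Constructed sample resembling the broad default: Allow "*" with a Deny carve-out.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["iam:*", "organizations:*"], "Resource": "*"},
    ],
})

# Constructed sample of a workshop-scoped policy; the services are hypothetical.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket", "lambda:InvokeFunction"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "glue:*", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows a string or a list for Statement, Action and NotAction."""
    return value if isinstance(value, list) else [value]


def broad_allows(policy_json: str) -> list[str]:
    """Return one finding per Allow statement that grants wildcard actions.

    Deny statements are ignored: they narrow access and cannot widen it.
    """
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction permits everything except the listed actions.
            findings.append(f"statement[{idx}]: Allow via NotAction is broad by construction")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append(f"statement[{idx}]: Allow all actions (*)")
            elif action.endswith(":*"):
                findings.append(f"statement[{idx}]: Allow all actions for {action.split(':')[0]}")
    return findings
```

An empty result from `broad_allows` means every Allow statement lists explicit actions; it does not check resource scoping or conditions.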