Open BhuviTheDataGuy opened 3 days ago
Yes, the file templates/principal_policy.tmpl
in this project is used as initial starting value when deploying the project.
This file is used by the underlying DCE project to define the policy that is deployed into the pool accounts to be assumed by end users.
I am not a part of the DCE project, but if I read their code correctly, each time an account is leased, the policy template is read from the file s3://<your_account_id>-dce-artifacts-dce/fixtures/policies/principal_policy.tmpl
on S3. I recommend testing if changing that file in an already deployed environment will be automatically applied when the next lease is created - in this case you could use it to limit down the principal permissions in your existing project.
I can see that the logged-in users (for the event) will have almost full access to most of the services. And there is no option for giving the role name for the principal role.
In our case, we want to use a custom policy for that role, so based on the workshop we can assign the permission to the respective services.
Unfortunately, we have deployed the stack and it's been running for 3 months. I guess
templates/principal_policy.tmpl
is the file that has this policy, but unfortunately it's a running stack.
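The thread's concern is that the rendered principal policy grants near-full access and should be narrowed to the services a workshop actually uses. The following is an added example, not code from the DCE project or from either commenter: it takes a rendered IAM policy document (the template in the S3 bucket is a Go template, so run this against the rendered JSON, for instance the version returned by `aws iam get-policy-version`, not the raw `.tmpl`), reports every Allow statement that uses a wildcard action, and lists the service prefixes that remain allowed. Both policies in the block are constructed samples; the services in the scoped variant are placeholders, not a recommendation for any particular workshop.

```python
"""Added example (not DCE project code): flag wildcard Allow statements in a
rendered principal policy and show a narrowed variant beside it.

Assumptions: both policy documents below are constructed for illustration and
are not the contents of templates/principal_policy.tmpl; the services in
SCOPED_POLICY are placeholders for whatever a given workshop needs.
"""
import json
from typing import Any, Dict, List, Set

# Constructed sample: a broad policy of the kind the thread describes
# (almost full access to most services, with a single Deny carve-out).
BROAD_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DenyIam", "Effect": "Deny", "Action": ["iam:*"], "Resource": "*"},
    ],
}

# Constructed sample: same shape, narrowed to a few placeholder services.
SCOPED_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "WorkshopServices",
            "Effect": "Allow",
            "Action": ["s3:*", "lambda:*", "logs:*"],
            "Resource": "*",
        },
        {"Sid": "DenyIam", "Effect": "Deny", "Action": ["iam:*"], "Resource": "*"},
    ],
}

WILDCARD_ACTIONS = ("*", "*:*")


def _as_list(value: Any) -> List[Any]:
    """IAM allows a single string or a list in Statement/Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def load_policy(text: str) -> Dict[str, Any]:
    """Parse a rendered policy document (plain JSON, not the Go template)."""
    return json.loads(text)


def wildcard_allows(policy: Dict[str, Any]) -> List[str]:
    """Return the Sid (or positional label) of each Allow statement whose
    Action contains a bare wildcard. Statements using NotAction are not
    inspected here; treat any NotAction Allow as needing manual review."""
    hits: List[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if any(a in WILDCARD_ACTIONS for a in actions):
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


def allowed_services(policy: Dict[str, Any]) -> Set[str]:
    """Service prefixes (the part before ':') named in Allow statements.
    A bare wildcard is reported as '*' meaning every service."""
    services: Set[str] = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action in WILDCARD_ACTIONS:
                services.add("*")
            else:
                services.add(action.split(":", 1)[0])
    return services


if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(
            f"{name}: wildcard Allow statements={wildcard_allows(pol)} "
            f"services={sorted(allowed_services(pol))}"
        )
```

Run it on the rendered policy from the currently deployed stack before and after changing the S3 template object, as the reply above suggests testing; a non-empty result from `wildcard_allows` on a newly leased account means the change was not picked up (or the template still contains a bare wildcard). Deny statements are deliberately skipped, since the question is what the role can do, not what it is refused.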