compose-x / ecs_composex

Manage, Configure and Deploy your services and AWS services and applications from your docker-compose definitions
https://docs.compose-x.io
Mozilla Public License 2.0

[FR] attach a policy with wild-cards to ecs task #575

Closed krishin-js closed 2 years ago

krishin-js commented 2 years ago

Is your feature request related to a problem? Please describe.
I would like to add suitable wild-cards to resources in a policy and attach the policy to an ECS service. This would help me avoid hitting the max limit on policy length. An example of the issue was seen when we had a single service requiring access to multiple (15+) DynamoDB tables.

Describe the solution you'd like
An x-iam policy attached to an ECS service.

JohnPreston commented 2 years ago

@krishin-js thanks for reporting the issue. Presently there is no way of calculating the length of the IAM inline policies for the resources, especially for new ones, given their name depends on what CFN defines (for new resources).

v0.18+ will have a single inline policy per resource type and group Resource with multiple resources when the access policy is a match to help reduce further the length of the policy.

The only alternative I can think of would be to split inline policies for new resources, with ARN length undefined, and have managed policies created for lookup resources, as it is then possible to measure the length of the policy (to a very close estimate).

The alternative would be to change the compose-x code to not require Access to be set on resources, and only ReturnValues (which is coming in v0.18+). That'd allow exposing the environment variables to the services and setting a policy elsewhere, i.e. in the services.x-iam section.
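The wild-card question raised in this thread cuts both ways: a `prefix*` Resource shortens the policy, but it may also grant tables the service never asked for. The following is an added example, not code from compose-x or from anyone in this thread. It assumes a constructed account of sample DynamoDB table ARNs (account id, region and table names are made up) and the IAM size quotas as AWS documents them. It computes the tightest pattern for a set of table ARNs, checks which other tables in the account that pattern would also match, and measures the resulting policy the way IAM does (whitespace excluded).

```python
import json
import os
import re

# AWS IAM quotas, in characters with whitespace excluded: the combined size of all
# inline policies on one role, and the size of one customer managed policy.
ROLE_INLINE_LIMIT = 10240
MANAGED_POLICY_LIMIT = 6144

# Constructed sample account and tables (not real ARNs).
ACCOUNT = "arn:aws:dynamodb:eu-west-1:123456789012:table/"
# The 15 tables the service actually needs ...
NEEDED = [f"{ACCOUNT}shop-orders-{i:02d}" for i in range(1, 16)]
# ... plus two other tables in the same account, one of which shares the prefix.
OTHERS = [f"{ACCOUNT}shop-orders-archive", f"{ACCOUNT}billing-invoices"]
ALL_TABLES = NEEDED + OTHERS

ACTIONS = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"]


def iam_match(pattern: str, arn: str) -> bool:
    """IAM Resource matching: '*' matches any run of characters, '?' exactly one.
    Everything else is literal, so the ARN's '.' and ':' are escaped for the regex."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None


def tightest_prefix_wildcard(arns) -> str:
    """Shortest 'prefix*' pattern that matches every ARN in arns."""
    return os.path.commonprefix(list(arns)) + "*"


def tightest_pattern(arns) -> str:
    """Like tightest_prefix_wildcard, but when every ARN has the same length after the
    common prefix, use one '?' per remaining character so the pattern cannot grow
    to cover longer names (e.g. 'shop-orders-archive' next to 'shop-orders-01')."""
    prefix = os.path.commonprefix(list(arns))
    suffix_lengths = {len(a) - len(prefix) for a in arns}
    if len(suffix_lengths) == 1:
        return prefix + "?" * suffix_lengths.pop()
    return prefix + "*"


def overreach(pattern: str, needed, all_arns):
    """ARNs the pattern would grant that were not asked for. Run this against the
    full table inventory before shipping a wildcard; a non-empty result means the
    pattern is wider than the service's actual need."""
    wanted = set(needed)
    return sorted(a for a in all_arns if iam_match(pattern, a) and a not in wanted)


def statement(actions, resources) -> dict:
    return {"Effect": "Allow", "Action": list(actions), "Resource": list(resources)}


def policy_size(statements) -> int:
    """Character count the way IAM measures it: the JSON document without whitespace."""
    doc = {"Version": "2012-10-17", "Statement": list(statements)}
    return len(json.dumps(doc, separators=(",", ":")))


def explicit_policy_size() -> int:
    """Policy that lists all 15 table ARNs one by one."""
    return policy_size([statement(ACTIONS, NEEDED)])


def wildcard_policy_size() -> int:
    """Policy that uses the tightest pattern instead of the enumerated ARNs."""
    return policy_size([statement(ACTIONS, [tightest_pattern(NEEDED)])])


if __name__ == "__main__":
    for candidate in (tightest_prefix_wildcard(NEEDED), tightest_pattern(NEEDED)):
        extra = overreach(candidate, NEEDED, ALL_TABLES)
        verdict = "REFUSE, also grants " + ", ".join(extra) if extra else "ok"
        print(f"{candidate}: {verdict}")
    print("explicit policy chars:", explicit_policy_size(),
          "wildcard policy chars:", wildcard_policy_size(),
          "role inline limit:", ROLE_INLINE_LIMIT)
```

The `*` pattern is the one most people reach for, and on this inventory it quietly includes `shop-orders-archive`; the `?`-based pattern keeps the size win without that widening. Whichever pattern is used, the `overreach` check has to be re-run whenever tables are added to the account, since a wildcard grants whatever matches at evaluation time, not what existed when the policy was written.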

JohnPreston commented 2 years ago

Fixed in #574. You can now set

Services:
  service-01:
    ReturnValues: {}

without Access, and manage the IAM policy in x-iam for these resources.