The original version of these rules demonstrated a really loose * wildcard ECR permission.
Discussion

This change splits the related ECR permissions into two statements:

1. Grants the permission to authenticate with the platform. This must be granted at the account level rather than a specific repository level.
2. Grants permission to perform the basic read/write operations required to efficiently batch update an image. These permissions are only granted for the jwt-pizza-service repository in the individual's account.
You may prefer to have a bad-practice wildcard in the instructions for the purposes of demonstration, but this PR introduces tested, hardened IAM rights for the github-ci role. It doesn't go crazy deep, but it does restrict the permissions to just the things that are needed.
If you don't want to merge this in, then I'll just count this as an exercise in curiosity and take the blessings for figuring out how to do it :)
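A worked version of the two-statement split described above, added here as an example and not the policy file from this PR: the action names are real ECR actions, while the account id, region and the `wildcard_findings` checker that flags repository-scopable actions granted on `Resource "*"` are my own assumptions.

```python
# Added example: the loose policy beside the hardened two-statement policy,
# plus a small check that only the account-level action keeps Resource "*".
ACCOUNT_ID = "123456789012"   # constructed placeholder
REGION = "us-east-1"          # constructed placeholder
REPO_ARN = f"arn:aws:ecr:{REGION}:{ACCOUNT_ID}:repository/jwt-pizza-service"

# GetAuthorizationToken is only evaluated at the account level, so a
# wildcard resource is unavoidable for it and nothing else.
ACCOUNT_LEVEL_ACTIONS = {"ecr:GetAuthorizationToken"}

# The loose original: every ECR action on every repository.
LOOSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ecr:*", "Resource": "*"}],
}

# Hardened: authentication at account level, push/pull on the one
# repository the CI job actually updates.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AuthenticateWithEcr", "Effect": "Allow",
         "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
        {"Sid": "PushPullOneRepository", "Effect": "Allow",
         "Action": ["ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
                    "ecr:GetDownloadUrlForLayer", "ecr:InitiateLayerUpload",
                    "ecr:UploadLayerPart", "ecr:CompleteLayerUpload",
                    "ecr:PutImage"],
         "Resource": REPO_ARN},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def wildcard_findings(policy):
    """Return (Sid, action) pairs for Allow statements that grant an action
    on Resource "*" although it could be scoped to a repository ARN."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action not in ACCOUNT_LEVEL_ACTIONS:
                findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings
```

Running `wildcard_findings` over both policies reports the `ecr:*` grant in the loose version and nothing in the hardened one.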