dwardu89 / aws-ssm-parameter-store

A GitHub Action to store parameters into AWS Systems Manager Parameter Store.
Apache License 2.0

running into permission issues #16

Closed AgentGoldPaw closed 2 years ago

AgentGoldPaw commented 2 years ago

I have done everything according to the docs and set up my IAM user to use ssm:PutParameter; however, it's still getting a permission denied error.

AgentGoldPaw commented 2 years ago

Added god-mode permissions to the role and still nothing.

dwardu89 commented 2 years ago

Can you add more information to this, please? Maybe I can try to reproduce it myself. I've been using it a fair number of times in multiple projects and it works for me.

AgentGoldPaw commented 2 years ago

AWS permissions

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecr:PutImageTagMutability",
                "ecr:StartImageScan",
                "ecr:DescribeImageReplicationStatus",
                "ecr:ListTagsForResource",
                "ecr:UploadLayerPart",
                "ecr:BatchDeleteImage",
                "ecr:ListImages",
                "ecr:DeleteRepository",
                "ecr:CompleteLayerUpload",
                "ecr:TagResource",
                "ecr:DescribeRepositories",
                "ecr:DeleteRepositoryPolicy",
                "ecr:BatchCheckLayerAvailability",
                "ecr:ReplicateImage",
                "ecr:GetLifecyclePolicy",
                "ecr:PutLifecyclePolicy",
                "ecr:DescribeImageScanFindings",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:CreateRepository",
                "ecr:PutImageScanningConfiguration",
                "ecr:GetDownloadUrlForLayer",
                "ecr:DeleteLifecyclePolicy",
                "ecr:PutImage",
                "ecr:UntagResource",
                "ecr:SetRepositoryPolicy",
                "ecr:BatchGetImage",
                "ecr:DescribeImages",
                "ecr:StartLifecyclePolicyPreview",
                "ecr:InitiateLayerUpload",
                "ecr:GetRepositoryPolicy"
            ],
            "Resource": "arn:aws:ecr:us-west-2:xxxxxxxx:repository/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ssm:CancelCommand",
                "ssm:ListCommands",
                "ssm:DescribeMaintenanceWindowSchedule",
                "ssm:SendAutomationSignal",
                "ssm:DescribeInstancePatches",
                "ssm:CreateActivation",
                "ssm:CreateOpsItem",
                "ssm:GetMaintenanceWindowExecutionTaskInvocation",
                "ssm:DescribeAutomationExecutions",
                "ssm:DeleteActivation",
                "ssm:DescribeMaintenanceWindowExecutionTaskInvocations",
                "ssm:DescribeAutomationStepExecutions",
                "ssm:ListOpsMetadata",
                "ssm:UpdateInstanceInformation",
                "ssm:DescribeParameters",
                "ssm:ListResourceDataSync",
                "ssm:ListDocuments",
                "ssm:DescribeMaintenanceWindowsForTarget",
                "ssm:ListComplianceItems",
                "ssm:GetConnectionStatus",
                "ssm:GetMaintenanceWindowExecutionTask",
                "ssm:GetMaintenanceWindowExecution",
                "ecr:GetAuthorizationToken",
                "ssm:ListResourceComplianceSummaries",
                "ssm:ListOpsItemRelatedItems",
                "ssm:DescribeOpsItems",
                "ssm:DescribeMaintenanceWindows",
                "ssm:CancelMaintenanceWindowExecution",
                "ssm:DescribeAssociationExecutions",
                "ssm:ListCommandInvocations",
                "ssm:GetAutomationExecution",
                "ssm:DescribePatchGroups",
                "ssm:ListAssociationVersions",
                "ssm:PutConfigurePackageResult",
                "ssm:DescribePatchGroupState",
                "ecr:PutRegistryPolicy",
                "ssm:CreatePatchBaseline",
                "ssm:GetManifest",
                "ssm:DeleteInventory",
                "ssm:DescribeMaintenanceWindowExecutionTasks",
                "ssm:DescribeInstancePatchStates",
                "ssm:DescribeInstancePatchStatesForPatchGroup",
                "ssm:GetInventorySchema",
                "ssm:CreateMaintenanceWindow",
                "ssm:DescribeAssociationExecutionTargets",
                "ssm:DescribeInstanceProperties",
                "ssm:ListInventoryEntries",
                "ecr:GetRegistryPolicy",
                "ssm:ListOpsItemEvents",
                "ssm:GetDeployablePatchSnapshotForInstance",
                "ssm:DescribeSessions",
                "ecr:DescribeRegistry",
                "ssm:DescribePatchBaselines",
                "ssm:DescribeInventoryDeletions",
                "ssm:DescribePatchProperties",
                "ssm:GetInventory",
                "ssm:DescribeActivations",
                "ssm:StopAutomationExecution",
                "ssm:GetCommandInvocation",
                "ssm:CreateOpsMetadata",
                "ssm:ListComplianceSummaries",
                "ssm:PutInventory",
                "ssm:DescribeInstanceInformation",
                "ecr:DeleteRegistryPolicy",
                "ssm:ListAssociations",
                "ecr:PutReplicationConfiguration",
                "ssm:DescribeAvailablePatches"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "ssm:*",
            "Resource": "*"
        }
    ]
}

GitHub action

on: [push]
jobs:
  build:
    strategy:
      matrix:
        os: [ubuntu-20.04]
    runs-on: ${{ matrix.os }}
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_IMAGE_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_IMAGE_SECRET_ACCESS_KEY }}
          aws-region: us-west-2
      - name: Add image tag to Parameter Store
        uses: dwardu89/aws-ssm-parameter-store@v1
        with:
          ssm-path: "/dev/mobile-api"
          ssm-value: "test"
          aws-region: us-west-2
          ssm-value-type: String

I don't know what else you would need; I dropped 90% of the action to see if it worked without it, and no luck. @dwardu89

dwardu89 commented 2 years ago

Have you tried running a put-parameter command in the CLI with that access key id/secret key? Because it looks fine to me.
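To check that "looks fine to me" against the posted policy, here is an added example (mine, not code from dwardu89/aws-ssm-parameter-store or from anyone in this thread): a small IAM-style policy evaluator that answers two questions about the JSON above. Does it permit the one call the action makes, ssm:PutParameter on the parameter /dev/mobile-api? And how much more does it permit? The evaluation model is an assumption of the example: any matching explicit Deny wins, then any matching Allow, otherwise implicit deny; Condition, NotAction, NotResource, permission boundaries, SCPs and resource policies are not modelled, so the real decision can only be stricter than what this returns. The account id 123456789012, the trimmed copy of the posted policy, and the least-privilege alternative are all constructed here.

```python
"""
Added example: simplified IAM identity-policy evaluation for the SSM
PutParameter call made by the workflow above. Not project code.

Assumptions (not from the thread): explicit Deny > Allow > implicit deny;
no Condition/NotAction/NotResource/SCP/boundary handling; the account id
123456789012 is a placeholder.
"""
import re


def _wildcard(pattern: str, ignore_case: bool) -> re.Pattern:
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE if ignore_case else 0)


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def param_arn(region: str, account: str, name: str) -> str:
    """ARN of a Parameter Store parameter. The leading '/' of a hierarchical
    name is dropped: /dev/mobile-api -> ...:parameter/dev/mobile-api"""
    return f"arn:aws:ssm:{region}:{account}:parameter/{name.lstrip('/')}"


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one API call.
    Action names are matched case-insensitively, ARNs case-sensitively
    (a modelling assumption of this example)."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement")):
        action_hit = any(_wildcard(a, True).match(action)
                         for a in _as_list(stmt.get("Action")))
        resource_hit = any(_wildcard(r, False).match(resource)
                           for r in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"        # an explicit Deny overrides every Allow
        if stmt.get("Effect") == "Allow":
            decision = "Allow"   # keep scanning: a later Deny still wins
    return decision


# Constructed: the decisive part of the policy posted above, with the long
# ECR/SSM action lists trimmed. Statement VisualEditor2 is what grants
# ssm:PutParameter (and every other SSM action, on every resource).
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["ecr:PutImage", "ecr:BatchGetImage"],
         "Resource": "arn:aws:ecr:us-west-2:123456789012:repository/*"},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": ["ssm:DescribeParameters", "ecr:GetAuthorizationToken"],
         "Resource": "*"},
        {"Sid": "VisualEditor2", "Effect": "Allow",
         "Action": "ssm:*", "Resource": "*"},
    ],
}

# Constructed least-privilege alternative for the workflow above: write
# access to the one parameter hierarchy the job needs, nothing else in SSM,
# plus an explicit Deny so the CI credential can never delete parameters.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PutDevParameters", "Effect": "Allow",
         "Action": "ssm:PutParameter",
         "Resource": "arn:aws:ssm:us-west-2:123456789012:parameter/dev/*"},
        {"Sid": "NeverDelete", "Effect": "Deny",
         "Action": "ssm:DeleteParameter*", "Resource": "*"},
    ],
}


def action_call_allowed(policy: dict, region: str, account: str, name: str) -> bool:
    """True if the PutParameter call the action performs would be authorised."""
    return evaluate(policy, "ssm:PutParameter", param_arn(region, account, name)) == "Allow"


if __name__ == "__main__":
    dev = param_arn("us-west-2", "123456789012", "/dev/mobile-api")
    prod = param_arn("us-west-2", "123456789012", "/prod/db-password")
    for label, pol in (("posted", POSTED_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(f"{label:16} PutParameter    /dev/mobile-api  -> {evaluate(pol, 'ssm:PutParameter', dev)}")
        print(f"{label:16} DeleteParameter /prod/db-password -> {evaluate(pol, 'ssm:DeleteParameter', prod)}")
```

Under this model the posted policy allows the PutParameter call, so the policy itself is not the cause of the AccessDenied; it also allows ssm:DeleteParameter on a production parameter, which is the cost of "ssm:*" on "*". The authoritative answer comes from AWS, not from this script: `aws iam simulate-principal-policy --policy-source-arn <user-arn> --action-names ssm:PutParameter --resource-arns <parameter-arn>`, or simply the CLI check suggested above, `aws ssm put-parameter --name /dev/mobile-api --value test --type String --overwrite` with the same access keys. If the CLI succeeds and the action does not, look at what the action actually sends rather than at the policy.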

AgentGoldPaw commented 2 years ago

let me try again.

AgentGoldPaw commented 2 years ago

it works with the CLI but not the action. Is there a way to dump the whole permission with all values? @dwardu89

dwardu89 commented 2 years ago

You can try debugging your action: https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging#enabling-step-debug-logging

You might have found a bug, but it might require you to fork this project and raise a PR so we can get it in.

AgentGoldPaw commented 2 years ago

will work through it a little later, trying to track down a bug in another branch of the project I am on. Will report back.

dwardu89 commented 2 years ago

I've released an update due to package updates.

AgentGoldPaw commented 2 years ago

New to actions. So I just re-run it, right? It'll pull the latest?

AgentGoldPaw commented 2 years ago

New errors:

ValidationException: 2 validation errors detected: Value null at 'name' failed to satisfy constraint: Member must not be null.; Value at 'value' failed to satisfy constraint: Member must not be null.

AgentGoldPaw commented 2 years ago

@dwardu89, how do I test the action locally? I can find and fix issues, but I can't find anything about debugging.

AgentGoldPaw commented 2 years ago

v2.0.0 fixes it.