hackoregon / devops-17

deployment tools for Hack Oregon projects

Determine the minimum set of permissions necessary to push docker image via Travis to ECS #14

Closed MikeTheCanuck closed 7 years ago

MikeTheCanuck commented 7 years ago

We don't want to grant "FullAccess" rights to ECS for the AWS IAM identities assigned to the TravisCI repo that builds each project's Django API container.

pdxdiver commented 7 years ago

See the following policy document. Implemented for all "deployer users".

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeServices",
                "ecs:DescribeTaskDefinition",
                "ecs:DescribeTasks",
                "ecs:ListTaskDefinitions",
                "ecs:ListTasks",
                "ecs:RegisterTaskDefinition",
                "ecs:DeregisterTaskDefinition",
                "ecs:UpdateService",
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        }
    ]
}
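
One way to keep deployer identities from drifting back toward "FullAccess" is to check each policy document against the action list posted above before it is attached. This is an added example, not code from this thread or from the Hack Oregon project; `audit_policy`, `DEPLOYER_ACTIONS` and both sample policies are names and inputs constructed for illustration.

```python
import json

# Allowlist taken from the policy document posted in this issue.
DEPLOYER_ACTIONS = {
    "ecs:DescribeServices", "ecs:DescribeTaskDefinition", "ecs:DescribeTasks",
    "ecs:ListTaskDefinitions", "ecs:ListTasks", "ecs:RegisterTaskDefinition",
    "ecs:DeregisterTaskDefinition", "ecs:UpdateService",
    "ecr:GetAuthorizationToken",
}

def _as_list(value):
    # IAM accepts either a single string/object or a list for these fields.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy(policy, allowed=DEPLOYER_ACTIONS):
    """Return sorted findings for Allow statements that exceed the allowlist."""
    allowed_lower = {a.lower() for a in allowed}  # action names are case-insensitive
    findings = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.add("Allow with NotAction grants everything not listed")
        for action in _as_list(stmt.get("Action")):
            if "*" in action or "?" in action:
                findings.add(f"wildcard action: {action}")
            elif action.lower() not in allowed_lower:
                findings.add(f"action outside allowlist: {action}")
    return sorted(findings)

# Constructed sample: the kind of broad grant the issue wants to avoid.
BROAD_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": {"Effect": "Allow",
               "Action": ["ecs:*", "ecr:getauthorizationtoken", "iam:PassRole"],
               "Resource": "*"}}
""")

# Constructed from the posted policy: same actions in a single Allow statement.
POSTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(DEPLOYER_ACTIONS), "Resource": "*"}]}

if __name__ == "__main__":
    for name, doc in (("posted", POSTED_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_policy(doc) or "OK")
```

The check covers actions only; the `"Resource": "*"` scope in the posted policy is not evaluated by it.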