Support for AWS service-linked roles #49

@elyscape

Description

Roles with a prefix beginning with /aws-service-role/ and a name beginning with AWSServiceRoleFor have special handling by AWS and must be created as service-linked roles. Currently, it tries to define them as regular roles, leading to failure:

myhost:iamy-policies elyscape$ cat REDACTED/iam/role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS.yaml
AssumeRolePolicyDocument:
  Statement:
  - Action: sts:AssumeRole
    Effect: Allow
    Principal:
      Service: ecs.amazonaws.com
  Version: 2012-10-17
Description: Allows ECS to create and manage AWS resources on your behalf.
Policies:
- arn:aws:iam::aws:policy/aws-service-role/AmazonECSServiceRolePolicy
myhost:iamy-policies elyscape$ iamy push
Commands to push changes to AWS:

      aws iam create-role --role-name AWSServiceRoleForECS --path /aws-service-role/ecs.amazonaws.com/ --description 'Allows ECS to create and manage AWS resources on your behalf.' --assume-role-policy-document '{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs.amazonaws.com"
      }
    }
  ],
  "Version": "2012-10-17"
}'
      aws iam attach-role-policy --role-name AWSServiceRoleForECS --policy-arn arn:aws:iam::aws:policy/aws-service-role/AmazonECSServiceRolePolicy

Run 2 aws commands (0 destructive)? (y/N) y

> aws iam create-role --role-name AWSServiceRoleForECS --path /aws-service-role/ecs.amazonaws.com/ --description 'Allows ECS to create and manage AWS resources on your behalf.' --assume-role-policy-document '{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs.amazonaws.com"
      }
    }
  ],
  "Version": "2012-10-17"
}'

An error occurred (InvalidInput) when calling the CreateRole operation: Path prefix '/aws-service-role/' can only be used for AWS Service linked Roles
exit status 255

The role definition was generated by running:

aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com --description 'Allows ECS to create and manage AWS resources on your behalf.'

and then running iamy pull.
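The rule the report describes (path under /aws-service-role/ plus the AWSServiceRoleFor name prefix means IAM will only accept the role through CreateServiceLinkedRole) is mechanical enough to check before a push. The following is an added example written for this page, not iamy's own code: it classifies a role definition by its path and name, derives the --aws-service-name from the path, and emits the matching aws CLI argv. The sample role definitions in main are constructed to mirror the shape of the YAML in the report; the function names and the rule that a role carrying only one of the two markers is rejected locally are this example's own assumptions about how a tool might handle the case.

```go
package main

import (
	"fmt"
	"strings"
)

const (
	serviceLinkedPathPrefix = "/aws-service-role/"
	serviceLinkedNamePrefix = "AWSServiceRoleFor"
)

// IsServiceLinkedRole reports whether a role definition has both markers that
// IAM reserves for service-linked roles: the /aws-service-role/ path prefix
// and the AWSServiceRoleFor name prefix.
func IsServiceLinkedRole(path, name string) bool {
	return strings.HasPrefix(path, serviceLinkedPathPrefix) &&
		strings.HasPrefix(name, serviceLinkedNamePrefix)
}

// ServiceNameFromPath extracts the service principal from a service-linked
// role path: "/aws-service-role/ecs.amazonaws.com/" -> "ecs.amazonaws.com".
func ServiceNameFromPath(path string) (string, error) {
	if !strings.HasPrefix(path, serviceLinkedPathPrefix) {
		return "", fmt.Errorf("path %q does not start with %s", path, serviceLinkedPathPrefix)
	}
	svc := strings.TrimSuffix(strings.TrimPrefix(path, serviceLinkedPathPrefix), "/")
	if svc == "" || strings.Contains(svc, "/") {
		return "", fmt.Errorf("path %q does not hold exactly one service name", path)
	}
	return svc, nil
}

// CustomSuffix returns the part of the name after the first underscore, which
// is the custom suffix for services that allow several service-linked roles
// (AWSServiceRoleFor<Service>_<Suffix>); empty when there is none.
func CustomSuffix(name string) string {
	if i := strings.IndexByte(name, '_'); i >= 0 {
		return name[i+1:]
	}
	return ""
}

// CreateCommand returns the aws CLI argv a push should emit for one role.
// Service-linked roles go through create-service-linked-role, which takes only
// the service name, description and optional suffix; AWS owns their trust
// policy and managed policy, so neither is passed. Ordinary roles keep
// create-role with the caller-supplied trust policy document.
func CreateCommand(path, name, description, trustPolicy string) ([]string, error) {
	hasPath := strings.HasPrefix(path, serviceLinkedPathPrefix)
	hasName := strings.HasPrefix(name, serviceLinkedNamePrefix)
	if hasPath != hasName {
		// IAM rejects this combination at create time (see the InvalidInput
		// error in the report), so refuse it locally instead of mid-push.
		return nil, fmt.Errorf("role %s%s carries only one of the two service-linked markers", path, name)
	}
	if !hasPath {
		return []string{"aws", "iam", "create-role",
			"--role-name", name, "--path", path,
			"--description", description,
			"--assume-role-policy-document", trustPolicy}, nil
	}
	svc, err := ServiceNameFromPath(path)
	if err != nil {
		return nil, err
	}
	args := []string{"aws", "iam", "create-service-linked-role",
		"--aws-service-name", svc, "--description", description}
	if suffix := CustomSuffix(name); suffix != "" {
		args = append(args, "--custom-suffix", suffix)
	}
	return args, nil
}

func main() {
	// Constructed sample definitions (not taken from any real account).
	roles := []struct{ path, name, desc string }{
		{"/aws-service-role/ecs.amazonaws.com/", "AWSServiceRoleForECS", "Allows ECS to create and manage AWS resources on your behalf."},
		{"/aws-service-role/autoscaling.amazonaws.com/", "AWSServiceRoleForAutoScaling_Blue", "constructed suffixed role"},
		{"/service/", "Deployer", "constructed ordinary role"},
		{"/aws-service-role/ecs.amazonaws.com/", "NotReserved", "constructed invalid mix"},
	}
	trust := `{"Version":"2012-10-17","Statement":[]}`
	for _, r := range roles {
		args, err := CreateCommand(r.path, r.name, r.desc, trust)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println(strings.Join(args, " "))
	}
}
```

For the ECS definition from the report this yields `aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com --description '...'`, the same command the reporter used to create the role by hand; the attach-role-policy step is dropped for that branch because the managed policy under /aws-service-role/ is attached by AWS as part of creation.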
