Limit iam:CreateServiceLinkedRole permission to specific role #416
Comments
@gabegorelick is it possible to restrict this permission only for the
Yes. I've verified the following works:

```yaml
Effect: Allow
Action:
  - 'iam:CreateServiceLinkedRole'
Resource:
  - !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot'
```

I can throw together a PR if you want.
By all means! My IAM policy knowledge needs a refresh, this is awesome, thanks!
Fixing this in the next version.
Issue type: Github issue
Build number: master
Summary
`iam:CreateServiceLinkedRole` was added in #205 and is a fairly major permission to grant to AutoSpotting. In reality, I think it only needs to create the AWSServiceRoleForEC2Spot service-linked role. Thus, its permissions could be limited to that specific resource. See https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html.
Steps to reproduce
Deploy
Expected results
AutoSpotting only has permission to create the service-linked role it needs.
Actual results
AutoSpotting has permission to create any service-linked role.
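The issue body above describes the over-broad grant and the comment thread shows the pinned `Resource` ARN that fixes it. The following is an added example, not AutoSpotting's own code or template: a small linter that reads an IAM policy document and flags any `Allow` statement covering `iam:CreateServiceLinkedRole` (directly or via a wildcard such as `iam:*`) whose `Resource` is not a single, wildcard-free service-linked role ARN. It also accepts the `iam:AWSServiceName` condition key as an alternative way of pinning the grant to one service, which the page does not mention. The two sample policies, the account id `123456789012` and the `Sid` values are constructed for the example.

```python
"""Added example (not AutoSpotting code): lint an IAM policy document for
iam:CreateServiceLinkedRole grants that are not pinned to one service-linked role."""
import fnmatch
import json
import re

# Service-linked roles always live under the aws-service-role/<service>/ path, so a
# properly scoped Resource names exactly one such ARN with no wildcard characters.
SLR_ARN = re.compile(
    r"^arn:aws:iam::\d{12}:role/aws-service-role/"
    r"[a-z0-9.\-]+\.amazonaws\.com/[A-Za-z0-9+=,.@_\-]+$"
)
TARGET_ACTION = "iam:createservicelinkedrole"


def _as_list(value):
    """IAM allows Action/Resource/condition values to be a string or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants_target_action(statement):
    """True if this Allow statement's Action pattern(s) cover iam:CreateServiceLinkedRole."""
    if statement.get("Effect") != "Allow":
        return False
    if "NotAction" in statement:
        # An Allow with NotAction grants everything not listed; treat as covering it.
        return True
    return any(
        fnmatch.fnmatchcase(TARGET_ACTION, action.lower())
        for action in _as_list(statement.get("Action"))
    )


def is_pinned(statement):
    """True if the grant is limited to one service-linked role, either by an exact
    Resource ARN or by a wildcard-free StringEquals on iam:AWSServiceName."""
    resources = _as_list(statement.get("Resource"))
    if resources and all(SLR_ARN.match(r) for r in resources):
        return True
    string_equals = statement.get("Condition", {}).get("StringEquals", {})
    for key, value in string_equals.items():
        if key.lower() == "iam:awsservicename":
            if all("*" not in v for v in _as_list(value)):
                return True
    return False


def find_unpinned_grants(policy):
    """Return the Sid (or positional label) of every statement that lets the principal
    create any service-linked role rather than one specific role."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if grants_target_action(stmt) and not is_pinned(stmt):
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


# Constructed sample policies (account id is a placeholder, not a real account).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnySlr",
        "Effect": "Allow",
        "Action": "iam:CreateServiceLinkedRole",
        "Resource": "*",  # the shape reported in the issue: any service-linked role
    }],
}

PINNED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowSpotSlrOnly",
        "Effect": "Allow",
        "Action": ["iam:CreateServiceLinkedRole"],
        # Same ARN the thread verifies, with the account id filled in.
        "Resource": "arn:aws:iam::123456789012:role/aws-service-role/"
                    "spot.amazonaws.com/AWSServiceRoleForEC2Spot",
    }],
}

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("pinned", PINNED_POLICY)):
        print(name, json.dumps(find_unpinned_grants(policy)))
```

Run the module directly to see the broad policy's `AllowAnySlr` statement reported and the pinned policy pass clean; to lint a deployed policy, load its JSON with `json.load` and pass the resulting dict to `find_unpinned_grants`. The `iam:*` case matters because a statement that never names `CreateServiceLinkedRole` explicitly still grants it.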