🛂 Grant App roles trust permissions to be assumed by the app repo #4023
Comments
This issue is being marked as stale because it has been open for 60 days with no activity. Remove stale label or comment to keep the issue open.
This issue is being closed because it has been open for a further 7 days with no activity. If this is still a valid issue, please reopen it. Thank you!
User Story
As an app admin
I want to allow my GitHub runner access to assume my app role
So that I can make use of app permissions in GitHub runner actions
Value / Purpose
Users have asked us to create custom roles that can be assumed by GitHub runners. By allowing the app repo to assume the role that we already create for the app, we won't need to manage additional roles for runners.
Useful Contacts
@julialawrence @michaeljcollinsuk
User Types
No response
Hypothesis
If we... [do a thing]
Then... [this will happen]
Proposal
When creating an IAM role for an app, set up the trust policy so that it can be assumed by the app repo by default. App roles are already created via the Control Panel when a user registers their app, so this existing implementation will need to be updated to add the extra permissions statement to the trust policy. We store the repo URL when an app is registered, so we can use this in the trust policy definition.
For existing apps, we will need to decide if we retrospectively apply the same changes, or only update for apps that have requested it.
Additional Information
See discussion about this in Slack https://mojdt.slack.com/archives/C04M8224WCV/p1712686094130389.
There may be related support/feature requests but I cannot find them at this time.
Definition of Done
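One way the extra trust-policy statement described in the Proposal could be built from the stored repo URL, as an added example that is not part of the issue or the Control Panel's code. It assumes the runner authenticates through GitHub's OIDC provider (`token.actions.githubusercontent.com`) registered in the AWS account; the function names, the `Sid`, the account ID and the sample policy are constructed for illustration.

```python
import json
import re
from urllib.parse import urlparse

OIDC_HOST = "token.actions.githubusercontent.com"  # assumed: GitHub OIDC federation
SID = "AllowAppRepoGitHubActions"  # hypothetical Sid, used to keep updates idempotent
NAME = re.compile(r"[A-Za-z0-9._-]+")  # no '*' or '?', so StringLike cannot be widened

def repo_slug(repo_url):
    """Return 'owner/repo' from the stored repo URL, or raise ValueError."""
    parsed = urlparse(repo_url.strip())
    if parsed.scheme != "https" or parsed.hostname != "github.com":
        raise ValueError(f"not an https://github.com URL: {repo_url!r}")
    path = parsed.path.strip("/")
    parts = (path[:-4] if path.endswith(".git") else path).split("/")
    if len(parts) != 2 or not all(NAME.fullmatch(p) and p.strip(".") for p in parts):
        raise ValueError(f"expected https://github.com/<owner>/<repo>: {repo_url!r}")
    return "/".join(parts)

def github_trust_statement(account_id, repo_url):
    """Trust statement scoped to workflows of exactly one repository."""
    return {
        "Sid": SID,
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{OIDC_HOST}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{OIDC_HOST}:aud": "sts.amazonaws.com"},
            "StringLike": {f"{OIDC_HOST}:sub": f"repo:{repo_slug(repo_url)}:*"},
        },
    }

def add_repo_trust(trust_policy, account_id, repo_url):
    """Return a copy of the policy with the repo statement added or refreshed."""
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    kept = [s for s in statements if s.get("Sid") != SID]
    return {"Version": trust_policy.get("Version", "2012-10-17"),
            "Statement": kept + [github_trust_statement(account_id, repo_url)]}

# Constructed sample: an existing app role trust policy and a registered repo URL.
SAMPLE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    updated = add_repo_trust(SAMPLE_TRUST_POLICY, "111122223333",
                             "https://github.com/example-org/example-app")
    print(json.dumps(updated, indent=2))
```

The `:*` suffix on the `sub` condition admits any branch, tag or environment of that one repository; replace it with a specific ref or environment if the role should only be assumable from, say, the main branch.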