Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Serverlessデプロイ用のIAMユーザーを作成 #25

Merged
merged 2 commits into from
Apr 29, 2021
Merged

Serverlessデプロイ用のIAMユーザーを作成 #25

merged 2 commits into from
Apr 29, 2021
+147 −0

Conversation

keitakn
Copy link
Member

@keitakn keitakn commented Apr 23, 2021
edited
Loading

issueURL

#14

Doneの定義

  • Serverlessデプロイ用のIAMユーザーが作成されている事

変更点概要

providers/aws/environments/prod/14-iam/ を追加し serverless deploy で利用する為のIAMユーザーを作成。

IAMポリシーは こちらの記事 にある通り、admin権限を持ったIAMユーザーで実際に serverless deploy を実行した履歴を元に作成。

ただし、いくつかの権限に関しては手動で追加している。(対象箇所のインラインコメントを参照)

動作確認は以下の2つで行った。

レビュアーに重点的にチェックして欲しい点

多分これでも、無駄な権限はあるけど、AdministratorAccess をアタッチするよりはマシだと思う🐱

ポリシーの内容見て問題ないか確認してもらえると:pray:

今後必要な権限が増えたら serverless-deploy-policy.json に追加していく感じで良いと思う!

補足情報

複数のリポジトリで利用するので以下の名前で organizations secret として追加済。

  • LGTM_CAT_SERVERLESS_DEPLOY_AWS_ACCESS_KEY_ID
  • LGTM_CAT_SERVERLESS_DEPLOY_AWS_SECRET_ACCESS_KEY

@keitakn keitakn self-assigned this Apr 23, 2021
keitakn
keitakn commented Apr 25, 2021
View reviewed changes
modules/aws/iam/files/policy/serverless-deploy-policy.json
Comment on lines +16 to +18
"cognito-identity:*",
"cognito-sync:*",
"cognito-idp:*"
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GitHubログインの時にCognitoUserPoolのカスタムLambdaが必要になるから追加🐱

keitakn
keitakn commented Apr 25, 2021
View reviewed changes
modules/aws/iam/files/policy/serverless-deploy-policy.json
},
{
"Effect": "Allow",
"Action": "apigateway:*",
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GitHubログイン実行時にUserPoolのトークン発行APIを使う可能性があるので追加🐱
(そもそもServerlessで実装するかも分からないので、いらないかも)

keitakn
keitakn commented Apr 25, 2021
View reviewed changes
modules/aws/iam/files/policy/serverless-deploy-policy.json
},
{
"Effect": "Allow",
"Action": "cloudfront:*",
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

apigateway* を付けるとセットでこれも付けないと駄目だったので追加🐱

何故なのか理由はよく分からない・・・

多分APIGatewayの裏側ではCloudFrontが使われているからそのせい??

@keitakn keitakn requested a review from kobayashi-m42 April 25, 2021 03:27
@keitakn keitakn marked this pull request as ready for review April 25, 2021 03:27
kobayashi-m42
kobayashi-m42 approved these changes Apr 29, 2021
View reviewed changes
Copy link
Member

@kobayashi-m42 kobayashi-m42 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTMeow

@keitakn keitakn merged commit 7958ecd into main Apr 29, 2021
@keitakn keitakn deleted the feature/issue14/add-iam-user branch April 29, 2021 07:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kobayashi-m42 kobayashi-m42 kobayashi-m42 approved these changes

Assignees

@keitakn keitakn

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@keitakn @kobayashi-m42