By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Pipeline aws service role

0

Hi team,

I've set up a pipeline using CodePipeline, and this pipeline automatically generated a new service role called AWSCodePipelineServiceRole-region-myPipeline on my behalf.

but this service role created by the pipeline contains too much permission :

"elasticbeanstalk:*",
                "ec2:*",
                "elasticloadbalancing:*",
                "autoscaling:*",
                "cloudwatch:*",
                "s3:*",
                "sns:*",
                "cloudformation:*",
                "rds:*",
                "sqs:*",
                "ecs:*"
              "opsworks:,
.......
......

I'm wondering if it's normal for the pipeline service role to have that excessive number of permissions?

Topics
Developer ToolsContainersDevOpsMicroservices
Tags
AWS CodePipelineAWS CodeDeployAmazon Elastic Container ServiceDevOpsMicroservices
Language
English
JessDL
asked 8 months ago359 views
1 Answer
0

Hi,

Yes, this is the expected behavior and important point to note is this would only be used by codepipeline service as it's codepipeline service role. However you can create your own codepipeline service role following least privilege model and use it while creating pipeline but make sure that it has all the required permissions to deploy/provision resources.

Referece:

Hope this helps.

Comment here if you have additional questions, happy to help.

Abhishek

profile pictureAWS
EXPERT
secondabhi_aws
answered 8 months ago
profile pictureAWS
EXPERT
Didier_Durand
reviewed 8 months ago
  • Didier_Durand EXPERT
    8 months ago

    Yes, you can reduce to least privilege as suggested but it is dependent on what the stages of your pipeline do: you'll have to grant privileges for each of the AWS service that you use in this pipeline, either directly or indirectly. So, start with no privilege and cycle until the last "Authorization Denied" disappear. You can also use CloudTrail to track the various service calls done by your Pipeline: you'll be more efficient.

  • secondabhi_aws EXPERT
    8 months ago

    Do you have any additional questions?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content