EnvironmentManagerRole: Metadata: 'aws:copilot:description': 'An IAM Role {{- if .PermissionsBoundary}} with permissions boundary {{.PermissionsBoundary}} {{- end}} to describe resources in your environment' DeletionPolicy: Retain Type: AWS::IAM::Role DependsOn: CloudformationExecutionRole Properties: RoleName: !Sub ${AWS::StackName}-EnvManagerRole AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: AWS: !Sub ${ToolsAccountPrincipalARN} Action: sts:AssumeRole {{- if .PermissionsBoundary}} PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/{{.PermissionsBoundary}}' {{- end}} Path: / Policies: - PolicyName: root PolicyDocument: Version: '2012-10-17' Statement: {{- if .HasImportedCerts}} - Sid: ImportedCertificates Effect: Allow Action: [ acm:DescribeCertificate ] Resource: {{- range $arn := .PublicHTTPConfig.ImportedCertARNs}} - "{{$arn}}" {{- end}} {{- range $arn := .PrivateHTTPConfig.ImportedCertARNs}} - "{{$arn}}" {{- end}} {{- if and .CDNConfig .CDNConfig.ImportedCertificate}} - "{{.CDNConfig.ImportedCertificate}}" {{- end}} {{- end}} - Sid: CloudwatchLogs Effect: Allow Action: [ "logs:GetLogRecord", "logs:GetQueryResults", "logs:StartQuery", "logs:GetLogEvents", "logs:DescribeLogStreams", "logs:StopQuery", "logs:TestMetricFilter", "logs:FilterLogEvents", "logs:GetLogGroupFields", "logs:GetLogDelivery" ] Resource: "*" - Sid: Cloudwatch Effect: Allow Action: [ "cloudwatch:DescribeAlarms" ] Resource: "*" - Sid: ECS Effect: Allow Action: [ "ecs:ListAttributes", "ecs:ListTasks", "ecs:DescribeServices", "ecs:DescribeTaskSets", "ecs:ListContainerInstances", "ecs:DescribeContainerInstances", "ecs:DescribeTasks", "ecs:DescribeClusters", "ecs:UpdateService", "ecs:PutAttributes", "ecs:StartTelemetrySession", "ecs:StartTask", "ecs:StopTask", "ecs:ListServices", "ecs:ListTaskDefinitionFamilies", "ecs:DescribeTaskDefinition", "ecs:ListTaskDefinitions", "ecs:ListClusters", "ecs:RunTask" ] Resource: "*" - Sid: ExecuteCommand Effect: Allow Action: [ "ecs:ExecuteCommand" ] Resource: "*" Condition: StringEquals: 'aws:ResourceTag/copilot-application': !Sub '${AppName}' 'aws:ResourceTag/copilot-environment': !Sub '${EnvironmentName}' - Sid: StartStateMachine Effect: Allow Action: - "states:StartExecution" - "states:DescribeStateMachine" Resource: - !Sub "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${AppName}-${EnvironmentName}-*" - Sid: CloudFormation Effect: Allow Action: [ "cloudformation:CancelUpdateStack", "cloudformation:CreateChangeSet", "cloudformation:CreateStack", "cloudformation:DeleteChangeSet", "cloudformation:DeleteStack", "cloudformation:Describe*", "cloudformation:DetectStackDrift", "cloudformation:DetectStackResourceDrift", "cloudformation:ExecuteChangeSet", "cloudformation:GetTemplate", "cloudformation:GetTemplateSummary", "cloudformation:UpdateStack", "cloudformation:UpdateTerminationProtection" ] Resource: "*" - Sid: GetAndPassCopilotRoles Effect: Allow Action: [ "iam:GetRole", "iam:PassRole" ] Resource: "*" Condition: StringEquals: 'iam:ResourceTag/copilot-application': !Sub '${AppName}' 'iam:ResourceTag/copilot-environment': !Sub '${EnvironmentName}' - Sid: ECR Effect: Allow Action: [ "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability", "ecr:CompleteLayerUpload", "ecr:DescribeImages", "ecr:DescribeRepositories", "ecr:GetDownloadUrlForLayer", "ecr:InitiateLayerUpload", "ecr:ListImages", "ecr:ListTagsForResource", "ecr:PutImage", "ecr:UploadLayerPart", "ecr:GetAuthorizationToken" ] Resource: "*" - Sid: ResourceGroups Effect: Allow Action: [ "resource-groups:GetGroup", "resource-groups:GetGroupQuery", "resource-groups:GetTags", "resource-groups:ListGroupResources", "resource-groups:ListGroups", "resource-groups:SearchResources" ] Resource: "*" - Sid: SSM Effect: Allow Action: [ "ssm:DeleteParameter", "ssm:DeleteParameters", "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath" ] Resource: "*" - Sid: SSMSecret Effect: Allow Action: [ "ssm:PutParameter", "ssm:AddTagsToResource" ] Resource: - !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/copilot/${AppName}/${EnvironmentName}/secrets/*' - Sid: ELBv2 Effect: Allow Action: [ "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeSSLPolicies", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeRules" ] Resource: "*" - Sid: BuiltArtifactAccess Effect: Allow Action: [ "s3:ListBucketByTags", "s3:GetLifecycleConfiguration", "s3:GetBucketTagging", "s3:GetInventoryConfiguration", "s3:GetObjectVersionTagging", "s3:ListBucketVersions", "s3:GetBucketLogging", "s3:ListBucket", "s3:GetAccelerateConfiguration", "s3:GetBucketPolicy", "s3:GetObjectVersionTorrent", "s3:GetObjectAcl", "s3:GetEncryptionConfiguration", "s3:GetBucketRequestPayment", "s3:GetObjectVersionAcl", "s3:GetObjectTagging", "s3:GetMetricsConfiguration", "s3:HeadBucket", "s3:GetBucketPublicAccessBlock", "s3:GetBucketPolicyStatus", "s3:ListBucketMultipartUploads", "s3:GetBucketWebsite", "s3:ListJobs", "s3:GetBucketVersioning", "s3:GetBucketAcl", "s3:GetBucketNotification", "s3:GetReplicationConfiguration", "s3:ListMultipartUploadParts", "s3:GetObject", "s3:GetObjectTorrent", "s3:GetAccountPublicAccessBlock", "s3:ListAllMyBuckets", "s3:DescribeJob", "s3:GetBucketCORS", "s3:GetAnalyticsConfiguration", "s3:GetObjectVersionForReplication", "s3:GetBucketLocation", "s3:GetObjectVersion", "kms:Decrypt" ] Resource: "*" - Sid: PutObjectsToArtifactBucket Effect: Allow Action: - s3:PutObject - s3:PutObjectAcl Resource: - {{.ArtifactBucketARN}} - {{.ArtifactBucketARN}}/* - Sid: EncryptObjectsInArtifactBucket Effect: Allow Action: - kms:GenerateDataKey Resource: {{.ArtifactBucketKeyARN}} - Sid: EC2 Effect: Allow Action: [ "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRouteTables" ] Resource: "*" - Sid: AppRunner Effect: Allow Action: [ "apprunner:DescribeService", "apprunner:ListOperations", "apprunner:ListServices", "apprunner:PauseService", "apprunner:ResumeService", "apprunner:StartDeployment", "apprunner:DescribeObservabilityConfiguration", "apprunner:DescribeVpcIngressConnection" ] Resource: "*" - Sid: Tags Effect: Allow Action: [ "tag:GetResources" ] Resource: "*" - Sid: ApplicationAutoscaling Effect: Allow Action: [ "application-autoscaling:DescribeScalingPolicies" ] Resource: "*" - Sid: DeleteRoles Effect: Allow Action: [ "iam:DeleteRole", "iam:ListRolePolicies", "iam:DeleteRolePolicy" ] Resource: - !GetAtt CloudformationExecutionRole.Arn - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AWS::StackName}-EnvManagerRole" - Sid: DeleteEnvStack Effect: Allow Action: - 'cloudformation:DescribeStacks' - 'cloudformation:DeleteStack' Resource: - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*'