BUGFIX: Give ECS permission to grab private repo secret

2020-07-31 21:05:06 -04:00 · 2020-07-31 21:05:06 -04:00 · a9e6eb3387
commit a9e6eb3387
parent a57c16a69e
1 changed files with 33 additions and 0 deletions
--- a/cloudformation/nakama/task.yaml
+++ b/cloudformation/nakama/task.yaml
@ -46,9 +46,41 @@ Parameters:
 Conditions:
  CreateSecret: !Equals [!Ref NakamaPasswordOverride, ""]
  NoRepositoryCredentials: !Equals [!Ref RepositoryCredentialsSecret, ""]
+  RepositoryCredentials: !Not [!Equals [!Ref RepositoryCredentialsSecret, ""]]

 Resources:

+  EcsExecutionerRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Effect: Allow
+          Principal:
+            Service:
+            - ecs-tasks.amazonaws.com
+          Action:
+          - sts:AssumeRole
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
+  EcsExecutionPolicy:
+    Condition: RepositoryCredentials
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyName: AllowGettingSecrets
+      Roles:
+        - !Ref EcsExecutionerRole
+      PolicyDocument:
+        Statement:
+          - Sid: ReadDockerSecret
+            Action:
+              - secretsmanager:Describe*
+              - secretsmanager:Get*
+              - secretsmanager:List*
+            Effect: Allow
+            Resource: !Ref RepositoryCredentialsSecret
+
  AdminPortalPassword:
    Type: AWS::SecretsManager::Secret
    Condition: CreateSecret
@ -68,6 +100,7 @@ Resources:
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
+      ExecutionRoleArn: !Ref EcsExecutionerRole
      ContainerDefinitions:
      - !If
        - NoRepositoryCredentials