layla/aws-nakama-stack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

BUGFIX: Give ECS permission to grab private repo secret

Browse Source
This commit is contained in:
Layla
2020-07-31 21:05:06 -04:00
parent a57c16a69e
commit a9e6eb3387
1 changed files with 33 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
cloudformation/nakama/task.yaml
View File

@ -46,9 +46,41 @@ Parameters:
Conditions: Conditions:
CreateSecret: !Equals [!Ref NakamaPasswordOverride, ""] CreateSecret: !Equals [!Ref NakamaPasswordOverride, ""]
NoRepositoryCredentials: !Equals [!Ref RepositoryCredentialsSecret, ""] NoRepositoryCredentials: !Equals [!Ref RepositoryCredentialsSecret, ""]
RepositoryCredentials: !Not [!Equals [!Ref RepositoryCredentialsSecret, ""]]
Resources: Resources:
EcsExecutionerRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- ecs-tasks.amazonaws.com
Action:
- sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
EcsExecutionPolicy:
Condition: RepositoryCredentials
Type: AWS::IAM::Policy
Properties:
PolicyName: AllowGettingSecrets
Roles:
- !Ref EcsExecutionerRole
PolicyDocument:
Statement:
- Sid: ReadDockerSecret
Action:
- secretsmanager:Describe*
- secretsmanager:Get*
- secretsmanager:List*
Effect: Allow
Resource: !Ref RepositoryCredentialsSecret
AdminPortalPassword: AdminPortalPassword:
Type: AWS::SecretsManager::Secret Type: AWS::SecretsManager::Secret
Condition: CreateSecret Condition: CreateSecret
@ -68,6 +100,7 @@ Resources:
TaskDefinition: TaskDefinition:
Type: AWS::ECS::TaskDefinition Type: AWS::ECS::TaskDefinition
Properties: Properties:
ExecutionRoleArn: !Ref EcsExecutionerRole
ContainerDefinitions: ContainerDefinitions:
- !If - !If
- NoRepositoryCredentials - NoRepositoryCredentials