[aws-codebuild] Add support to grant SSM permissions to project
With CodeBuild having support for SSM sessions, we should incorporate a property that allows these permissions to be included in the IAM role (in the same way as the permissions for build reports are done using the grantReportGroupPermissions property).
Use Case
Using SSM to troubleshoot a build environment is a super useful new feature, but you need to add IAM permissions to the role of the build project to enable it to work. This can be done manually at the moment, but a cleaner property to enable it can let developers troubleshoot environments easier without having to remember the specific permissions to add.
Proposed Solution
Add a property grantSSMPermissions to the Project construct, and have it add the below IAM policy to the project:

    buildProject.addToRolePolicy(new iam.PolicyStatement({
      actions: [
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel"
      ],
      effect: iam.Effect.ALLOW,
      resources: [ "*" ]
    }));

I’m not fussed about the default status of the property (I’m inclined to think on by default as it’s relatively harmless, but it is still adding a permission so it might not be ideal to make the assumption - given the grantReportGroupPermissions is default though this could be done the same way).
- 👋 I may be able to implement this feature request (after re:Invent, I’ve got a lot on!)
- ⚠️ This feature might incur a breaking change
This is a 🚀 Feature Request
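
For reviewing which build roles already carry the session permissions listed in the issue, here is an audit-side sketch, added as an example and not code from the issue or from the CDK. It takes IAM policy documents as plain JSON and reports which of the four ssmmessages actions are not allowed on resource "*"; the type and function names and the sample policy are assumptions, and Deny statements, NotAction and Condition blocks are not evaluated.

```typescript
// Added example; all type and function names here are hypothetical.
type Statement = { Effect: string; Action?: string | string[]; Resource?: string | string[] };
type PolicyDocument = { Statement: Statement | Statement[] };

// The four actions listed in the issue.
const SESSION_ACTIONS = [
  "ssmmessages:CreateControlChannel",
  "ssmmessages:CreateDataChannel",
  "ssmmessages:OpenControlChannel",
  "ssmmessages:OpenDataChannel",
];

// IAM allows Statement, Action and Resource to be a single value or a list.
function toArray<T>(v: T | T[] | undefined): T[] {
  if (v === undefined) return [];
  return (Array.isArray(v) ? v : [v]) as T[];
}

// IAM action patterns are case-insensitive and may contain * and ? wildcards.
function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$", "i");
  return re.test(action);
}

// Returns the session actions that no Allow statement on Resource "*" covers.
// Simplification: Deny, NotAction and Condition are ignored by this check.
function missingSessionActions(policies: PolicyDocument[]): string[] {
  const allowed = new Set<string>();
  for (const doc of policies) {
    for (const st of toArray(doc.Statement)) {
      if (st.Effect !== "Allow" || !toArray(st.Resource).includes("*")) continue;
      for (const pattern of toArray(st.Action)) {
        for (const a of SESSION_ACTIONS) {
          if (actionMatches(pattern, a)) allowed.add(a);
        }
      }
    }
  }
  return SESSION_ACTIONS.filter((a) => !allowed.has(a));
}

// Constructed sample: a role policy that covers only the data-channel actions.
const samplePartial: PolicyDocument = {
  Statement: [{ Effect: "Allow", Action: "ssmmessages:*DataChannel", Resource: "*" }],
};
```

An empty result means the role has everything the issue's statement would grant; a partial result, as with `samplePartial`, points at a role where a session would fail for lack of the remaining actions.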
Issue Analytics
- Created 3 years ago
- Reactions:2
- Comments:10 (4 by maintainers)
Top GitHub Comments
I don’t hate it. One thing we could do if we really wanted to get rid of the enabled property, which kind of sucks, is turn this into a method on Project:

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.