
[aws-codebuild] Add support to grant SSM permissions to project


With CodeBuild having support for SSM sessions, we should incorporate a property that allows these permissions to be included in the IAM role (in the same way as the permissions for build reports are done using the grantReportGroupPermissions property).

Use Case

Using SSM to troubleshoot a build environment is a super useful new feature, but you need to add IAM permissions to the role of the build project to enable it to work. This can be done manually at the moment, but a cleaner property to enable it can let developers troubleshoot environments more easily without having to remember the specific permissions to add.

Proposed Solution

Add a property grantSSMPermissions to the Project construct, and have it add the below IAM policy to the project:

    // `iam` is the CDK IAM module (v1 package name); `buildProject` is an existing codebuild.Project
    import * as iam from '@aws-cdk/aws-iam';

    // The four ssmmessages actions Session Manager needs; ssmmessages is granted on Resource "*"
    buildProject.addToRolePolicy(new iam.PolicyStatement({
      actions: [
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel"
      ],
      effect: iam.Effect.ALLOW,
      resources: [ "*" ]
    }));

I’m not fussed about the default status of the property (I’m inclined to think on by default as it’s relatively harmless, but it is still adding a permission so it might not be ideal to make the assumption - given the grantReportGroupPermissions is default though this could be done the same way).

  • 👋 I may be able to implement this feature request (after re:Invent, I’ve got a lot on!)
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request
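To make the proposal concrete without a CDK dependency, here is an added example in TypeScript; it is not aws-cdk code and not from the issue author. It builds the statement from the issue as plain IAM policy JSON, applies it to a role's inline policy document the way the proposed property (or a method on Project) would, and adds the check a practitioner wants before a build is started with a debug session: does this policy document actually grant all four ssmmessages actions? The check follows IAM's evaluation rules for a single policy (explicit Deny wins, wildcard actions match). The sample policy documents and the names `withSessionManagerAccess`, `missingSsmSessionActions` and `canUseSessionManager` are this example's own; the action list is the one in the issue.

```typescript
// Added example, not code from aws-cdk or from the issue author. It models the
// IAM policy change the issue proposes as plain JSON (no CDK dependency) and
// checks whether a build role's policy lets Session Manager connect.

// The four actions AWS documents for connecting to a CodeBuild build with
// Session Manager, as listed in the issue text.
export const SSM_SESSION_ACTIONS: readonly string[] = [
  "ssmmessages:CreateControlChannel",
  "ssmmessages:CreateDataChannel",
  "ssmmessages:OpenControlChannel",
  "ssmmessages:OpenDataChannel",
];

// Minimal shape of an IAM policy statement / document for this check.
export interface Statement {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, unknown>;
}
export interface PolicyDocument {
  Version: string;
  Statement: Statement[];
}

// The statement grantSSMPermissions (or a method on Project) would add.
// Resource is "*" because that is the form the documented policy uses.
export function ssmSessionStatement(): Statement {
  return { Effect: "Allow", Action: [...SSM_SESSION_ACTIONS], Resource: "*" };
}

function asList(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

// IAM action matching: case-insensitive, with "*" and "?" wildcards,
// so "ssmmessages:*" or "ssmmessages:Open*Channel" count as a match.
function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`, "i").test(action);
}

// Which of the required actions the document does not grant.
// Evaluation follows IAM: an explicit Deny on the action wins; otherwise an
// unconditional Allow on Resource "*" grants it. Conditional Allows are
// treated as not granting because this offline check has no request context
// to evaluate them against (a conservative choice of this example).
export function missingSsmSessionActions(doc: PolicyDocument): string[] {
  const missing: string[] = [];
  for (const action of SSM_SESSION_ACTIONS) {
    let allowed = false;
    let denied = false;
    for (const st of doc.Statement) {
      if (!asList(st.Action).some((p) => actionMatches(p, action))) continue;
      if (st.Effect === "Deny") { denied = true; break; }
      if (st.Condition === undefined && asList(st.Resource).includes("*")) allowed = true;
    }
    if (denied || !allowed) missing.push(action);
  }
  return missing;
}

export function canUseSessionManager(doc: PolicyDocument): boolean {
  return missingSsmSessionActions(doc).length === 0;
}

// What the proposed property/method would do to the role's policy: append the
// statement, but only when something is actually missing, so calling it twice
// does not pile up duplicate statements.
export function withSessionManagerAccess(doc: PolicyDocument): PolicyDocument {
  if (canUseSessionManager(doc)) return doc;
  return { ...doc, Statement: [...doc.Statement, ssmSessionStatement()] };
}

// Constructed sample policies (not taken from any real account).
// A typical build role before the change: it can write build logs, nothing more.
export const BEFORE: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Action: ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
    Resource: "*",
  }],
};
export const AFTER: PolicyDocument = withSessionManagerAccess(BEFORE);

// A wildcard grant undercut by an explicit Deny: the Deny wins, and appending
// the Allow statement again does not change that.
export const DENIED: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: "ssmmessages:*", Resource: "*" },
    { Effect: "Deny", Action: "ssmmessages:OpenDataChannel", Resource: "*" },
  ],
};
```

To use it on a real role, feed `missingSsmSessionActions` the `PolicyDocument` field returned by `aws iam get-role-policy` for the build role. The check looks at one policy document only: attached managed policies, permissions boundaries and SCPs also take part in the real IAM decision and are outside what this offline check sees, so an empty "missing" list means the inline policy is sufficient, not that nothing else can block the session.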

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 2
  • Comments: 10 (4 by maintainers)

Top GitHub Comments

1 reaction
skinny85 commented, Oct 27, 2020

I don’t hate it. One thing we could do if we really wanted to get rid of the enabled property, which kind of sucks, is turn this into a method on Project:

    const project = new Project(this, 'Project', {
        // other properties...
    });
    project.enableConnectingFromSessionManager(LoggingTarget.fromLogGroup(myLogGroup));
    // loggingTarget is an optional argument to the enableConnectingFromSessionManager() method
0 reactions
github-actions[bot] commented, Jun 17, 2022

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

