Skip to content

Custom Instance Roles #1660

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
JoeColeman95 merged 17 commits into from
Nov 18, 2025
Merged

Custom Instance Roles #1660

JoeColeman95 merged 17 commits into from
Nov 18, 2025

Conversation

@JoeColeman95
Copy link
Contributor

@JoeColeman95 JoeColeman95 commented Nov 14, 2025

Adds support for a custom instance role - this will allow users to define an IAM role ARN that will be used for the stack, allowing role usage across multiple stacks to reduce maintenance burden.

Used the following policy within my custom role to test:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Ssm",
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeInstanceProperties",
                "ssm:ListAssociations",
                "ssm:PutInventory",
                "ssm:UpdateInstanceInformation",
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel",
                "ec2messages:AcknowledgeMessage",
                "ec2messages:DeleteMessage",
                "ec2messages:FailMessage",
                "ec2messages:GetEndpoint",
                "ec2messages:GetMessages",
                "ec2messages:SendReply"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SsmParameterAccess",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter",
                "ssm:GetParameters"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:parameter/buildkite-*/buildkite/*"
            ]
        },
        {
            "Sid": "AutoScalingAccess",
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingInstances",
                "autoscaling:SetInstanceHealth",
                "autoscaling:TerminateInstanceInAutoScalingGroup"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchMetrics",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData"
            ],
            "Resource": "*"
        },
        {
            "Sid": "StackResourceAccess",
            "Effect": "Allow",
            "Action": [
                "cloudformation:DescribeStackResource",
                "cloudformation:SignalResource"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Ec2TagsAccess",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "S3SecretsAccess",
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::*-managedsecretsbucket-*",
                "arn:aws:s3:::*-managedsecretsbucket-*/*"
            ]
        },
        {
            "Sid": "S3ArtifactsAccess",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectVersionAcl"
            ],
            "Resource": [
                "arn:aws:s3:::*-artifacts",
                "arn:aws:s3:::*-artifacts/*"
            ]
        },
        {
            "Sid": "CloudwatchLogs",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:PutRetentionPolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "PipelineSigningKMSKeyAccess",
            "Effect": "Allow",
            "Action": [
                "kms:Verify",
                "kms:GetPublicKey",
                "kms:Sign"
            ],
            "Resource": "arn:aws:kms:*:*:key/*"
        },
        {
            "Sid": "DecryptAgentToken",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:*:*:key/*"
        },
        {
            "Sid": "ECRAccess",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage",
                "ecr:GetLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:ListTagsForResource",
                "ecr:DescribeImageScanFindings",
                "ecr:CreateRepository",
                "ecr:BatchImportUpstreamImage",
                "ecr:GetImageCopyStatus",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:PutImage"
            ],
            "Resource": "*"
        }
    ]
}

@JoeColeman95
Replicating Terraform Custom instance IAM role
ac31b47
@JoeColeman95
Remove IAM policies depends on
ce717c7 
Allows us to then create a custom role, without creating policies
@JoeColeman95 JoeColeman95 requested a review from a team as a code owner November 14, 2025 15:38
petetomasik
petetomasik requested changes Nov 14, 2025
View reviewed changes
Copy link
Contributor

@petetomasik petetomasik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Potential issue with IAM role ARNs that use custom path prefixes.

@JoeColeman95
Copy link
Contributor Author

JoeColeman95 commented Nov 18, 2025

Thanks @petetomasik, just testing something on here before moving it on to another branch (as I can replicate here) – will merge this once I've reverted those changes

@JoeColeman95 JoeColeman95 merged commit 909a076 into main Nov 18, 2025
1 check passed
@JoeColeman95 JoeColeman95 deleted the SUP-5240/Custom-instance-roles branch November 18, 2025 17:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@omehegan omehegan omehegan left review comments

@petetomasik petetomasik petetomasik approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@JoeColeman95 @petetomasik @omehegan