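#!/usr/bin/env bash
#
# iam.sh - create the IAM roles and customer-managed policies used by the ECS
# task definitions in this project: a task execution role, a generic task
# role and a task role for the ADOT collector.  Role names and policy ARNs are
# exported so a caller can `source` this file and reuse them.
#
# Requirements: AWS CLI with credentials permitted to call sts:GetCallerIdentity
# and the iam:CreateRole / CreatePolicy / AttachRolePolicy actions.
#
# Optional environment (both default to "*", matching the original behaviour;
# set them to real ARNs to scope the generated policies down):
#   SSM_PARAMETER_RESOURCE  ARN or ARN pattern of the SSM parameters tasks read
#   AMP_WORKSPACE_ARN       ARN of the AMP workspace the ADOT collector uses
#
# The script works whether it is executed or sourced: every AWS call is
# checked and a failure aborts via `return` (sourced) or `exit` (executed)
# rather than continuing with an empty ARN.  Policy documents are written to
# the current directory under the same file names as before.
#
# NOTE(review): the roles are created, never updated - rerunning against an
# account where they already exist fails on the first create-role call.
#

# Print an error message on stderr; callers chain `|| return 1` after it.
_iam_error() {
  printf 'iam.sh: %s\n' "$*" >&2
}

# Create a role trusted by ECS tasks ($1 = role name, $2 = trust policy file)
# and print its ARN.  The aws CLI reports the reason on stderr on failure.
_iam_create_role() {
  aws iam create-role \
    --role-name "$1" \
    --assume-role-policy-document "file://$2" \
    --query 'Role.Arn' --output text
}

# Create a customer-managed policy ($1 = policy name, $2 = policy document
# file) and print its ARN.
_iam_create_policy() {
  aws iam create-policy \
    --policy-name "$1" \
    --policy-document "file://$2" \
    --query 'Policy.Arn' --output text
}

# Attach policy ARN $2 to role $1, reporting which pair failed.
_iam_attach() {
  aws iam attach-role-policy --role-name "$1" --policy-arn "$2" \
    || { _iam_error "could not attach $2 to role $1"; return 1; }
}

# Entry point: writes the policy documents, creates roles/policies and sets
# the exported variables listed at the bottom.  Returns non-zero on the first
# failed AWS call.
iam_setup() {
  local account_id
  local trust_file=TrustPolicy.json
  local exec_policy_file=TaskExecutionPermissionPolicy.json
  local adot_policy_file=AdotTaskPermissionPolicy.json
  local ssm_resource="${SSM_PARAMETER_RESOURCE:-*}"
  local amp_resource="${AMP_WORKSPACE_ARN:-*}"

  # The account ID pins the trust policy to this account (confused-deputy
  # guard recommended by AWS for service principals such as ecs-tasks).
  account_id=$(aws sts get-caller-identity --query 'Account' --output text) \
    || { _iam_error "could not determine the AWS account ID"; return 1; }

  #
  # Trust policy shared by the task and task execution roles.  Without the
  # aws:SourceAccount condition any ECS task in any account could be pointed
  # at these roles.
  #
  cat <<EOF > "$trust_file"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "${account_id}"
        }
      }
    }
  ]
}
EOF

  #
  # Permission policy for the task execution role: lets the ECS agent read
  # the SSM parameters referenced from the task definitions.  Scope the
  # Resource with SSM_PARAMETER_RESOURCE; "*" exposes every parameter.
  #
  cat <<EOF > "$exec_policy_file"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters"
      ],
      "Resource": "${ssm_resource}"
    }
  ]
}
EOF

  #
  # Permission policy for the ADOT task role: remote-write and query access
  # to AMP, SSM Parameter Store reads and Cloud Map service discovery.
  # servicediscovery:* is kept from the original; the collector only needs
  # the read/discover actions, so narrow it once the exact set this
  # deployment uses has been confirmed.
  #
  cat <<EOF > "$adot_policy_file"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aps:RemoteWrite",
        "aps:GetSeries",
        "aps:GetLabels",
        "aps:GetMetricMetadata"
      ],
      "Resource": "${amp_resource}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters"
      ],
      "Resource": "${ssm_resource}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "servicediscovery:*"
      ],
      "Resource": "*"
    }
  ]
}
EOF

  # AWS-managed policies.  CloudWatchLogsFullAccess grants every logs:*
  # action (including deleting log groups), far more than a task that only
  # writes log streams needs; it is kept because downstream scripts consume
  # CLOUDWATCH_LOGS_POLICY_ARN, but a custom CreateLogStream/PutLogEvents
  # policy would be the least-privilege choice.
  XRAY_DAEMON_POLICY_ARN=arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess
  CLOUDWATCH_LOGS_POLICY_ARN=arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
  ECS_TASK_EXECUTION_POLICY_ARN=arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy

  # --- task execution role -------------------------------------------------
  ECS_TASK_EXECUTION_ROLE="ECS-Task-Execution-Role"
  ECS_TASK_EXECUTION_ROLE_ARN=$(_iam_create_role "$ECS_TASK_EXECUTION_ROLE" "$trust_file") \
    || return 1
  ECS_SSM_TASK_EXECUTION_POLICY="ECSSSMTaskExecutionPolicy"
  ECS_SSM_TASK_EXECUTION_POLICY_ARN=$(_iam_create_policy "$ECS_SSM_TASK_EXECUTION_POLICY" "$exec_policy_file") \
    || return 1
  _iam_attach "$ECS_TASK_EXECUTION_ROLE" "$CLOUDWATCH_LOGS_POLICY_ARN" || return 1
  _iam_attach "$ECS_TASK_EXECUTION_ROLE" "$ECS_TASK_EXECUTION_POLICY_ARN" || return 1
  _iam_attach "$ECS_TASK_EXECUTION_ROLE" "$ECS_SSM_TASK_EXECUTION_POLICY_ARN" || return 1

  # --- generic task role ---------------------------------------------------
  ECS_GENERIC_TASK_ROLE="ECS-Generic-Task-Role"
  ECS_GENERIC_TASK_ROLE_ARN=$(_iam_create_role "$ECS_GENERIC_TASK_ROLE" "$trust_file") \
    || return 1
  _iam_attach "$ECS_GENERIC_TASK_ROLE" "$CLOUDWATCH_LOGS_POLICY_ARN" || return 1

  # --- ADOT collector task role --------------------------------------------
  ECS_ADOT_TASK_ROLE="ECS-ADOT-Task-Role"
  ECS_ADOT_TASK_ROLE_ARN=$(_iam_create_role "$ECS_ADOT_TASK_ROLE" "$trust_file") \
    || return 1
  ECS_ADOT_TASK_POLICY="ECSAdotTaskPolicy"
  ECS_ADOT_TASK_POLICY_ARN=$(_iam_create_policy "$ECS_ADOT_TASK_POLICY" "$adot_policy_file") \
    || return 1
  _iam_attach "$ECS_ADOT_TASK_ROLE" "$XRAY_DAEMON_POLICY_ARN" || return 1
  _iam_attach "$ECS_ADOT_TASK_ROLE" "$CLOUDWATCH_LOGS_POLICY_ARN" || return 1
  _iam_attach "$ECS_ADOT_TASK_ROLE" "$ECS_ADOT_TASK_POLICY_ARN" || return 1

  # Same exports as before, plus the role ARNs for convenience.
  export ECS_GENERIC_TASK_ROLE
  export ECS_TASK_EXECUTION_ROLE
  export ECS_ADOT_TASK_ROLE
  export XRAY_DAEMON_POLICY_ARN
  export CLOUDWATCH_LOGS_POLICY_ARN
  export ECS_TASK_EXECUTION_POLICY_ARN
  export ECS_SSM_TASK_EXECUTION_POLICY_ARN
  export ECS_ADOT_TASK_POLICY_ARN
  export ECS_TASK_EXECUTION_ROLE_ARN
  export ECS_GENERIC_TASK_ROLE_ARN
  export ECS_ADOT_TASK_ROLE_ARN
}

# `return` only works when sourced; when executed it errors (silenced) and
# the script exits non-zero instead.
iam_setup || { return 1 2>/dev/null || exit 1; }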