Casey Lee edited this page Sep 20, 2018 · 5 revisions

Identity and Access Management (IAM)

By default, mu creates and manages the IAM roles it needs in order to manage all of the resources it creates in your account. This assumes that whoever runs mu has administrative access to the AWS account. If you'd prefer to manage the IAM roles outside of mu, create the roles yourself and provide their ARNs in mu.yml so that mu can use them instead of creating its own.

First, tell mu that it doesn't need to manage roles by either:

  • CLI flag: mu -d ...
  • mu.yml file:

disableIAM: true

Then, you'll need to create and pass the following roles to mu:

| mu.yml location | Name | Description | Default role template |
|---|---|---|---|
| `roles` | `cloudFormation` | Role passed to CloudFormation for the environment, service, and database stacks that mu creates. | common-iam.yml |
| `environments[].roles` | `instance` | IAM role assumed by the ECS/EKS container instances. Not used if the environment provider is `ec2`. | env-iam.yml |
| `environments[].roles` | `eksService` | IAM role assumed by the EKS service (the cluster service role). Not used if the environment provider is `ecs` or `ec2`. | env-iam.yml |
| `service.roles` | `ec2Instance` | IAM role assumed by the EC2 instances for your service. Only used if the environment provider is `ec2`. | service-iam.yml |
| `service.roles` | `codeDeploy` | Role passed to CodeDeploy to deploy your application. Only used if the environment provider is `ec2`. | service-iam.yml |
| `service.roles` | `ecsService` | Role passed to the ECS service to manage your application in ECS. Only used if the environment provider is `ecs`. | service-iam.yml |
| `service.roles` | `ecsTask` | IAM role assumed by the ECS task that runs your application. Only used if the environment provider is `ecs`. | service-iam.yml |
| `pipeline.roles` | `pipeline` | Role passed to CodePipeline. | pipeline-iam.yml |
| `pipeline.roles` | `build` | Role passed to CodeBuild for the Build stage of the pipeline. | pipeline-iam.yml |
| `pipeline.acceptance.roles` | `codeBuild` | Role passed to CodeBuild for the Acceptance stage of the pipeline. | pipeline-iam.yml |
| `pipeline.acceptance.roles` | `mu` | IAM role assumed by mu in the Acceptance stage before deploying the environment/service/database. Useful for configuring cross-account deployments. | pipeline-iam.yml |
| `pipeline.production.roles` | `codeBuild` | Role passed to CodeBuild for the Production stage of the pipeline. | pipeline-iam.yml |
| `pipeline.production.roles` | `mu` | IAM role assumed by mu in the Production stage before deploying the environment/service/database. Useful for configuring cross-account deployments. | pipeline-iam.yml |
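As an added example (not a file from the mu project), here is a complete mu.yml with IAM management disabled and every role slot from the table filled in. The account IDs 123456789012 and 210987654321 and all role names are placeholders for roles you create yourself; the `name` and `provider` keys on the environment and service entries, and the `mu-` stack name prefix, are assumed to follow mu's usual layout and are not described on this page.

```yaml
# Added example, not from the mu project: mu.yml with externally managed roles.
# Account IDs and role names are placeholders; replace them with the ARNs of
# the roles you created for each slot.
disableIAM: true

# roles.cloudFormation is passed to CloudFormation for every stack mu creates
roles:
  cloudFormation: arn:aws:iam::123456789012:role/mu-cloudformation

environments:
  - name: acceptance
    provider: ecs            # assumed key; one of ec2 | ecs | eks
    roles:
      instance: arn:aws:iam::123456789012:role/mu-acceptance-instance
  - name: production
    provider: eks
    roles:
      instance: arn:aws:iam::210987654321:role/mu-production-instance
      # eksService is only read when the provider is eks
      eksService: arn:aws:iam::210987654321:role/mu-production-eks-service

service:
  name: my-service           # assumed key
  roles:
    # read when an environment's provider is ecs
    ecsService: arn:aws:iam::123456789012:role/mu-my-service-ecs-service
    ecsTask: arn:aws:iam::123456789012:role/mu-my-service-ecs-task
    # read only when an environment's provider is ec2 (unused by the
    # environments above; shown so every slot in the table is visible)
    ec2Instance: arn:aws:iam::123456789012:role/mu-my-service-ec2-instance
    codeDeploy: arn:aws:iam::123456789012:role/mu-my-service-codedeploy

pipeline:
  roles:
    pipeline: arn:aws:iam::123456789012:role/mu-pipeline
    build: arn:aws:iam::123456789012:role/mu-pipeline-build
  acceptance:
    roles:
      codeBuild: arn:aws:iam::123456789012:role/mu-pipeline-acceptance-codebuild
      # same account as the pipeline, so the mu role lives next to codeBuild
      mu: arn:aws:iam::123456789012:role/mu-pipeline-acceptance-deploy
  production:
    roles:
      codeBuild: arn:aws:iam::123456789012:role/mu-pipeline-production-codebuild
      # cross-account deployment: the mu role lives in the production account
      mu: arn:aws:iam::210987654321:role/mu-pipeline-production-deploy
```

Because mu no longer creates these roles, their trust policies are your responsibility, and each must name the principal that actually uses it: `cloudformation.amazonaws.com` for `cloudFormation`, `ec2.amazonaws.com` for `instance` and `ec2Instance`, `eks.amazonaws.com` for `eksService`, `ecs.amazonaws.com` for `ecsService`, `ecs-tasks.amazonaws.com` for `ecsTask`, `codedeploy.amazonaws.com` for `codeDeploy`, `codepipeline.amazonaws.com` for `pipeline`, and `codebuild.amazonaws.com` for `build` and both `codeBuild` slots. The roles that are "passed" to a service also require whoever does the passing to hold `iam:PassRole` on that role ARN, and the `mu` role is entered with `sts:AssumeRole`, so its trust policy must name the `codeBuild` role of the same stage.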
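The cross-account case deserves a worked example of its own. The CloudFormation template below, added here and not part of mu, is deployed in the production account and creates the role that `pipeline.production.roles.mu` points to; it trusts exactly one CodeBuild role in the pipeline account rather than the whole account. The parameter defaults, role names, the `mu-` stack name prefix and the permission statements are assumptions: the statements are a constructed minimum for creating stacks and handing CloudFormation the `cloudFormation` role, not the full set that mu's default pipeline-iam.yml grants.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example, not part of mu: production-account role assumed by the
  pipeline account's production-stage CodeBuild role (pipeline.production.roles.mu).

Parameters:
  PipelineAccountId:
    Type: String
    Default: '123456789012'             # placeholder: account that hosts the pipeline
  PipelineCodeBuildRoleName:
    Type: String
    Default: mu-pipeline-production-codebuild   # placeholder: pipeline.production.roles.codeBuild
  CloudFormationRoleArn:
    Type: String
    Default: arn:aws:iam::210987654321:role/mu-cloudformation   # placeholder: roles.cloudFormation here

Resources:
  MuDeployRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: mu-pipeline-production-deploy
      # Trust the single CodeBuild role of the production stage, not the
      # pipeline account's root principal and never a wildcard.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${PipelineAccountId}:role/${PipelineCodeBuildRoleName}
            Action: sts:AssumeRole
      Policies:
        - PolicyName: mu-deploy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # mu drives environment/service/database stacks; the mu-* name
              # prefix is an assumption about how mu names its stacks.
              - Effect: Allow
                Action:
                  - cloudformation:CreateStack
                  - cloudformation:UpdateStack
                  - cloudformation:DeleteStack
                  - cloudformation:DescribeStacks
                  - cloudformation:DescribeStackEvents
                  - cloudformation:GetTemplate
                  - cloudformation:ListStackResources
                Resource: !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/mu-*/*
              # Only the cloudFormation role may be passed, and only to CloudFormation.
              - Effect: Allow
                Action: iam:PassRole
                Resource: !Ref CloudFormationRoleArn
                Condition:
                  StringEquals:
                    iam:PassedToService: cloudformation.amazonaws.com

Outputs:
  MuRoleArn:
    Description: Value to place in pipeline.production.roles.mu
    Value: !GetAtt MuDeployRole.Arn
```

The other half lives in the pipeline account: the production-stage `codeBuild` role needs an inline policy allowing `sts:AssumeRole` on the `MuRoleArn` output, since a trust policy alone does not grant the caller permission to assume the role. Both sides must name each other, so a rename of either role breaks the deployment at the assume-role step rather than silently widening access.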