I can see that the logged-in users (for the event) will have almost full access to most of the services. And there is no option for giving the role name for the principal role.
In our case, we want to use a custom policy for that role, so based on the workshop we can assign the permission to the respective services.
Unfortunately, we have deployed the stack and it's running for 3 months. I guess templates/principal_policy.tmpl is the file that has this policy, unfortunately it's a running stack.
Yes, the file templates/principal_policy.tmpl in this project is used as the initial starting value when deploying the project.
This file is used by the underlying DCE project to define the policy that is deployed into the pool accounts to be assumed by end users.
I am not a part of the DCE project, but if I read their code correctly, each time an account is leased, the policy template is read from the file s3://<your_account_id>-dce-artifacts-dce/fixtures/policies/principal_policy.tmpl on S3. I recommend testing if changing that file in an already deployed environment will be automatically applied when the next lease is created - in this case you could use it to limit down the principal permissions in your existing project.