Docs feedback: Identify minimal privilege IAM policy for autoscaling Runners in AWS
https://docs.gitlab.com/runner/configuration/runner_autoscale_aws/#aws-credentials
The section states to create a role with the AmazonEC2FullAccess and AmazonS3FullAccess policies attached. This is excessive privilege to grant, especially in the context of the gitlab-runner, which cannot run from an instance role and therefore requires hard-coding credentials in config.toml.
Please create an IAM policy with the minimum privilege required. This should not fall to each individual admin, as it can be a complex process; leaving this section as is exposes users to a high level of risk and goes against the concept of minimum required access.
Possible Workarounds
Cache S3 access to a specific bucket
Here is a working example policy for cache S3 access to a specific bucket:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::<BUCKET-NAME>/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<BUCKET-NAME>"
            ],
            "Effect": "Allow"
        }
    ]
}
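As an added check (example code, not part of this issue or of the GitLab docs), the following script lints a candidate IAM policy document against the scoping shown above: it flags wildcard actions, resources not limited to the named cache bucket, and any of the four cache actions that are missing. The bucket name and the broad sample policy are constructed for the example.

```python
import fnmatch

# Constructed sample bucket name standing in for <BUCKET-NAME>.
BUCKET = "example-runner-cache"

# The scoped cache policy from this issue, as a Python dict.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["s3:GetObject", "s3:DeleteObject", "s3:PutObject"],
         "Resource": [f"arn:aws:s3:::{BUCKET}/*"], "Effect": "Allow"},
        {"Action": ["s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{BUCKET}"], "Effect": "Allow"},
    ],
}

# Constructed approximation of a "full access" style grant (not AWS's managed policy text).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# The only S3 actions the runner cache needs, per the policy in the issue.
REQUIRED_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy, bucket):
    """Return a list of findings; an empty list means the policy is scoped to the cache bucket."""
    findings = []
    granted = set()
    prefix = f"arn:aws:s3:::{bucket}"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access, so skip them
        for action in _as_list(stmt["Action"]):
            if "*" in action:
                findings.append(f"wildcard action {action!r}")
            # Record which required actions this (possibly glob) action covers
            granted |= {r for r in REQUIRED_ACTIONS
                        if fnmatch.fnmatchcase(r.lower(), action.lower())}
        for res in _as_list(stmt["Resource"]):
            if not (res == prefix or res.startswith(prefix + "/")):
                findings.append(f"resource {res!r} not scoped to bucket {bucket!r}")
    missing = REQUIRED_ACTIONS - granted
    if missing:
        findings.append("missing actions: " + ", ".join(sorted(missing)))
    return findings
```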
Edited by Brie Carranza