Copilot role EnvManagerRole exposes secrets beyond copilot secrets

[krdchang]

Copilot creates a role ${AWS::StackName}-EnvManagerRole which contains a policy named 'root' that has the following snippet,

          - Sid: SSM
            Effect: Allow
            Action: [
              "ssm:DeleteParameter",
              "ssm:DeleteParameters",
              "ssm:GetParameter",
              "ssm:GetParameters",
              "ssm:GetParametersByPath"
            ]
            Resource: "*"

This grants ECS tasks access to all secrets (and not just the copilot-specific secrets). Also, if I'm to grant developers access to exec into a container I have granted them access to assume this role (and therefore exposing further, more secrets to my users).
The template should specify only resources applicable to copilot application and environment.

This issue applies to the current CLI version 1.26.0 and below.

[KollaAdithya]

Hi @krdchang !
Probably this should be an enhancement for us to narrow down the permissions of the EnvManagerRole.
As a workaround could you edit the policy to have condition on tags

"Condition": {
                "StringEquals": {
                    "iam:ResourceTag/copilot-application": "<Application-Name>",  <----- replace with application name
                    "iam:ResourceTag/copilot-environment": "<Environment-Name>" <---- replace with environment name
                }
            },

This will restrict the developers to have access only to those secrets that have copilot-application and copilot-environment tags attached.

[krdchang]

Thanks @KollaAdithya !