Role Permissions
The AWS IAM role's trust policy defines which GitHub Organizations, Teams and Users can assume the role via the sts:ExternalId policy variable. Changing permissions is a two-step process: after modifying the trust policy in IAM or changing the maximum session duration, sync the permissions with Speedrun. Read about how to create roles if you haven't already before delving into specifying role permissions.
The speedrun-account-and-role-linking role is used for linking an AWS account to Speedrun. To register or delete a link, your GitHub username must be an allowed ExternalId.
Use the register/account api. This is done the first time only; once the account is registered, use sync below.
#link
https://speedrun-api.us-west-2.nobackspacecrew.com/v1/register/~~~awsAccountId=AWS Account Id {"transform":"value.trim()"}~~~
Note
To invoke this api your GitHub username must match one of the ExternalIds listed in the trust policy for the speedrun-account-and-role-linking role.
Use the sync/role api:
#link
https://speedrun-api.us-west-2.nobackspacecrew.com/v1/sync/role/~~~awsAccountId=AWS Account Id {"transform":"value.trim()"}~~~?role=speedrun-account-and-role-linking
Note
To invoke this api your GitHub username must match one of the ExternalIds listed in the trust policy for the speedrun-account-and-role-linking role. For other roles you must match one of the Users, Teams or Organizations listed in the trust policy for the speedrun-account-and-role-linking role.
Use the delete/role api. When the link on the speedrun-account-and-role-linking role is deleted, no roles can be assumed with Speedrun.
#link
https://speedrun-api.us-west-2.nobackspacecrew.com/v1/delete/role/~~~awsAccountId=AWS Account Id {"transform":"value.trim()"}~~~?role=speedrun-account-and-role-linking
Note
To invoke this api your GitHub username must match one of the ExternalIds listed in the trust policy for the speedrun-account-and-role-linking role. For other roles you must match one of the Users, Teams or Organizations listed in the trust policy for the speedrun-account-and-role-linking role.
Speedrun roles must be named with the prefix speedrun-.
By default, any username, organization or team listed in the allowed ExternalIds of the account-linking role can assume the Speedrun role (even without syncing). To change who can assume the role, set the allowed ExternalIds in the role's trust policy and sync it.
To see the usernames/groups/organizations you have access to, use the user/permissions api:
#link
https://speedrun-api.us-west-2.nobackspacecrew.com/v1/user/permissions
Use the GitHub username of the user.
Note
To use organizations or teams, you need to add the Speedrun Prod App to your Organization. If you need to refresh your current permissions because you just added access, use the logout endpoint.
Use @slug-for-the-organization. The slug is the value in the url for the organization. For example, if the url is https://github.com/No-Backspace-Crew, the slug is No-Backspace-Crew and you would use @No-Backspace-Crew to give that Organization access.
Use @slug-for-the-organization/slug-for-team. This value can be obtained from the sidebar on a team page. An example is circled in purple in this screenshot:
Use @ny. to allow anyone with a GitHub account to access your role. This is how the roles on the demo page are set up. Use extreme caution when doing this: make sure such roles are read-only and are aggressively scoped down to least-privilege access.
Use the sync/role api:
#link
https://speedrun-api.us-west-2.nobackspacecrew.com/v1/sync/role/~~~awsAccountId=AWS Account Id {"transform":"value.trim()"}~~~?role=~~~role=Role {"default":"speedrun-"}~~~
Note
To invoke this api your GitHub username must match one of the ExternalIds listed in the trust policy for the speedrun-account-and-role-linking role. For other roles you must match one of the Users, Teams or Organizations listed as an ExternalId in the trust policy for the speedrun-account-and-role-linking role.
Use the delete/role api. This reverts the permissions to assume the role to those set on the account; it does not prevent the role from being assumed:
#link
https://speedrun-api.us-west-2.nobackspacecrew.com/v1/delete/role/~~~awsAccountId=AWS Account Id {"transform":"value.trim()"}~~~?role=~~~role=Role {"default":"speedrun-"}~~~
Note
To invoke this api your GitHub username must match one of the ExternalIds listed in the trust policy for the speedrun-account-and-role-linking role. For other roles you must match one of the Users, Teams or Organizations listed as an ExternalId in the trust policy for the speedrun-account-and-role-linking role.
The following Condition allows the username perpil, the Organization No Backspace Crew and the team Speedrun Collaborator.

```json
"Condition": {
  "StringEquals": {
    "sts:ExternalId": [
      "perpil",
      "@No-Backspace-Crew",
      "@No-Backspace-Crew/speedrun-collaborator"
    ]
  }
}
```
Note
Specifying a team that belongs to an allowed organization, as in the example above, is redundant: you only need to specify the team if you have not already specified its organization.
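An added audit script (not part of Speedrun or this wiki) that reads a trust policy, classifies each sts:ExternalId value using the user / @org / @org/team conventions described on this page, and flags the two things worth reviewing before syncing: a team entry already covered by its organization (redundant, as noted above) and the anyone-with-a-GitHub-account value. The trust policy, account id and principal are constructed sample data.

```python
import json

# Constructed sample trust policy; the Condition mirrors the example on this page.
# The account id and principal are placeholders, not real values.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": [
            "perpil", "@No-Backspace-Crew", "@No-Backspace-Crew/speedrun-collaborator"]}},
    }],
})

ANYONE = "@ny."  # value this page gives for "anyone with a GitHub account"


def external_ids(policy_json):
    """Collect every sts:ExternalId value from the StringEquals condition of Allow statements."""
    ids = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        val = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId", [])
        ids.extend([val] if isinstance(val, str) else val)  # IAM allows a string or a list
    return ids


def classify(ext_id):
    """Map one ExternalId to user / organization / team / anyone per this page's naming scheme."""
    if ext_id == ANYONE:
        return "anyone"
    if ext_id.startswith("@"):
        return "team" if "/" in ext_id else "organization"
    return "user"


def audit(policy_json):
    """Return {ext_id: kind} plus review findings for redundant teams and the anyone value."""
    kinds = {i: classify(i) for i in external_ids(policy_json)}
    orgs = {i for i, k in kinds.items() if k == "organization"}
    findings = []
    for ext_id, kind in kinds.items():
        org = ext_id.split("/", 1)[0]
        if kind == "team" and org in orgs:
            findings.append(f"redundant: team {ext_id} is already covered by {org}")
        if kind == "anyone":
            findings.append("anyone: any GitHub account can assume this role; keep it read-only")
    return kinds, findings


if __name__ == "__main__":
    for line in audit(TRUST_POLICY)[1]:
        print(line)
```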