Role Permissions
The AWS IAM role's trust policy defines which GitHub users, organizations and teams can assume the role. Changing permissions is a two-step process: first modify the trust policy in IAM, then sync the permissions with Speedrun so it picks up the new list of allowed ExternalIds.
The speedrun-account-and-role-linking role is used for linking an AWS account to Speedrun. To register or delete a link, your GitHub username must be one of the allowed ExternalIds in that role's trust policy.
Use the register/account api. This is needed only the first time an account is linked; once the account is registered, use the sync/role api below instead.
#link
https://speedrun-api.us-west-2.nobackspacecrew.com/v1/register/account?account=~~~awsAccountId=AWS Account Id {"transform":"value.trim()"}~~~
Use the sync/role api:
#link
https://speedrun-api.us-west-2.nobackspacecrew.com/v1/sync/role?account=~~~awsAccountId=AWS Account Id {"transform":"value.trim()"}~~~&role=speedrun-account-and-role-linking
Use the delete/role api. Once the link on the speedrun-account-and-role-linking role is deleted, no roles in that account can be assumed with Speedrun.
#link
https://speedrun-api.us-west-2.nobackspacecrew.com/v1/delete/role?account=~~~awsAccountId=AWS Account Id {"transform":"value.trim()"}~~~&role=speedrun-account-and-role-linking
Note: Your GitHub username must match one of the ExternalIds listed in the trust policy for the speedrun-account-and-role-linking role.
Speedrun roles must be named with the prefix speedrun-.
By default, any username, organization or team listed in the allowed ExternalIds of the account-linking role can assume a Speedrun role, even if that role has never been synced. To restrict who can assume a specific role, set the allowed ExternalIds in that role's trust policy and sync it. The ExternalId values take one of three forms:
- User: use the GitHub username of the user.
- Organization: use @slug-for-the-organization. The slug is the value in the URL for the organization. For example, if the URL is https://github.com/No-Backspace-Crew, the slug is No-Backspace-Crew and you would use @No-Backspace-Crew to give that organization access.
- Team: use @slug-for-the-organization/slug-for-team. The team slug can be obtained from the sidebar on a team page. An example is circled in purple in this screenshot:
Use the sync/role api:
#link
https://speedrun-api.us-west-2.nobackspacecrew.com/v1/sync/role?account=~~~awsAccountId=AWS Account Id {"transform":"value.trim()"}~~~&role=~~~role=Role {"default":"speedrun-"}~~~
Use the delete/role api. This reverts permission to assume the role to the ExternalIds on the account-linking role; it does not prevent the role from being assumed:
#link
https://speedrun-api.us-west-2.nobackspacecrew.com/v1/delete/role?account=~~~awsAccountId=AWS Account Id {"transform":"value.trim()"}~~~&role=~~~role=Role {"default":"speedrun-"}~~~
The following Condition allows the username perpil, the organization No Backspace Crew and the team Speedrun Collaborator:

```json
"Condition": {
  "StringEquals": {
    "sts:ExternalId": [
      "perpil",
      "@No-Backspace-Crew",
      "@No-Backspace-Crew/speedrun-collaborator"
    ]
  }
}
```

Note: Specifying a team that belongs to an allowed organization is redundant; you would only specify the team if you had not already specified the organization.
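The rules above (the three identity forms, the fallback to the account-linking role's ExternalIds when a role has not been synced, the loss of all access when the account link is deleted, and the redundancy of a team inside an allowed organization) can be modelled in a few lines. The following is an added example written for this page, not Speedrun's own code; how Speedrun actually evaluates membership is not published here. It assumes GitHub logins and slugs compare case-insensitively, that an unsynced role is represented as `None`, and that the Principal in the sample trust policy is a placeholder account, since the real Speedrun principal is not on this page.

```python
"""Model of the Speedrun ExternalId rules (added example, not Speedrun code).

Assumptions (not stated on the page):
  * identities are "username", "@org-slug" or "@org-slug/team-slug";
  * logins and slugs are compared case-insensitively;
  * role_external_ids is None for a role that has never been synced;
  * the Principal used below is a placeholder, not Speedrun's account.
"""
import re
from copy import deepcopy

SPEEDRUN_PREFIX = "speedrun-"
ACCOUNT_LINKING_ROLE = "speedrun-account-and-role-linking"
_SLUG = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_IDENTITY_RE = re.compile(rf"^(?:{_SLUG}|@{_SLUG}(?:/{_SLUG})?)$")


def normalize_external_ids(identities):
    """Validate identity strings, drop duplicates, and drop any team whose
    organization is already listed (that team entry is redundant)."""
    cleaned, seen = [], set()
    for ident in identities:
        ident = ident.strip()
        if not _IDENTITY_RE.match(ident):
            raise ValueError(f"malformed identity: {ident!r}")
        if ident.lower() not in seen:
            seen.add(ident.lower())
            cleaned.append(ident)
    orgs = {i.lower() for i in cleaned if i.startswith("@") and "/" not in i}
    return [i for i in cleaned
            if not ("/" in i and i.lower().split("/")[0] in orgs)]


def set_external_ids(trust_policy, external_ids, role_name):
    """Return a copy of an IAM trust policy whose sts:ExternalId list is
    replaced with external_ids. Principal and Action are left untouched;
    only statements that already carry the condition are rewritten."""
    if not role_name.startswith(SPEEDRUN_PREFIX):
        raise ValueError(f"{role_name!r} must start with {SPEEDRUN_PREFIX!r}")
    doc = deepcopy(trust_policy)
    statements = doc["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    touched = 0
    for stmt in statements:
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" in cond:
            cond["sts:ExternalId"] = list(external_ids)
            touched += 1
    if touched == 0:
        raise ValueError("trust policy has no sts:ExternalId condition")
    return doc


def can_assume(role_external_ids, account_external_ids, username,
               orgs=(), teams=()):
    """Decide whether a GitHub identity may assume a Speedrun role.

    orgs:  slugs of organizations the user belongs to.
    teams: "org/team" slugs of teams the user belongs to.
    A deleted account link (empty account list) blocks everything; an
    unsynced role (None) inherits the account-linking role's ExternalIds.
    """
    if not account_external_ids:
        return False
    allowed = (account_external_ids if role_external_ids is None
               else role_external_ids)
    held = {username.lower()}
    held.update(f"@{o}".lower() for o in orgs)
    held.update(f"@{t}".lower() for t in teams)
    return any(a.lower() in held for a in allowed)


# Constructed sample trust policy; the Principal is a placeholder account.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": ["perpil"]}},
    }],
}

if __name__ == "__main__":
    ids = normalize_external_ids(
        ["perpil", "@No-Backspace-Crew", "@No-Backspace-Crew/speedrun-collaborator"])
    print(ids)  # the team entry is dropped as redundant
    updated = set_external_ids(SAMPLE_TRUST_POLICY, ids, "speedrun-deploy")
    print(updated["Statement"][0]["Condition"])
    print(can_assume(ids, ["perpil"], "someone", orgs=["no-backspace-crew"]))
```

The document returned by `set_external_ids` can be written to a file and applied with the standard AWS CLI command `aws iam update-assume-role-policy --role-name <role> --policy-document file://trust.json`; after that, open the sync/role link above so Speedrun reloads the new ExternalIds. Note that `can_assume` treats an unsynced role and a synced role differently on purpose: deleting a role's link with delete/role puts it back in the unsynced state, which is why, as the page says, deletion does not prevent the role from being assumed.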