From e1226cee55a0872ef5c269feb126603b0e1654f2 Mon Sep 17 00:00:00 2001
From: Scott Hiemstra
Date: Thu, 25 Aug 2022 15:40:34 +0000
Subject: [PATCH 1/4] added role documentation

---
 README.md | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 45cbab9..a7edae3 100644
--- a/README.md
+++ b/README.md
@@ -106,4 +106,22 @@ ACCOUNT_ID=
 echo -n $ECR_PASSWORD | docker login -u AWS --password-stdin https://$ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com
-```
\ No newline at end of file
+```
+## Using AWS Assumed Role instead of normal IAM credentials
+You can use the `aws sts assume-role` to utilize AWS assigned roles. This allows for using centralized AWS account management and doesn't rely on AWS IAM accounts.
+
+If your assigned cross account role is `arn:aws:iam::0123456789:role/AdminCrossAccount`, you can run the rollowing commands:
+```
+AWS_DATA=$(aws sts assume-role --role-arn arn:aws:iam::0123456789:role/AdminCrossAccount --role-session-name=ecs-deployer | jq '.Credentials')
+export AWS_ACCESS_KEY_ID=$(echo $AWS_DATA| jq -r '.AccessKeyId')
+export AWS_SECRET_ACCESS_KEY=$(echo $AWS_DATA| jq -r '.SecretAccessKey')
+export AWS_SESSION_TOKEN=$(echo $AWS_DATA| jq -r '.SessionToken')
+```
+You can then use the following sample docker commands.
+```
+docker run \
+ --env AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION \
+ --env AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
+ --env AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
+ --env AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN \
+ smithmicro/ecs:latest create-cluster
\ No newline at end of file

From ba45d997f8cc053610e59e24acd19c626b47ec46 Mon Sep 17 00:00:00 2001
From: Scott Hiemstra
Date: Thu, 25 Aug 2022 15:43:01 +0000
Subject: [PATCH 2/4] Added an unset and jq

---
 README.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index a7edae3..1bed1b3 100644
--- a/README.md
+++ b/README.md
@@ -108,7 +108,7 @@ echo -n $ECR_PASSWORD | docker login -u AWS --password-stdin https://$ACCOUNT_ID
 ```
 ## Using AWS Assumed Role instead of normal IAM credentials
-You can use the `aws sts assume-role` to utilize AWS assigned roles. This allows for using centralized AWS account management and doesn't rely on AWS IAM accounts.
+You can use the `aws sts assume-role` along with `jq` to utilize AWS assigned roles. This allows for using centralized AWS account management and doesn't rely on AWS IAM accounts.
 If your assigned cross account role is `arn:aws:iam::0123456789:role/AdminCrossAccount`, you can run the rollowing commands:
 ```
@@ -124,4 +124,6 @@ docker run \
 --env AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
 --env AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
 --env AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN \
- smithmicro/ecs:latest create-cluster
\ No newline at end of file
+ smithmicro/ecs:latest create-cluster
+unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
+```
\ No newline at end of file

From 53169fe15fc08cd563ea6cd99bd4ce4ed6e85ea5 Mon Sep 17 00:00:00 2001
From: Scott Hiemstra
Date: Thu, 25 Aug 2022 15:47:49 +0000
Subject: [PATCH 3/4] Added doc for AWS cross acount roles documentation

---
 README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/README.md b/README.md
index 1bed1b3..7df1373 100644
--- a/README.md
+++ b/README.md
@@ -110,6 +110,9 @@ echo -n $ECR_PASSWORD | docker login -u AWS --password-stdin https://$ACCOUNT_ID
 ## Using AWS Assumed Role instead of normal IAM credentials
 You can use the `aws sts assume-role` along with `jq` to utilize AWS assigned roles. This allows for using centralized AWS account management and doesn't rely on AWS IAM accounts.
+Adding Cross Account Roles:
+https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
+
 If your assigned cross account role is `arn:aws:iam::0123456789:role/AdminCrossAccount`, you can run the rollowing commands:
 ```
 AWS_DATA=$(aws sts assume-role --role-arn arn:aws:iam::0123456789:role/AdminCrossAccount --role-session-name=ecs-deployer | jq '.Credentials')

From 3a3466066b446e7603b522dd44cdd6d053ee31d7 Mon Sep 17 00:00:00 2001
From: fdesing
Date: Fri, 28 Oct 2022 12:25:34 -0400
Subject: [PATCH 4/4] Update ecs-roles-cf.json

After working with internal team, found this additional permission was needed to handle KMS key backed secrets. Allowing this in addition to @scott-hiemstra's 'Assumed' role changes gives us universal coverage.

---
 ecs-roles-cf.json | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/ecs-roles-cf.json b/ecs-roles-cf.json
index e3ba6de..4e0b374 100644
--- a/ecs-roles-cf.json
+++ b/ecs-roles-cf.json
@@ -16,6 +16,13 @@
 ],
 "Resource": [
 "arn:aws:ssm:*:*:parameter/*"
+ {
+ "Effect": "Allow",
+ "Action": [
+ "kms:Decrypt"
+ ],
+ "Resource": "arn:aws:kms:*:*:key/*"
+ }
 ]
 }
 ]
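Review bot: The new `kms:Decrypt` statement is inserted inside the `Resource` array of the preceding SSM statement — between `"arn:aws:ssm:*:*:parameter/*"` and that array's closing `]`, with no separating comma — so the template is no longer valid JSON and the object never becomes an element of `Statement`. The fix is to close the SSM statement first (`]` and `},` after the parameter ARN) and then place the `{ "Effect": "Allow", ... }` object as the next element of the `Statement` array, leaving the existing trailing `]` to close `Statement`. Separately, `arn:aws:kms:*:*:key/*` allows decrypt with every key in every account and region; if the parameters are backed by a known customer-managed key, scope `Resource` to that key's ARN, or at least add a `kms:ViaService` condition limiting use to the service that holds the secrets, so the role cannot decrypt unrelated key material. The enclosing `Statement` array starts before the hunk.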