Excess SSM permissions?

[HenryNguyen5]

https://github.com/philips-labs/terraform-aws-github-runner/blob/develop/modules/runners/policies-runner.tf#L23

Is this policy needed for the runners to function? It seems like it would allow the runner to have arbitrary access to SSM values.
https://github.com/philips-labs/terraform-aws-github-runner/blob/develop/modules/runners/policies-runner.tf#L28
It looks like this one policy should be enough for the runner to access its own secret values.

[npalm]

The policies is to have the option to access the runner instance for debugging purpose via SSM. But I agree it should not be there by default. So good catch. I think there should be a flag to enable / disable the SSM console web access, with a default set to disabled. Any opinion?

[HenryNguyen5]

I think that would be great, then users who want to keep it disabled but need to debug via SSM can do it on a case-by-base basis too!

[HenryNguyen5]

@npalm does the debugging support only need session manager? Seems like we could restrict it to only the following: https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-create-iam-instance-profile.html

[gertjanmaas]

#143 has been merged. Closing this issue.