Add IAM policy for ECR and App Runner permissions fix

hk-dev13 · hk-dev13 · commit f1a3eed77324 · 2025-08-20T02:33:29.000+07:00
diff --git a/DEPLOYMENT_CHECKLIST.md b/DEPLOYMENT_CHECKLIST.md
@@ -1,5 +1,20 @@
 # Production Deployment Checklist for AWS App Runner
 
+## 🔐 URGENT: Credentials Security Update
+
+### Current Status (August 20, 2025):
+- ⚠️ **EXPOSED KEYS**: `AKIASE3CDFQSGGXR5YLB` dan `AKIASE3CDFQSGZA4NX6Z` 
+- 🚨 **ACTION REQUIRED**: Delete exposed keys immediately
+- ✅ **GitHub Actions**: Workflow ready, waiting for fresh credentials
+- ✅ **ECR Image**: Available at `147845229604.dkr.ecr.ap-southeast-2.amazonaws.com/permit-api:latest`
+
+### Immediate Action Plan:
+1. **AWS Console** → IAM → Delete exposed access keys
+2. **Create new access key** (3rd generation)
+3. **Update GitHub Secrets**: AWS_ACCESS_KEY_ID & AWS_SECRET_ACCESS_KEY
+4. **Verify workflow**: Check GitHub Actions success with new credentials
+5. **Deploy App Runner**: Use ECR image URI with fresh credentials
+
 ## 🚀 Pre-Deployment Checklist
 
 ### Code Preparation
diff --git a/iam-policy-apprunner-ecr.json b/iam-policy-apprunner-ecr.json
@@ -0,0 +1,54 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ecr:GetAuthorizationToken"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ecr:BatchCheckLayerAvailability",
+        "ecr:GetDownloadUrlForLayer",
+        "ecr:BatchGetImage",
+        "ecr:DescribeRepositories",
+        "ecr:CreateRepository",
+        "ecr:PutImage",
+        "ecr:InitiateLayerUpload",
+        "ecr:UploadLayerPart",
+        "ecr:CompleteLayerUpload",
+        "ecr:DescribeImages",
+        "ecr:ListImages"
+      ],
+      "Resource": "arn:aws:ecr:ap-southeast-2:147845229604:repository/permit-api"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "apprunner:CreateService",
+        "apprunner:UpdateService",
+        "apprunner:DeleteService",
+        "apprunner:DescribeService",
+        "apprunner:ListServices",
+        "apprunner:StartDeployment",
+        "apprunner:ListOperations"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "iam:CreateRole",
+        "iam:AttachRolePolicy",
+        "iam:PassRole"
+      ],
+      "Resource": [
+        "arn:aws:iam::147845229604:role/AppRunnerECRAccessRole*",
+        "arn:aws:iam::147845229604:role/service-role/AppRunnerECRAccessRole*"
+      ]
+    }
+  ]
+}
