CDK in Secure Environments #63

Closed
7 tasks done
rix0rrr opened this issue Jan 21, 2020 · 4 comments
Labels
management/tracking status/done Implementation complete

Comments

@rix0rrr
Contributor

rix0rrr commented Jan 21, 2020

PR Champion
# @rix0rrr

Description

CDK should support an effective workflow for environments where engineers are not allowed to create IAM permissions.

Progress

  • Tracking Issue Created
  • RFC PR Created
  • Core Team Member Assigned
  • Initial Approval / Final Comment Period
  • Ready For Implementation
    • implementation issue 1
  • Resolved
@eladb eladb changed the title CDK in locked-down environments CDK in Secure Environments Apr 14, 2020
@pgollucci

tracking

@britzp

britzp commented Feb 4, 2022

I am not sure if this is the correct location to leave this feedback, but this is very much our team's top priority to resolve before we can start using CDK meaningfully. We have IAM roles set up by our cloud IT team and then we are supposed to use them instead of the way CDK generates roles with least privileges. This is fine and we can hard code that role into every construct even if it's annoying, but the problem is all the derivative resources that are generated like helper lambda functions or any other resource that is created that requires a role. Those we don't even have a chance to set the custom role. We are left trying to monkeypatch the construct tree by matching parameter types and name and with some of the objects being created having nested constructs this gets messy and kind of like whack-a-mole.

My dream implementation would be to have the ability to define a default IAM role in the context json which would be used in lieu of the autogenerated least permissions role. At the very least some kind of hook to more elegantly intercept and replace derivative IAM roles which are generated.

Any timeline for some kind of solution here?
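
An added example, not part of the original thread or the CDK project's own code: a pre-deployment check over a synthesized CloudFormation template that lists IAM resources and the resources wired to generated roles, located through the `aws:cdk:path` metadata CDK writes on synthesized resources. The sample template, account ID, role name and the list of flagged types are constructed assumptions.

```python
# Added example: audit a synthesized template for IAM resources before deploy.
# SAMPLE_TEMPLATE is constructed data shaped like `cdk synth` JSON output.
IAM_TYPES = {"AWS::IAM::Role", "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy",
             "AWS::IAM::InstanceProfile"}  # assumed list, adjust to local policy

SAMPLE_TEMPLATE = {"Resources": {
    "AppHandler": {  # function given a pre-provisioned role as a literal ARN
        "Type": "AWS::Lambda::Function",
        "Properties": {"Role": "arn:aws:iam::111122223333:role/example-approved-role"},
        "Metadata": {"aws:cdk:path": "AppStack/AppHandler/Resource"}},
    "HelperServiceRole": {  # role generated for a derivative helper function
        "Type": "AWS::IAM::Role",
        "Properties": {},
        "Metadata": {"aws:cdk:path": "AppStack/Helper/ServiceRole/Resource"}},
    "Helper": {
        "Type": "AWS::Lambda::Function",
        "Properties": {"Role": {"Fn::GetAtt": ["HelperServiceRole", "Arn"]}},
        "Metadata": {"aws:cdk:path": "AppStack/Helper/Resource"}},
}}

def cdk_path(resource):
    """Construct path recorded by CDK, or a marker when metadata is absent."""
    return resource.get("Metadata", {}).get("aws:cdk:path", "<no cdk path>")

def find_iam_resources(template):
    """Return (logical_id, type, construct_path) for every IAM resource."""
    return [(lid, res["Type"], cdk_path(res))
            for lid, res in sorted(template.get("Resources", {}).items())
            if res.get("Type") in IAM_TYPES]

def find_generated_role_users(template):
    """Return (construct_path, role_logical_id) for each resource whose Role
    property references a role defined in this template, not a literal ARN."""
    resources = template.get("Resources", {})
    hits = []
    for lid, res in sorted(resources.items()):
        role = res.get("Properties", {}).get("Role")
        if not isinstance(role, dict):
            continue  # literal ARN string or no role: nothing generated here
        target = role.get("Ref") or (role.get("Fn::GetAtt") or [None])[0]
        if resources.get(target, {}).get("Type") == "AWS::IAM::Role":
            hits.append((cdk_path(res), target))
    return hits

if __name__ == "__main__":
    for finding in find_iam_resources(SAMPLE_TEMPLATE):
        print("IAM resource:", *finding)
    for path, role in find_generated_role_users(SAMPLE_TEMPLATE):
        print(f"{path} uses generated role {role}")
```
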

@skinny85
Contributor

skinny85 commented Feb 5, 2022

@britzp I can only say that we are thinking of this use case very hard, so expect a lot of activity in this area soon 🙂.

While I have you, I have a bunch of follow-up questions about this 🙂.

How does this work, exactly? What do the Role(s) created by your Cloud Team look like? How do they know what permissions they need? How do they know what are the names of the resources in your application? Does the Role have just a bunch of "*" permissions? What Roles would you like to pass to the generated helper resources, like the Functions you mentioned, that get created by the CDK? Does the Cloud Team somehow know these exist, and take them into consideration when creating the Roles for you to use?

I'd love to hear from you on the details of how that looks in practice 🙂.

Thanks,
Adam

@markusl
Contributor

markusl commented Feb 9, 2023

It seems the work has been implemented and documentation published at https://github.com/aws/aws-cdk/wiki/Security-And-Safety-Dev-Guide

@mrgrain mrgrain added status/done Implementation complete and removed status/proposed Newly proposed RFC labels Oct 27, 2023
@mrgrain mrgrain closed this as completed Oct 27, 2023