Commit

scope down permissions for sqs and kinesis stream targets
gracelu0 committed Nov 15, 2024
1 parent bf103d5 commit 8b1e662
Showing 27 changed files with 160 additions and 121 deletions.
Expand Up @@ -34,7 +34,8 @@ export class KinesisStreamPutRecord extends ScheduleTargetBase implements ISched
}

protected addTargetActionToRole(role: IRole): void {
this.stream.grantWrite(role);
this.stream.grant(role, 'kinesis:PutRecord', 'kinesis:PutRecords');
this.stream.encryptionKey?.grant(role, 'kms:GenerateDataKey*');
}

protected bindBaseTargetConfig(_schedule: ISchedule): ScheduleTargetConfig {
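Review bot: `'kms:GenerateDataKey*'` on the new `encryptionKey?.grant` line keeps a wildcard in a commit whose stated purpose is scoping down; it also matches `kms:GenerateDataKeyWithoutPlaintext` and `kms:GenerateDataKeyPair*`, which a Kinesis producer never calls. Either narrow it to `kms:GenerateDataKey` or add a one-line comment saying why the wildcard is kept. A second comment would also help here: swapping `grantWrite` for the explicit `grant(role, 'kinesis:PutRecord', 'kinesis:PutRecords')` is what drops `kinesis:ListShards` from the scheduler role, as the Kinesis snapshot hunk further down confirms, and that intent is not obvious from the line itself.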
Expand Up @@ -49,7 +49,8 @@ export class SqsSendMessage extends ScheduleTargetBase implements IScheduleTarge
}

protected addTargetActionToRole(role: IRole): void {
this.queue.grantSendMessages(role);
this.queue.grant(role, 'sqs:SendMessage');
this.queue.encryptionMasterKey?.grant(role, 'kms:Decrypt', 'kms:GenerateDataKey*');
}

protected bindBaseTargetConfig(_schedule: ISchedule): ScheduleTargetConfig {
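Review bot: the `?.` on `this.queue.encryptionMasterKey?.grant(...)` silently skips the KMS grant whenever the queue object carries no key reference, for example an imported queue whose SSE-KMS key was not passed in; the schedule then deploys but the scheduler role cannot send to the encrypted queue. Consider documenting that on the `role` prop (the docstring edited below in target.ts) and adding a unit test asserting that an encrypted queue yields exactly `sqs:SendMessage` on the queue plus `kms:Decrypt` and the GenerateDataKey permission on the key. As in the Kinesis change, `kms:GenerateDataKey*` is broader than the `kms:GenerateDataKey` a sender needs.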
4 changes: 0 additions & 4 deletions packages/@aws-cdk/aws-scheduler-targets-alpha/lib/target.ts
Expand Up @@ -16,10 +16,6 @@ export interface ScheduleTargetBaseProps {
* permissions to interact with the templated target. If you wish you may specify your own IAM role, then the templated targets
* will grant minimal required permissions.
*
* Universal target automatically create an IAM role if you do not specify your own IAM role.
* However, in comparison with templated targets, for universal targets you must grant the required
* IAM permissions yourself.
*
* @default - created by target
*/
readonly role?: iam.IRole;
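Review bot: deleting the paragraph on universal targets leaves the `role` docstring describing only templated targets ("the templated targets will grant minimal required permissions") with no statement of what a universal target does with a user-supplied role. If universal targets still auto-create a role and leave the permission grants to the caller, that guidance should survive somewhere, for example in the README, rather than disappear inside a permissions-scoping commit; if the paragraph was removed because it was inaccurate, the commit message should say so.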
Expand Up @@ -44,5 +44,3 @@ integrationTest.assertions.awsApiCall('Inspector', 'listAssessmentRuns', {
interval: cdk.Duration.seconds(30),
totalTimeout: cdk.Duration.minutes(10),
});

app.synth();
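Review bot: removing `app.synth();` from the integ test entry points (this hunk and the matching ones in the other integ files below) is unrelated to the stated purpose of scoping down SQS and Kinesis permissions and is not mentioned in the commit message; either mention it or split it into its own commit so a reader of the history can tell intent from cleanup. It is safe only because the integ runner synthesizes the app itself; a short comment to that effect in one of the test files would spare the next person wondering why the call is gone.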
Expand Up @@ -69,5 +69,3 @@ if (objects instanceof AwsApiCall && objects.waiterProvider) {
Resource: ['*'],
});
}

app.synth();

Expand Up @@ -19,8 +19,8 @@
]
}
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain"
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
},
"Schedule83A77FD1": {
"Type": "AWS::Scheduler::Schedule",
Expand Down Expand Up @@ -106,7 +106,6 @@
"Statement": [
{
"Action": [
"kinesis:ListShards",
"kinesis:PutRecord",
"kinesis:PutRecords"
],
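Review bot: the dropped `kinesis:ListShards` is the only Kinesis permission actually tightened in the snapshot, and it confirms the scheduler's PutRecord path does not need it. Since this snapshot is the only place in the diff where the behavioural change is recorded, add a unit test in the alpha module that asserts the exact action list `kinesis:PutRecord`, `kinesis:PutRecords` on the stream ARN, so a future return to `grantWrite` is caught without an integ run. The `Retain` to `Delete` flip in the preceding hunk comes from the `removalPolicy: cdk.RemovalPolicy.DESTROY` added to the integ test's stream, not from the permission change, and deserves a sentence in the commit message.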
Expand Up @@ -21,6 +21,7 @@ const partitionKey = 'key';
const stream = new Stream(stack, 'MyStream', {
streamName,
shardCount: 1,
removalPolicy: cdk.RemovalPolicy.DESTROY,
});

new scheduler.Schedule(stack, 'Schedule', {
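Review bot: `removalPolicy: cdk.RemovalPolicy.DESTROY` is the right default for a stream that exists only for an integ test (otherwise each run leaves a billed Kinesis stream behind when the stack is destroyed), but it is a test-hygiene change that alters the snapshot's `DeletionPolicy`/`UpdateReplacePolicy` and has nothing to do with scoping permissions; a comment on the line or a note in the commit message would make that link explicit.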
Expand Down Expand Up @@ -58,4 +59,3 @@ getRecords.assertAtPath(
totalTimeout: cdk.Duration.minutes(10),
});

app.synth();
Expand Up @@ -135,5 +135,3 @@ integrationTest.assertions.awsApiCall('Sagemaker', 'listPipelineExecutions', {
interval: cdk.Duration.seconds(30),
totalTimeout: cdk.Duration.minutes(10),
});

app.synth();

Expand Up @@ -27,29 +27,23 @@
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:SendMessage"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"ScheduleTargetQueueFA42B954",
"Arn"
]
}
},
{
"Action": "sqs:SendMessage",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"ScheduleDeadLetterQueue0D6B48D2",
"Arn"
]
}
"Resource": [
{
"Fn::GetAtt": [
"ScheduleDeadLetterQueue0D6B48D2",
"Arn"
]
},
{
"Fn::GetAtt": [
"ScheduleTargetQueueFA42B954",
"Arn"
]
}
]
}
],
"Version": "2012-10-17"
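Review bot: the two statements collapse into one because, after `grant(role, 'sqs:SendMessage')`, the target queue and the dead-letter queue carry identical action sets and IAM statement merging folds them into a single statement with a `Resource` array. That is the intended outcome, and the merged statement makes the tightening easy to read: `sqs:GetQueueAttributes` and `sqs:GetQueueUrl` are gone from the target queue while the dead-letter-queue permission is unchanged. A unit test asserting this exact policy document would pin the result without relying on snapshot review.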
Expand Up @@ -92,11 +92,7 @@
"PolicyDocument": {
"Statement": [
{
"Action": [
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:SendMessage"
],
"Action": "sqs:SendMessage",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
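Review bot: `"Action": "sqs:SendMessage"` replacing the three-action array is the visible scope-down for the SQS target, but none of the SQS snapshot hunks in this commit show a `kms:` statement, so the diff gives no evidence that the new `encryptionMasterKey?.grant(role, 'kms:Decrypt', 'kms:GenerateDataKey*')` branch is exercised. If no existing integ test uses an SSE-KMS queue, add one so the key policy grant is covered alongside the queue policy.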
0 comments on commit 8b1e662
