feat(bootstrap): widen lookup role permissions for future extension (#15423)

The lookup role permissions are currently scoped to support exactly
the context lookups supported by CDK right now.

This means that if we add more lookups in the future, we will have to
do a complicated dance that involves updating the bootstrap stack and
version checking.

Instead, increase the scope of the lookup role to be able to read
everything in the target account except for secrets (anything that's
encrypted by KMS cannot be read).

People that currently have built their own lookup extensions to CDK can
use this role to implement them.

**NOTE**: this updates the bootstrap stack, but nothing in the CDK framework
currently requires these changes. You can update at your leisure.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
rix0rrr authored Jul 14, 2021
1 parent c98e40e commit cafdd3c
Showing 1 changed file with 11 additions and 19 deletions.
30 changes: 11 additions & 19 deletions packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
Expand Up @@ -281,29 +281,21 @@ Resources:
- Ref: AWS::NoValue
RoleName:
Fn::Sub: cdk-${Qualifier}-lookup-role-${AWS::AccountId}-${AWS::Region}
ManagedPolicyArns:
- Fn::Sub: "arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess"
Policies:
- PolicyDocument:
Statement:
- Action:
- ec2:DescribeVpcs
- ec2:DescribeAvailabilityZones
- ec2:DescribeSubnets
- ec2:DescribeRouteTables
- ec2:DescribeVpnGateways
- ec2:DescribeImages
- ec2:DescribeVpcEndpointServices
- ec2:DescribeSecurityGroups
- elasticloadbalancing:DescribeLoadBalancers
- elasticloadbalancing:DescribeTags
- elasticloadbalancing:DescribeListeners
- route53:ListHostedZonesByName
- route53:GetHostedZone
- ssm:GetParameter
- Sid: DontReadSecrets
Effect: Deny
Action:
- kms:Decrypt
Resource: "*"
Effect: Allow
Version: '2012-10-17'
PolicyName:
Fn::Sub: cdk-${Qualifier}-lookup-role-default-policy-${AWS::AccountId}-${AWS::Region}
PolicyName: LookupRolePolicy
Tags:
- Key: aws-cdk:bootstrap-role
Value: lookup
FilePublishingRoleDefaultPolicy:
Type: AWS::IAM::Policy
Properties:
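Review bot: The carve-out in this hunk is narrower than the commit message implies: the only Deny is on `kms:Decrypt`, so the lookup role now inherits every action in the AWS-managed `ReadOnlyAccess` policy (a list AWS maintains and extends outside this template) and can read any data that is not KMS-encrypted, whereas the removed inline allow-list (`ec2:Describe*`, `elasticloadbalancing:Describe*`, `route53:ListHostedZonesByName`, `route53:GetHostedZone`, `ssm:GetParameter`) pinned the permission set explicitly. Consider attaching a permissions boundary or keeping an explicit allow-list for the actions the CLI is known to need alongside the managed policy, and at minimum state in the commit message and bootstrap documentation that "except for secrets" means "except KMS-encrypted data" (e.g. SecureString parameters will now fail the `ssm:GetParameter` lookup with an explicit deny, which is the intended behaviour). Replacing the `Fn::Sub` policy name with the static `PolicyName: LookupRolePolicy` is fine for an inline role policy, but worth calling out in the description since it changes the resource CloudFormation manages on update.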
Expand Down Expand Up @@ -498,7 +490,7 @@ Resources:
Type: String
Name:
Fn::Sub: '/cdk-bootstrap/${Qualifier}/version'
Value: '7'
Value: '8'
Outputs:
BucketName:
Description: The name of the S3 bucket owned by the CDK toolkit stack
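Review bot: The bump from `Value: '7'` to `Value: '8'` is required for a template change, but because the commit message states that nothing in the framework needs version 8 yet, confirm that the CLI's minimum-bootstrap-version check is not raised in the same change, so existing version-7 stacks keep working until operators choose to redeploy, and add a changelog entry for the bootstrap template describing the widened lookup role so that the version bump is explained where operators look for it.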

1 comment on commit cafdd3c

@mrpackethead


Thanks @rix0rrr. This is very useful.
