Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(pipelines): artifact bucket permissions missing for in-account deployments #15348

Merged
merged 3 commits into from
Jul 1, 2021

Conversation

rix0rrr
Copy link
Contributor

@rix0rrr rix0rrr commented Jun 29, 2021

A recent change to the default deploy-role policies required that the
required permissions statements are added to the artifacts bucket
instead.

This happened to be working for stacks which had NO account env property
set, but not for stacks that DID have an account property set which
was the same as the pipeline's account property.

Ultimately this was caused by an account comparison deep in the bowels of the
Grants system, which happened to work out because in cases of mismatched
accounts it would think there was a cross-account access and it was trying to
add permissions to both principal and resource. But in this case, it's much more
accurate to say that we can NEVER add permissions to the deploy-role, and
instead always want the permissions added to the bucket (rather than dropping
them).

Fixes #15307.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

…ployments

A recent change to the default `deploy-role` policies required that the
required permissions statements are added to the artifacts bucket
instead.

This happened to be working for stacks which had NO `account` env property
set, but not for stacks that DID have an `account` property set which
was the same as the pipeline's account property.

Fixes #15307.
@rix0rrr rix0rrr requested a review from skinny85 June 29, 2021 14:05
@rix0rrr rix0rrr self-assigned this Jun 29, 2021
@gitpod-io
Copy link

gitpod-io bot commented Jun 29, 2021

@rix0rrr rix0rrr changed the title fix(pipelines): artifact bucket permissions missing for in-account de… fix(pipelines): artifact bucket permissions missing for in-account deployments Jun 29, 2021
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Jun 29, 2021
@ericzbeard ericzbeard added this to the [GA] CDK Pipelines milestone Jun 29, 2021
Copy link
Contributor

@skinny85 skinny85 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rix0rrr I wonder: shouldn't we simply always return statementAdded: false in addToPrincipalPolicy() for immutable Roles? What's the consequence of changing this behavior now?

@rix0rrr
Copy link
Contributor Author

rix0rrr commented Jun 30, 2021

@rix0rrr I wonder: shouldn't we simply always return statementAdded: false in addToPrincipalPolicy() for immutable Roles? What's the consequence of changing this behavior now?

It would add the permissions to the resource always, which may or may not be intended. Bit dangerous to change.

@skinny85 skinny85 added the pr/do-not-merge This PR should not be merged at this time. label Jun 30, 2021
Copy link
Contributor

@skinny85 skinny85 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My opinion of this change is that I would switch to return statementAdded: false always for immutable Roles. I think this actually makes sense, because the statements are not added to an immutable Role. So I would consider the current behavior a bug.

I really don't like the addition of the addGrantsToResources property. I understand that it's the only way to do this in a fully, 100% backwards-compatible way, but I think it's a confusing and weird property, and makes the IAM library more complicated than it should be.

However, since you're the owner of both of these libraries, the ultimate decision is yours to make. I don't have any comments on the actual code (assuming you disagree with me that the current behavior of returning statementAdded: true for immutable Roles is a bug), so I'm approving the PR.

I trust you to make the decision you think is best 🙂.

@rix0rrr
Copy link
Contributor Author

rix0rrr commented Jul 1, 2021

I think it still makes sense to give this control to users, but I agree with you that in an ideal world the defaults would have been reversed. I seem to remember there was a use case where we needed the current behavior, and so that kinda just stayed around...

Fortunately, by adding this flag we now have a clear mechanism of how to do that: a feature flag that controls the default of this property.

And I don't think we can change this default retroactively, especially not since it pertains to IAM.

@rix0rrr rix0rrr removed the pr/do-not-merge This PR should not be merged at this time. label Jul 1, 2021
@mergify
Copy link
Contributor

mergify bot commented Jul 1, 2021

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 2a5e288 into master Jul 1, 2021
@mergify mergify bot deleted the huijbers/pipelines-bucket-perms branch July 1, 2021 08:05
@mergify
Copy link
Contributor

mergify bot commented Jul 1, 2021

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
  • Commit ID: 8322f2a
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

hollanddd pushed a commit to hollanddd/aws-cdk that referenced this pull request Aug 26, 2021
…ployments (aws#15348)

A recent change to the default `deploy-role` policies required that the
required permissions statements are added to the artifacts bucket
instead.

This happened to be working for stacks which had NO `account` env property
set, but not for stacks that DID have an `account` property set which
was the same as the pipeline's account property.

Ultimately this was caused by an account comparison deep in the bowels of the
Grants system, which happened to work out because in cases of mismatched
accounts it would think there was a cross-account access and it was trying to
add permissions to both principal and resource. But in this case, it's much more
accurate to say that we can NEVER add permissions to the `deploy-role`, and
instead always want the permissions added to the bucket (rather than dropping
them).

Fixes aws#15307.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
contribution/core This is a PR that came from AWS.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

(cli): CDK Pipeline in account bootstrapped with 1.110.0 (bootstrap version 7): S3 Access Denied
4 participants