Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add context parameter and PermissionBoundary aspect #22745

Closed
corymhall opened this issue Nov 2, 2022 · 2 comments · Fixed by #22913
Closed

Add context parameter and PermissionBoundary aspect #22745

corymhall opened this issue Nov 2, 2022 · 2 comments · Fixed by #22913
Assignees
@corymhall

Comments

@corymhall
Copy link
Contributor

Add a new context variable that the user can set with the permission boundary name. We can then use that value to apply the permission boundary (using Aspects).

cdk.json

{
  "context": {
    "@aws-cdk/core:permissionBoundaryName": "my-permission-boundary"
  }
}

Apply the permission boundary somewhere based on a context variable. This should take stages into account. For example, the user may need to apply different permissions boundaries based on the stage.

const pbName = stack.node.tryGetContext('@aws-cdk/core:permissionBoundaryName');
if (pbName) {
    iam.PermissionBoundary.of(stack).apply(
        iam.ManagedPolicy.fromManagedPolicyName(stack, 'PermissionBoundary', pbName);
    );
}
@corymhall corymhall assigned corymhall and unassigned Naumel Nov 10, 2022
@corymhall corymhall mentioned this issue Nov 14, 2022
Merged
4 tasks
@mergify mergify bot closed this as completed in #22913 Nov 18, 2022
mergify bot pushed a commit that referenced this issue Nov 18, 2022
@corymhall
feat(iam): apply permissions boundary to a Stage (#22913)
ba4896a 
For the implementation, there are two components to "applying" the permissions boundary.

The first is "applying" the permissions boundary to a construct scope. For this I've used context since context has built in resolution up the tree. For example, you could theoretically do something like the below.

```ts
// apply at the app scope
const app = new App({
  context: {
    [PERMISSIONS_BOUNDARY_CONTEXT_KEY]: {
      name: 'app-level-pb',
    },
  },
});

// apply different value at this stage
const prodStage = new Stage(app, 'Stage', {
  permissionsBoundary: PermissionsBoundary.fromName('stage-pb'),
});

const stack = new Stack(prodStage, 'Stack', {
  permissionsBoundary: PermissionsBoundary.fromName('stack-level-pb'),
});
```

While the above is possible, the most likely scenario is that you would apply a permission boundary at the `App`, `Stage` or `Stack` level. Stages/Stacks correspond to AWS environments (account + region) and so they would most likely also map to bootstrap environments. Because of this I've added parameters a new `permissionsBoundary` property to both the `Stage` & `Stack` props to make it easier to configure.

The second aspect to "applying" the boundary is actually attaching the permissions boundary to each IAM Role & User that is created. For this I add an Aspect to every `Stack` that has the permissions boundary context. This aspect will attach the permissions boundary to the Role or User.

closes #22745


----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@constantintaivan
Copy link

Hi @corymhall

I'm following the above setup but the deployment (cdk deploy) does not work.
I have installed on Windows the latest version for CDK and AWS CLI.
Bootstrapping was fixed and deployed successfully by using this resource: https://aws.amazon.com/blogs/mt/how-to-deploy-cdk-v2-to-an-account-that-requires-boundary-policies/

e.g.,
const boundary = iam.ManagedPolicy.fromManagedPolicyArn(this, 'Boundary', 'arn:aws:iam::xxx:policy/DenyServicesSecurityStuff-policy');
iam.PermissionsBoundary.of(this).apply(boundary)

Error:

MyTask/TaskRole (MyTaskTaskRole560858C4) Encountered a permissions error performing a tagging operation, please add required tag permissions. See https://repost.aws/knowledge-center/cloudformation-tagging-permission-error for how to resolve. Resource handler returned message: "User: arn:aws:sts::xxx:assumed-role/cdk-hnb659fds-cfn-exec-role-xx-eu-central-1/AWSCloudFormation is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::xxx:role/SqsFargateServiceStack-MyTaskTaskRole560858C4-CUjtntvC38J4 with an explicit deny in a permissions boundary (Service: Iam, Status Code: 403, Request ID: 52393d51-805e-4bee-86d8-a49072c0f03e)"

Thanks
Constantin

@constantintaivan constantintaivan mentioned this issue Aug 20, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@corymhall corymhall

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(iam): apply permissions boundary to a Stage
3 participants
@constantintaivan @corymhall @Naumel