(aws-cdk): Add session tags when CDK assumes an IAM Role. #26157
Comments
We don't appear to support this, but this would be nice to have. Thanks for the request!
This is a very important feature which is missing. Would love to have it available soon.
Hi @j5nb4l and @ishug86, thanks for the feature request! Could you both elaborate a bit further on your use case? We would like to understand the problem you are solving (trying to solve), how this feature would help with it, and how exactly you would be using the new feature. Specifically, it sounds to me like you want to be able to instruct the
@j5nb4l This sounds like a non-default CDK bootstrap setup. Can you tell us more about how you currently achieve this? What makes managing per-account/per-region buckets less than ideal for you?
Hi @mrgrain,
The S3 buckets used to host CloudFormation assets use Attribute-based Access Control to restrict the access granted to an STS session based on its session tags.
Yes, that's correct.
This is a great question, and the reason why I did not attempt to implement it. From my perspective, a CLI argument, like
That was in reference to how it is done for native CloudFormation (i.e., without CDK) where the AssumeRole sessions are created using the I hope I adequately answered your questions. Please let me know if you need any clarifications or further information.
Thanks for the details. That all makes sense and will help us to prioritize the feature. It does sound like you don't have this implemented yet with CDK, presumably because you are blocked by the lack of session tags? I'm a bit worried that you are going to run into more issues with this approach, and while session tags might be a useful thing on their own, they would potentially not be very useful without further changes to the Synthesizer, Bootstrapping or both. I expect the implementation to follow closely what we already do for
It probably makes the most/only sense to have this implemented on the Synthesizer level, since the CLI can be used with other Synthesizers as well that don't assume any roles.
I can certainly understand what you mean; however, I think it would be very useful to have the ability to add session tags even if they were not defined in the synthesizer or when trying to deploy an app that was already synthesized (e.g.,
I think the way that externalId was implemented would work fine. The new property would just have to take an object with key-value pairs for each session tag instead of a string, right?
Yes, pretty much that.
Required to implement [session tags](aws/aws-cdk#26157) and a prerequisite to aws/aws-cdk#31089.
Required to implement [session tags](aws/aws-cdk#26157) and a prerequisite to aws/aws-cdk#31089.

### Notes

- Requires cdklabs/cloud-assembly-schema#33 to be merged first.
Describe the feature
Provide the ability to add session tags when assuming the CDK IAM Roles.
Use Case
Our team uses a central S3 bucket where all assets are uploaded for CloudFormation to use, as we have a lot of accounts and managing per-account/per-region buckets would be less than ideal. In order to prevent pipeline builds from accidentally overwriting assets uploaded by another, we use bucket policies to restrict the bucket prefix that any given session created by the CI/CD server has access to. That way the CI/CD server must use the correct session tag to be granted access to the prefix where the assets are uploaded. For example, here is what a simplified statement in the bucket policy looks like:
We would like to be able to follow this same access pattern when CDK uploads assets to the S3 bucket from our pipeline; however, there does not seem to be any way to configure session tags when using the DefaultStackSynthesizer.
Proposed Solution
No response
Other Information
No response
Acknowledgements
CDK version used
2.78.0 (build 8e95c37)
Environment details (OS name and version, etc.)
MacOS Ventura 13.4.1 (22F82)
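As an added example (not code from this issue or from the CDK project), the following Python evaluator models how the ABAC bucket-policy pattern described in the use case behaves when a session does or does not carry the expected tag. The statement, bucket name, account id, role name and the `pipeline` tag key are all constructed assumptions; the issue author's own simplified policy statement is not reproduced on this page.

```python
import re
from typing import Dict, Optional

# Constructed statement (an assumption for this example, not the one from the issue):
# a CI/CD session may only read or write keys under the prefix named by its
# "pipeline" session tag. Bucket name, account id and role name are placeholders.
CONSTRUCTED_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:role/cdk-deploy-role"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::central-assets-bucket/${aws:PrincipalTag/pipeline}/*",
}

_POLICY_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def resolve_principal_tags(resource: str, session_tags: Dict[str, str]) -> Optional[str]:
    """Substitute ${aws:PrincipalTag/<key>} variables with the session's tag values.
    Returns None when a referenced tag is absent, so the resource matches nothing; this is
    what a CDK deployment whose AssumeRole call carried no session tags would run into."""
    missing = False

    def repl(match):
        nonlocal missing
        value = session_tags.get(match.group(1))
        if value is None:
            missing = True
            return ""
        return value

    resolved = _POLICY_VAR.sub(repl, resource)
    return None if missing else resolved


def _arn_matches(pattern: str, arn: str) -> bool:
    """Match an ARN against a resource pattern; IAM supports only * and ? wildcards."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None


def statement_allows(statement: dict, session_tags: Dict[str, str], action: str, object_arn: str) -> bool:
    """Evaluate one Allow statement for a given action on a given object ARN."""
    actions = statement["Action"] if isinstance(statement["Action"], list) else [statement["Action"]]
    resources = statement["Resource"] if isinstance(statement["Resource"], list) else [statement["Resource"]]
    if statement.get("Effect") != "Allow" or action not in actions:
        return False
    for resource in resources:
        resolved = resolve_principal_tags(resource, session_tags)
        if resolved is not None and _arn_matches(resolved, object_arn):
            return True
    return False
```

A session tagged `pipeline=team-a` is allowed under `team-a/`, the same session is refused under another pipeline's prefix, and an untagged session (the situation described in the issue) is refused everywhere.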