Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow making iam.IRole functionally "immutable" #2985

Closed
1 of 5 tasks
RomainMuller opened this issue Jun 21, 2019 · 1 comment · Fixed by #3716 or #5569
Closed
1 of 5 tasks

Allow making iam.IRole functionally "immutable" #2985

RomainMuller opened this issue Jun 21, 2019 · 1 comment · Fixed by #3716 or #5569
Assignees
@rix0rrr
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management feature-request A feature should be added or improved. in-progress This issue is being actively worked on.

Comments

@RomainMuller
Copy link
Contributor

Note: for support questions, please first reference our documentation, then use Stackoverflow. This repository's issues are intended for feature requests and bug reports.

  • I'm submitting a ...

    • 🪲 bug report
    • 🚀 feature request
    • 📚 construct library gap
    • ☎️ security issue or vulnerability => Please see policy
    • ❓ support request => Please see note at the top of this template.

  • What is the current behavior?
    If the current behavior is a 🪲bug🪲: Please provide the steps to reproduce

When passing an IRole around, permissions can be added to the role under certain conditions (namely, the role must either be owned by the current application, or reside in the same account than the stack granting the additional permissions).

  • What is the expected behavior (or behavior of feature suggested)?

In certain conditions, a user might want to prohibit new statements being added to a Role policy. The proposition is to offer an IRole wrapper that simply ignores attempts to add statements (either directly or through policies) to the role.

Additionally, as imported roles are a common use-case for this, it would be interesting to add an optional { ignoreNewStatements = false } parameter to the Role.from* methods.

  • What is the motivation / use case for changing the behavior or adding this feature?

In certain cases, roles are created by a dedicated organization, and CDK App developers are not allowed to directly modify those. In such cases, attempts to add new statements to imported roles will likely cause in a deployment failure due to insufficient permissions.

In other cases, a user might want to ensure that permissions they hand-crafted for a given role are honored without modification.

This feature means that all places where an optional IRole is accepted, the granting behavior for both the "default role" and "user-provided role" cases can be identical, where the construct grants all necessary permissions that are derived from other parameters (example: a SageMaker training job always needs to be able to read/decrypt it's inputs, write/encrypt it's outputs, etc...).
@RomainMuller RomainMuller added feature-request A feature should be added or improved. @aws-cdk/aws-iam Related to AWS Identity and Access Management labels Jun 21, 2019
@rix0rrr rix0rrr mentioned this issue Aug 30, 2019
Merged
skinny85 added a commit to skinny85/aws-cdk that referenced this issue Sep 5, 2019
@skinny85
fix(iam): only attach policies to imported roles if the accounts match
792ff10 
We allow attaching policies to the imported role if the account passed in the ARN
matches the account of the stack the policy belongs to,
or if either one of those accounts was not specified (i.e., is env-agnostic),
or if the ARN used for importing was dynamic.

Fixes aws#2985
Fixes aws#3025
@mergify mergify bot closed this as completed in #3716 Sep 6, 2019
mergify bot pushed a commit that referenced this issue Sep 6, 2019
@skinny85 @mergify
fix(iam): only attach policies to imported roles if the accounts match (
87db7aa 
#3716)

We allow attaching policies to the imported role if the account passed in the ARN
matches the account of the stack the policy belongs to,
or if either one of those accounts was not specified (i.e., is env-agnostic),
or if the ARN used for importing was dynamic.

Fixes #2985
Fixes #3025
@skinny85
Copy link
Contributor

This was actually closed mistakenly. The change in #3716 only dealt with imported immutable Roles. We also should provide a wrapper for non-imported Roles.

@skinny85 skinny85 reopened this Sep 24, 2019
@skinny85 skinny85 mentioned this issue Sep 24, 2019
Closed
@skinny85 skinny85 mentioned this issue Oct 11, 2019
Closed
skinny85 added a commit to skinny85/aws-cdk that referenced this issue Oct 14, 2019
@skinny85
feat(iam): immutable IAM roles
a47c6e2 
This adds an IRole implementation that ignores all mutating operations.
To accommodate this new behavior, add a new method to IIdentity:
createAndAttachPolicy, which is meant to replace attachInlinePolicy,
which can leave Policy resources unattached, which is illegal in CloudFormation.

Fixes aws#2985
Fixes aws#4465
@skinny85 skinny85 mentioned this issue Oct 14, 2019
Closed
@SomayaB SomayaB added the in-progress This issue is being actively worked on. label Oct 15, 2019
skinny85 added a commit to skinny85/aws-cdk that referenced this issue Oct 18, 2019
@skinny85
feat(iam): immutable IAM roles
cfd8a27 
This adds an IRole implementation that ignores all mutating operations.
To accommodate this new behavior, add a new method to IIdentity:
createAndAttachPolicy, which is meant to replace attachInlinePolicy,
which can leave Policy resources unattached, which is illegal in CloudFormation.

Fixes aws#2985
Fixes aws#4465
skinny85 added a commit to skinny85/aws-cdk that referenced this issue Oct 21, 2019
@skinny85
feat(iam): immutable IAM roles
f40edeb 
This adds an IRole implementation that ignores all mutating operations.
To accommodate this new behavior, add a new method to IIdentity:
createAndAttachPolicy, which is meant to replace attachInlinePolicy,
which can leave Policy resources unattached, which is illegal in CloudFormation.

Fixes aws#2985
Fixes aws#4465
skinny85 added a commit to skinny85/aws-cdk that referenced this issue Oct 23, 2019
@skinny85
feat(iam): immutable IAM roles
57562b3 
This adds an IRole implementation that ignores all mutating operations.
To accommodate this new behavior, add a new method to IIdentity:
createAndAttachPolicy, which is meant to replace attachInlinePolicy,
which can leave Policy resources unattached, which is illegal in CloudFormation.

Fixes aws#2985
Fixes aws#4465
@rix0rrr rix0rrr mentioned this issue Dec 27, 2019
Merged
rix0rrr added a commit that referenced this issue Jan 15, 2020
@rix0rrr
feat(iam): Role.withoutPolicyUpdates() (#5569)
ea4ca3e 
Add a new method to `Role` called `withoutPolicyUpdates()`, which returns a wrapper object that will drop all policy updates. This can be used in situations where you want to skip the default IAM permission adding behavior of CDK.

Needs only be used with roles that are created in the same CDK application; for imported roles, supplying `mutable=false` when calling `Role.fromRoleArn()` is sufficient.

Fixes #2985.
Fixes #4465.
Closes #4501.
@JoshMcCullough JoshMcCullough mentioned this issue Nov 4, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rix0rrr rix0rrr

Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management feature-request A feature should be added or improved. in-progress This issue is being actively worked on.
Projects
None yet
Milestone
No milestone
4 participants
@RomainMuller @skinny85 @rix0rrr @SomayaB