cli: improve usability of --cloudformation-execution-policies #8571
Comments
zxkane
added
bug
|
Did you bootstrap and passed |
Yes. I did reran the bootstrap with new asset system via below command. I find the permission issue only happening when updating the existing stack Also the bootstrap runs without error if I specify a non-existing policy |
|
Your last 2 concerns are hard to work around. IAM should validate whether the referenced policy exists, but apparently it doesn't. Also, we have no way to know beforehand whether the given policy is going to give enough permissions, because we won't know what kind of permissions you need. In some other environments you may legitimately want to use a narrower policy than |
This is concerning to me, and goes against everything I thought I knew. Can you reproduce this? If you bootstrap using the old stack and then upgrade, using the |
|
I can reproduce it if bootstrapping with enabling new asset system without specifying the arn of execution role in first time. Then the env CDK_NEW_BOOTSTRAP=1 npx cdk bootstrap
⏳ Bootstrapping environment aws://034068960xxx/cn-north-1...
CDKToolkit: creating CloudFormation changeset...
0/11 | 10:11:52 AM | CREATE_IN_PROGRESS | AWS::IAM::Role | FilePublishingRole
0/11 | 10:11:52 AM | CREATE_IN_PROGRESS | AWS::ECR::Repository | ContainerAssetsRepository
0/11 | 10:11:52 AM | CREATE_IN_PROGRESS | AWS::IAM::Role | CloudFormationExecutionRole
0/11 | 10:11:52 AM | CREATE_IN_PROGRESS | AWS::IAM::Role | ImagePublishingRole
0/11 | 10:11:52 AM | CREATE_IN_PROGRESS | AWS::ECR::Repository | ContainerAssetsRepository Resource creation Initiated
0/11 | 10:11:52 AM | CREATE_IN_PROGRESS | AWS::IAM::Role | FilePublishingRole Resource creation Initiated
0/11 | 10:11:53 AM | CREATE_IN_PROGRESS | AWS::IAM::Role | CloudFormationExecutionRole Resource creation Initiated
1/11 | 10:11:53 AM | CREATE_COMPLETE | AWS::ECR::Repository | ContainerAssetsRepository
1/11 | 10:11:53 AM | CREATE_IN_PROGRESS | AWS::IAM::Role | ImagePublishingRole Resource creation Initiated
2/11 | 10:12:02 AM | CREATE_COMPLETE | AWS::IAM::Role | FilePublishingRole
3/11 | 10:12:02 AM | CREATE_COMPLETE | AWS::IAM::Role | CloudFormationExecutionRole
4/11 | 10:12:02 AM | CREATE_COMPLETE | AWS::IAM::Role | ImagePublishingRole
4/11 | 10:12:04 AM | CREATE_IN_PROGRESS | AWS::KMS::Key | FileAssetsBucketEncryptionKey
4/11 | 10:12:04 AM | CREATE_IN_PROGRESS | AWS::IAM::Role | DeploymentActionRole
4/11 | 10:12:04 AM | CREATE_IN_PROGRESS | AWS::KMS::Key | FileAssetsBucketEncryptionKey Resource creation Initiated
4/11 | 10:12:04 AM | CREATE_IN_PROGRESS | AWS::IAM::Role | DeploymentActionRole Resource creation Initiated
4/11 | 10:12:04 AM | CREATE_IN_PROGRESS | AWS::IAM::Policy | ImagePublishingRoleDefaultPolicy
4/11 | 10:12:05 AM | CREATE_IN_PROGRESS | AWS::IAM::Policy | ImagePublishingRoleDefaultPolicy Resource creation Initiated
5/11 | 10:12:14 AM | CREATE_COMPLETE | AWS::IAM::Policy | ImagePublishingRoleDefaultPolicy
6/11 | 10:12:14 AM | CREATE_COMPLETE | AWS::IAM::Role | DeploymentActionRole
6/11 Currently in progress: FileAssetsBucketEncryptionKey
7/11 | 10:13:04 AM | CREATE_COMPLETE | AWS::KMS::Key | FileAssetsBucketEncryptionKey
7/11 | 10:13:09 AM | UPDATE_IN_PROGRESS | AWS::S3::Bucket | StagingBucket Requested update requires the creation of a new physical resource; hence creating one.
7/11 | 10:13:09 AM | UPDATE_IN_PROGRESS | AWS::S3::Bucket | StagingBucket Resource creation Initiated
8/11 | 10:13:31 AM | UPDATE_COMPLETE | AWS::S3::Bucket | StagingBucket
8/11 | 10:13:33 AM | CREATE_IN_PROGRESS | AWS::IAM::Policy | FilePublishingRoleDefaultPolicy
8/11 | 10:13:34 AM | CREATE_IN_PROGRESS | AWS::IAM::Policy | FilePublishingRoleDefaultPolicy Resource creation Initiated
8/11 | 10:13:35 AM | UPDATE_IN_PROGRESS | AWS::S3::BucketPolicy | StagingBucketPolicy Requested update requires the creation of a new physical resource; hence creating one.
8/11 | 10:13:36 AM | UPDATE_IN_PROGRESS | AWS::S3::BucketPolicy | StagingBucketPolicy Resource creation Initiated
9/11 | 10:13:36 AM | UPDATE_COMPLETE | AWS::S3::BucketPolicy | StagingBucketPolicy
10/11 | 10:13:42 AM | CREATE_COMPLETE | AWS::IAM::Policy | FilePublishingRoleDefaultPolicy
10/11 | 10:13:44 AM | UPDATE_COMPLETE_CLEA | AWS::CloudFormation::Stack | CDKToolkit
10/11 | 10:13:45 AM | DELETE_IN_PROGRESS | AWS::S3::BucketPolicy | StagingBucketPolicy
✅ Environment aws://034068960xxx/cn-north-1 bootstrapped.
(base) base ❯ env CDK_NEW_BOOTSTRAP=1 npx cdk bootstrap \
--cloudformation-execution-policies arn:aws-cn:iam::aws:policy/AdministratorAccess
⏳ Bootstrapping environment aws://034068960xxx/cn-north-1...
✅ Environment aws://034068960xxx/cn-north-1 bootstrapped (no changes). |
zxkane
changed the title
How about checking the existence of given execution role in synthesis phase? It should be doable via IAM API. And how about using the managed |
|
I know, but this is a requirement from our security department. YOU need to be the person who opts in to giving a role potentially dangerous permissions. We cannot do that for you. |
|
Could this opt-in be in the form of an interactive confirmation? |
Our nested stack deployment optimizer only used to look at template differences in order to be able to skip deployments. This has been enhanced over time, but stack parameters were still not included in the evaluation. The new bootstrapping experience relies heavily on parameters to configure important aspects such as policies and trust. However, due to the stack deployment skipping, you would not be able to reconfigure trust or policies after the initial deployment. Now takes parameters into account as well. Relates to #8571, relates to #6582, fixes #6581.
That is something we'll pursue but due to organizational reasons it may be a couple of weeks before we can get an answer to that question. |
|
Ok, can you then make the cli argument mandatory to prevent users from creating exec roles without permissions? |
) Our nested stack deployment optimizer only used to look at template differences in order to be able to skip deployments. This has been enhanced over time, but stack parameters were still not included in the evaluation. The new bootstrapping experience relies heavily on parameters to configure important aspects such as policies and trust. However, due to the stack deployment skipping, you would not be able to reconfigure trust or policies after the initial deployment. Now takes parameters into account as well. Relates to #8571, relates to #6582, fixes #6581. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
rix0rrr
added
p1
@aws-cdk/pipelines
rix0rrr
changed the title
rix0rrr
added
effort/medium
rix0rrr
added
effort/small
|
It was supposed to default to "admin" if you didn't establish any |
The current bootstrapping experience has sharp edges. It requires you to pass `--cloudformation-execution-policies`. If you don't pass any, it will successfully deploy a bootstrap stack that doesn't actually work. In effect, you are forced to constantly look up and copy/paste the ARN for `AdministratorAccess` (because that's effectively what people need to use anyway). We don't want to default to this policy for them, because it equates to handing over the keys to your account to another account, and you need to be fully aware that you're doing that. In the case of bootstrapping an account just for use "by itself", however (which is the 90% use case for bootstrapping), the trust boundary is very clear and there's no risk of privilege escalation between accounts (there might still be risk of privilege escalation between different people using different IAM users in the same AWS account, but that is not a recommended setup). Add an optimization where in the case of a "simple", non-cross account bootstrap, we'll default to the AdministratorAccess ARN for you. Once you establish `--trust` with another account, we'll still force you to spell out the execution policy you'll want to use though. Fixes #8571. Also in this PR: - The `blockPublicAccessConfiguration` would be reset on every re-bootstrap, instead of reusing the previous setting. - The `enableTerminationProtection` would be reset on every re-bootstrap, instead of reusing the previous setting.
…cy ARNs (#9867) The current bootstrapping experience has sharp edges. It requires you to pass `--cloudformation-execution-policies` in all cases, even if you just want a "simple", same-account bootstrap stack. If you bootstrap your own accounts, you probably don't have a centralized SecOps team that is limiting you, and you're probably intending to deploy everything using the CDK, which means you're looking for AdministratorAccess. In effect, you are forced to constantly Google and copy/paste the ARN for `AdministratorAccess` (because who can remember that) and it's a bad experience. In the case of bootstrapping an account just for use "by itself", however (which is the 90% use case for bootstrapping), the trust boundary is very clear and there's no risk of privilege escalation between accounts. Add an optimization where in the case of a "simple", non-cross account bootstrap, we'll default to the AdministratorAccess ARN for you. Once you establish `--trust` with another account, we'll still force you to spell out the execution policy you'll want to use though. Fixes #8571. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Deploy an app via new asset system
"@aws-cdk/core:newStyleStackSynthesis": true,, got below errors,Reproduction Steps
cdk.jsonnpx cdk deployError Log
See above
Environment
Other
This is 🐛 Bug Report
The text was updated successfully, but these errors were encountered: