docs(pipelines): add CI/CD account bootstrap template example #12352
Conversation
|
|
|
Title does not follow the guidelines of Conventional Commits. Please adjust title before merge. |
flochaz
changed the title
| > On this note, if you have an account dedicated to CI/CD pipelines you can tailored | ||
| > the permission granted to only allow pipelines' resources to be deployed by bootstraping | ||
| > it with the `--template` option with a template such as [this one](https://raw.githubusercontent.com/aws-samples/aws-bootstrap-kit-examples/main/source/1-SDLC-organization/lib/cdk-bootstrap-template.yml). |
There was a problem hiding this comment.
The challenge we have is that CI/CD pipelines typically can create a role (for CodeBuild for example) . The role could have very permissive permission and developers can do anything in CodeBuild's ShellScriptAction.
I'll go with making readers aware of the risk, and introduce the solution:
"If your policy includes permissions to create on attach permission to a role, developers can escalate their privilege by creating a new role with more permissive permission. Thus, we recommend to implement permissions boundary in the CDK Execution role. To do this, you can bootstrap with the --template option with a customized template that contains a permission boundary."
NGL321
changed the title
NGL321
changed the title
There was a problem hiding this comment.
I had to re-read this a couple of times and I still don't quite get what it's trying to say.
I like @ijemmy's phrasing better, at least it's clear in what it's trying to get you to do.
On that note: how would you feel about migrating your template changes into the CDK bootstrap template proper (using a parameter) and turning this into a how-to-use section?
See here: #12207
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
mergify
bot
dismissed
rix0rrr’s stale review
Pull request has been modified.
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
This PR add details about how you can restrict the bootstrapping role permissions and especially if you have a multi-accounts structure with a de dedicated account for CI/CD pipelines.
It makes reference to a template used in an other project leveraging the CDK pipelines construct in a multi-accounts organization.
This template follow the least privileges principle and restrict as much as possible permissions to enable user to only create resources needed by the cdk pipelines construct (specific roles, kms keys, buckets, codepipelines etc.).
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license