Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: allow all sts options for roles assumed by the cli #31089

Merged
merged 94 commits into from
Sep 23, 2024
Merged

feat: allow all sts options for roles assumed by the cli #31089

merged 94 commits into from
Sep 23, 2024

Conversation

sumupitchayan
Copy link
Contributor

@sumupitchayan sumupitchayan commented Aug 12, 2024
edited by iliapolo
Loading

Allow passing all STS options to assume role configuration for various CDK roles.

The following PR description focuses on Session Tags because it was originally the only option we wanted to add support to. After some thought, we decided to allow all available STS options via a transparent pass-through.

Prerequisites

Issue # (if applicable)

Closes #26157
Fixes #22535

Reason for this change

Enabling ABAC via STS session tags. From the AWS docs:

“Session Tags are key-value pair attributes that you pass when you assume an IAM role or federate a user in AWS STS. You do this by making an AWS CLI or AWS API request through AWS STS or through your identity provider (IdP). When you use AWS STS to request temporary security credentials, you generate a session. Sessions expire and have credentials, such as an access key pair and a session token. When you use the session credentials to make a subsequent request, the request context includes the aws:PrincipalTag context key. You can use the aws:PrincipalTag key in the Condition element of your policies to allow or deny access based on those tags”

Description of changes

The CDK creates 4 IAM roles during bootstrap. It then assumes these roles at various phases of the deployment.

  • DeploymentActionRole: Assumed when invoking CloudFormation operations such as Deploy and DescribeStackEvents.
  • FilePublishingRole: Assumed when file assets are uploaded to the bootstrap bucket.
  • ImagePublishingRole: Assumed when docker images are published to the bootstrap ECR registry.
  • LookupRole: Assumed while performing context lookups.

Each of these roles should be assumable with their own specific session tags, as they server different purposes.

Note: The CloudFormationExecutionRole is also created during bootstrap, but the CLI never assumes it, therefore it doesn't need session tags support.

Session tags for each role will be configurable via synthesizer properties (similarly to how externalId is exposed) both for the DefaultStackSynthesizer, and for a custom synthesizer extending the StackSynthesizer class. The new properties will propagate down and will eventually be written to the cloud assembly.

+ manifest.json

{
  "version": "36.0.0",
  "artifacts": {
    "MyStack.assets": {
      "type": "cdk:asset-manifest",
      "properties": {
        "file": "SeshTagsManifestStack.assets.json",
        "requiresBootstrapStackVersion": 6,
        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
      }
    },
    "MyStack": {
      "type": "aws:cloudformation:stack",
      "environment": "aws://unknown-account/unknown-region",
      "properties": {
        "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
          "assumeRoleAdditionalOptions": {
            "Tags": < deployRoleSessionTags > 
          }
        "lookupRole": {
          "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}",
          "requiresBootstrapStackVersion": 8,
          "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
          "assumeRoleAdditionalOptions": {
            "Tags": < lookupRoleSessionTags > 
          }
        }
      },

+ assets.json

{
  "version": "36.0.0",
  "files": {
    "9ebfd704f02f99b2711998e6435822b0dbed6e80dcac7e75f339fe894861ac20": {
      "source": {
        "path": "mystack.template.json",
        "packaging": "file"
      },
      "destinations": {
        "current_account-current_region": {
          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
          "assumeRoleAdditionalOptions": {
             "Tags": < fileAssetPublishingRoleSessionTags >
           }
        }
      }
    }
  },
  "dockerImages": {
    "dockerHash": {
      "source": {
        "directory": "."
      },
      "destinations": {
        "current_account-current_region": {
          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-image-publishing-role-${AWS::AccountId}-${AWS::Region}"
          "assumeRoleAdditionalOptions": {
            "Tags": < imageAssetPublishingRoleSessionTags >
          }
        }
      }
    }
  }
}

Description of how you validated changes

  • CLI integration tests.
  • CLI and framework unit tests.

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@sumupitchayan
WIP: add placeholder integ test
4f7a820 
Signed-off-by: Sumu <sumughan@amazon.com>
@sumupitchayan
WIP: CLI bootstrap integ test is passing, even though it should be fa…
d02e7d2 
…iling with tags in custom bootstrap

Signed-off-by: Sumu <sumughan@amazon.com>
@github-actions github-actions bot added effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p1 labels Aug 12, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team August 12, 2024 18:49
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Aug 12, 2024
@sumupitchayan
cleanup comments in app.js
e50a57c 
Signed-off-by: Sumu <sumughan@amazon.com>
aws-cdk-automation
aws-cdk-automation previously requested changes Aug 12, 2024
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@sumupitchayan
Integ test now 'successfully' fails as intended; switched session tag…
9f2e54b 
…s to cfnexecutionrole instead of deployrole

Signed-off-by: Sumu <sumughan@amazon.com>
@sumupitchayan
add principaltag to deployrole policy
da3ee2b 
Signed-off-by: Sumu <sumughan@amazon.com>
@sumupitchayan
WIP: make framework changes
2720e81 
Signed-off-by: Sumu <sumughan@amazon.com>
@sumupitchayan
WIP: CLI changes in sdk-provider
47e947b 
Signed-off-by: Sumu <sumughan@amazon.com>
@aws-cdk-automation aws-cdk-automation added the pr/needs-cli-test-run This PR needs CLI tests run against it. label Aug 13, 2024
@sumupitchayan
Integ test successfully failing
35a2c86 
Signed-off-by: Sumu <sumughan@amazon.com>
@sumupitchayan
add tags to lambda stack
53a70ee 
Signed-off-by: Sumu <sumughan@amazon.com>
@iliapolo iliapolo marked this pull request as ready for review September 23, 2024 07:08
@iliapolo iliapolo self-requested a review September 23, 2024 07:08
iliapolo
iliapolo reviewed Sep 23, 2024
View reviewed changes
packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts
* Instantiate an SDK for context providers. This function ensures that all
* lookup assume role options are used when context providers perform lookups.
*/
export async function initContextProviderSdk(aws: SdkProvider, options: cxschema.ContextLookupRoleOptions): Promise<ISDK> {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rix0rrr Can you have a look at this (and how its being used)? I added it since your last review to fix the lookup issues.

iliapolo
iliapolo reviewed Sep 23, 2024
View reviewed changes
packages/@aws-cdk/cx-api/FEATURE_FLAGS.md Outdated
Copy link
Contributor

@iliapolo iliapolo Sep 23, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file is a copy of https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md and is actually configured to be ignored:

aws-cdk/packages/@aws-cdk/cx-api/.gitignore

Lines 3 to 9 in 1593500

*
!package.json
!.npmignore
!jest.config.js
!LICENSE
!NOTICE
!CONTRIBUTING.md

But since it was committed before the ignore rules were put in place, it still lingers on.

@aws-cdk-automation
Copy link
Collaborator

➡️ PR build request submitted to test-main-pipeline ⬅️

A maintainer must now check the pipeline and add the pr-linter/cli-integ-tested label once the pipeline succeeds.

@iliapolo iliapolo added the pr-linter/cli-integ-tested Assert that any CLI changes have been integ tested label Sep 23, 2024
@aws-cdk-automation aws-cdk-automation dismissed their stale review September 23, 2024 12:50

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation aws-cdk-automation added pr/needs-maintainer-review This PR needs a review from a Core Team Member and removed pr/needs-cli-test-run This PR needs CLI tests run against it. labels Sep 23, 2024
@mergify Mergify
Copy link
Contributor

mergify bot commented Sep 23, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Sep 23, 2024
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 0c753cf
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 5e95ba2 into main Sep 23, 2024
13 of 17 checks passed
@mergify Mergify
Copy link
Contributor

mergify bot commented Sep 23, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot deleted the sumughan/session-tags branch September 23, 2024 16:07
@github-actions GitHub Actions
Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@iliapolo iliapolo iliapolo left review comments

@cgarvis cgarvis cgarvis left review comments

@rix0rrr rix0rrr rix0rrr approved these changes

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

Assignees
No one assigned
Labels
bug This issue is a bug. contribution/core This is a PR that came from AWS. effort/medium Medium work item – several days of effort p1 pr-linter/cli-integ-tested Assert that any CLI changes have been integ tested pr-linter/exempt-integ-test The PR linter will not require integ test changes
Projects
None yet
Milestone
No milestone
5 participants
@sumupitchayan @rix0rrr @iliapolo @aws-cdk-automation @cgarvis