
CDK Bootstrap: PermissionBoundary not applied to all roles #28453

Open
1 of 2 tasks
dverdonschot opened this issue Dec 21, 2023 · 7 comments
Labels
@aws-cdk/core Related to core CDK functionality effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 package/tools Related to AWS CDK Tools or CLI

Comments

@dverdonschot

dverdonschot commented Dec 21, 2023

Describe the feature

PermissionBoundary is only applied to the CloudFormation Execution Role when bootstrapping with the option --custom-permissions-boundary:

```sh
cdk bootstrap --custom-permissions-boundary PermissionBoundary
```

The following roles currently do not get the PermissionBoundary when the Bootstrap is done with the command above:

DeploymentActionRole
FilePublishingRole
ImagePublishingRole
LookupRole

Use Case

The organisation I work for has a PermissionBoundary that enforces that all roles are also created with the PermissionBoundary.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RestrictRoleCreation",
            "Effect": "Deny",
            "Action": [
                "iam:CreateRole",
                "iam:UpdateRole",
                "iam:PutRolePermissionsBoundary"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "iam:PermissionsBoundary": [
                        "arn:aws:iam::*:policy/PermissionBoundary"
                    ]
                }
            }
        }
    ]
}
```

Currently we have to bootstrap CDK using a custom bootstrap-template.yaml that applies the PermissionBoundary on all other roles.
But sometimes this causes issues if someone later on runs cdk bootstrap without the template, and resources are updated without PermissionBoundary again...

Proposed Solution

Add the code below to all roles created by bootstrap-template.yaml:

```yaml
      PermissionsBoundary:
        Fn::If:
          - PermissionsBoundarySet
          - Fn::Sub: 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${InputPermissionsBoundary}'
          - Ref: AWS::NoValue
```

I can make a PR for this if needed.

Other Information

Currently bootstrap-template.yaml only applies the code below for attaching the PermissionBoundary on CloudFormationExecutionRole:

```yaml
      PermissionsBoundary:
        Fn::If:
          - PermissionsBoundarySet
          - Fn::Sub: 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${InputPermissionsBoundary}'
          - Ref: AWS::NoValue
```

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

v2.114.0

Environment details (OS name and version, etc.)

Ubuntu
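As an added illustration (not code from this issue or from the CDK project): a small check that lints a bootstrap template for IAM roles lacking the conditional PermissionsBoundary the issue describes, plus a helper that adds the proposed snippet to every role that lacks it. It assumes the template is available in JSON form (for example after converting the YAML that `cdk bootstrap --show-template` prints); the embedded template is a constructed, abbreviated stand-in, not the real bootstrap-template.yaml.

```python
import copy
import json

# The conditional PermissionsBoundary expression from the issue, in JSON form.
BOUNDARY_EXPR = {
    "Fn::If": [
        "PermissionsBoundarySet",
        {"Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${InputPermissionsBoundary}"},
        {"Ref": "AWS::NoValue"},
    ]
}

# Constructed, abbreviated stand-in for a bootstrap template (hypothetical sample):
# only the execution role carries the boundary, as the issue reports.
SAMPLE_TEMPLATE = {
    "Resources": {
        "CloudFormationExecutionRole": {"Type": "AWS::IAM::Role",
                                        "Properties": {"PermissionsBoundary": BOUNDARY_EXPR}},
        "LookupRole": {"Type": "AWS::IAM::Role", "Properties": {}},
        "FilePublishingRole": {"Type": "AWS::IAM::Role", "Properties": {}},
        "StagingBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
}


def iam_roles(template):
    """Yield (logical_id, resource) for every AWS::IAM::Role in the template."""
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::IAM::Role":
            yield logical_id, res


def roles_without_boundary(template):
    """Logical IDs of roles that would be created with no PermissionsBoundary.

    Such a role is rejected by the Deny statement quoted in the issue, so the
    bootstrap stack fails to deploy in an account with that boundary policy.
    """
    return sorted(lid for lid, res in iam_roles(template)
                  if "PermissionsBoundary" not in res.get("Properties", {}))


def apply_boundary_to_all_roles(template):
    """Return a copy with the issue's conditional snippet on every role lacking it.

    Fn::If on PermissionsBoundarySet keeps the template usable when the
    --custom-permissions-boundary option is not passed (AWS::NoValue drops the key).
    """
    fixed = copy.deepcopy(template)
    for _, res in iam_roles(fixed):
        res.setdefault("Properties", {}).setdefault("PermissionsBoundary", copy.deepcopy(BOUNDARY_EXPR))
    return fixed


if __name__ == "__main__":
    print("roles missing boundary:", roles_without_boundary(SAMPLE_TEMPLATE))
    print(json.dumps(apply_boundary_to_all_roles(SAMPLE_TEMPLATE), indent=2))
```

Running the check against the real template before every bootstrap catches the case the issue describes, where someone re-bootstraps without the custom template and the extra roles lose their boundary.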

@dverdonschot dverdonschot added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Dec 21, 2023
@github-actions github-actions bot added the package/tools Related to AWS CDK Tools or CLI label Dec 21, 2023
@tim-finnigan tim-finnigan self-assigned this Dec 22, 2023
@tim-finnigan

Thanks for reaching out. It looks like this is a duplicate of #12207. Can you confirm or highlight any differences between these issues?

@tim-finnigan tim-finnigan added p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Dec 22, 2023
@github-actions bot

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Dec 24, 2023
@dverdonschot (Author)

Sorry for responding this late, should have opened this issue after the holidays.

In the mentioned issue #12207 it shows that you can set the permissionBoundary with --custom-permissions-boundary only for the execution role.
You can also use the cdk.json option to apply the permissionBoundary to all stacks in all resources.

But the problem is that cdk bootstrap is not performed from the stack with cdk.json, but from the cdk bootstrap command.
CDK Bootstrap will still create the other roles, like the lookup role, without the permissionBoundary.

In the company that I work for, there is a PermissionBoundary that has a policy to only allow IAM Role creation if that role also uses the PermissionBoundary.

We can solve it currently by using a custom bootstrap-template.yml with the permissionBoundary added to the other roles.

```yaml
      PermissionsBoundary:
        Fn::If:
          - PermissionsBoundarySet
          - Fn::Sub: 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${InputPermissionsBoundary}'
          - Ref: AWS::NoValue
```

But then we always need to use that template to bootstrap CDK.

Sometimes the existing CDK bootstrap gets broken or overwritten by a user, and then the user gets stuck creating a new bootstrap when they don't have the template, because the permissionBoundary is not applied to the other roles.

If we can just get the PermissionsBoundary code snippet applied to all roles by default, then we can bootstrap with 1 command and have the permissionBoundary attached to every role.

@mrh-chain

@tim-finnigan would it be possible to get this re-opened? I just ran into this exact issue ;)

@tim-finnigan tim-finnigan reopened this Feb 7, 2024
@tim-finnigan tim-finnigan removed their assignment Feb 7, 2024
@tim-finnigan tim-finnigan removed response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. labels Feb 7, 2024
@kswanny

kswanny commented Feb 15, 2024

+1 same issue

@pahud pahud added the @aws-cdk/core Related to core CDK functionality label Jun 3, 2024
@bill-bryan-bp

+1 same issue, had to create a custom template to include as mentioned by @dverdonschot. Any chance of this being resolved? I have had to describe this fix to multiple customers at this point and it really should be a simple fix.

@shivkonaje

+1 Same issue
