# sst
j
In short, we want to isolate deployments in a CI user. But for security, we’d prefer not to have this user be able to assign higher privilege to itself (which would happen if it had full IAM createRole access). One solution is to add a permissions boundary policy to this CI user, so that it wouldn’t be able to create users without a permissions boundary as well. In the documentation above, the default `Allow` is for all actions on all resources, but it could as well be restricted to whatever CI needs to do in this case.
f
Take a look at CDK Aspects. You can try iterating through all resources and attaching the ScopePermissions to each IAM role?
Maybe also ask in the CDK community and see if there’s a better way. Here’s an invite link to the CDK’s slack - https://join.slack.com/t/cdk-dev/shared_invite/zt-mso6p56d-qJp7SOTBvMaQuDrx7R2wHg
I’d love to know what you settle on!
j
hmmm I think the issue with that is that our CI user wouldn’t even be able to create IAM roles without the scoping policy attached to them.
I’ll ask the same on the CDK community slack — let’s see where that lands!
f
Oh you meant the IAM roles created inside the `CDKToolkit` stack?
It seems we’re creating IAM roles when our stack is being deployed.
j
yes! @Frank
f
Hey @José Ribeiro, if you take a look at the bootstrapping doc here - https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html
And search for `--cloudformation-execution-policies`
I haven’t played around with that flag. But it might be able to achieve what you have in mind?
An AWS account/region only needs to be bootstrapped once. So you can bootstrap it manually by running `sst cdk bootstrap` or `cdk bootstrap` if you have CDK installed.
If the account has been bootstrapped, SST won’t try to bootstrap it again.
If this does what you are looking for, we can have SST support this flag.
j
So what I will probably do right now is add a policy for permissions boundaries manually, then use the `--cloudformation-execution-policies` flag and also define a permissions boundary using the same policy via this: https://docs.aws.amazon.com/cdk/api/latest/docs/aws-iam-readme.html#permissions-boundaries, which seems to be a bit more straightforward than aspects. Let’s see how that goes.