What IAM permissions are needed to use CDK Deploy?

My team has a pipeline which runs under an execution IAM role. We want to deploy code to AWS through CloudFormation or the CDK.

In the past, we would upload some artifacts to S3 buckets before creating/updating our CloudFormation stack, using the execution IAM role.

We recently switched to the CDK, and are trying to automate as much as possible using CDK Deploy, but are running into a lot of permission items we need to add which we didn't have prior (for instance, cloudformation:GetTemplate).

We don't want to just grant * (we want to follow least privilege), but I can't find any clearly documented list.

Is there a standard list of permissions that CDK Deploy relies on? Are there any "nice-to-haves" beyond a standard list?

asked Jul 19 '19 18:07 by Alan Kay

1 Answer

The CDK v2 now brings and assumes its own roles. No more manual permission management required. You only need to grant permission to assume the cdk roles:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/cdk-*"
            ]
        }
    ]
}

These roles are created via cdk bootstrap, which then of course requires the permission to create the roles and policies. After the bootstrapping though, this no longer is required. So you could run this manually with a privileged role.

Apparently CDK proceeds if any of the cdk roles cannot be assumed. So it's still possible to manually manage a CDK policy as below, but it might now require additional permissions.

Be aware that the CFN role has the Administrator policy attached.


Previous answer for CDK v1:

I'm using the policy below to deploy CDK apps. Besides CFN full access and S3 full access to the CDK staging bucket, it grants permission to do everything through CloudFormation.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudformation:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:CalledVia": [
                        "cloudformation.amazonaws.com"
                    ]
                }
            },
            "Action": "*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::cdktoolkit-stagingbucket-*",
            "Effect": "Allow"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter"
            ],
            "Resource": "arn:aws:ssm::*:parameter/cdk-bootstrap/*"
        }
    ]
}

You might want to add some explicit denies for things you don't want to allow.

Also, be aware that the above condition does not mean the principal is limited to things possible with CloudFormation. A potential attack vector would be to create a custom CFN resource, backed by a Lambda function. When creating resources through that custom resource you could then do anything in the Lambda, because it is triggered via CloudFormation.

When you use lookups (those are the .fromXxx(...) methods), the CDK will make read/list requests to the related service at runtime - while the CDK synth is running, not the CloudFormation deploy. Which permissions you need, of course, depends on the lookups you have in your code. For example, if you would have a Vpc.fromLookup() you should allow the action ec2:DescribeVpcs. Of course you could attach the ReadOnlyAccess policy, if you have no concerns about accessing sensitive content.

answered Oct 02 '22 20:10 by udondan
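As an added illustration (not part of the answer above, and not AWS code), a small Python evaluator that runs sample requests through the two policies from the answer. It shows what the aws:CalledVia condition does and does not restrict, and why an explicit Deny still applies to calls made through CloudFormation. It models only Allow/Deny, "*" wildcards and the one condition key; the role ARN, bucket name and the Deny statement are constructed for the example.

```python
import fnmatch

# The v2 policy from the answer: only assume the cdk-* bootstrap roles.
CDK_V2_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sts:AssumeRole"],
     "Resource": ["arn:aws:iam::*:role/cdk-*"]}]}

# The v1 policy from the answer (SSM statement omitted), plus one assumed
# explicit Deny of the kind the answer suggests adding.
CDK_V1_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cloudformation:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*",
     "Condition": {"ForAnyValue:StringEquals": {
         "aws:CalledVia": ["cloudformation.amazonaws.com"]}}},
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": "arn:aws:s3:::cdktoolkit-stagingbucket-*"},
    # Constructed Deny: block IAM user creation even via CloudFormation.
    {"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # "*" and "?" wildcards, as in IAM policy matching.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(statement, called_via):
    # Only ForAnyValue:StringEquals on aws:CalledVia is modelled here.
    cond = statement.get("Condition", {})
    wanted = cond.get("ForAnyValue:StringEquals", {}).get("aws:CalledVia")
    if wanted is None:
        return True  # no modelled condition: the statement applies
    return any(service in called_via for service in _as_list(wanted))


def is_allowed(policy, action, resource, called_via=()):
    """Explicit Deny wins; otherwise any matching Allow; otherwise implicit deny."""
    decision = False
    for st in policy["Statement"]:
        actions = [a.lower() for a in _as_list(st["Action"])]  # actions are case-insensitive
        if not _matches(actions, action.lower()):
            continue
        if not _matches(st["Resource"], resource):
            continue
        if not _condition_holds(st, called_via):
            continue
        if st["Effect"] == "Deny":
            return False
        decision = True
    return decision
```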