Update bootstrap template & CLI #22744
Comments
Naumel added a commit that referenced this issue on Nov 4, 2022
mergify bot pushed a commit that referenced this issue on Nov 23, 2022
#22744 Users can now specify in the CDK CLI a [(permissions boundary) policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) to be applied on the Execution Role and all subsequent IAM users and roles of their app.

If you want to try out the feature, a good starting point is having the `--example-permissions-boundary` (or `--epb`) parameter for the `cdk bootstrap`:

```
cdk bootstrap --epb
```

This achieves a couple of things: a new policy will be created (if not already present) in the account being bootstrapped (`cdk-${qualifier}-permissions-boundary`) and it will be referenced in the bootstrap template. In order for the bootstrap to be successful, the credentials used must include `iam:getPolicy` and `iam:createPolicy` permissions.

This works together with #22913, as the permissions boundary needs propagation.

You can inspect the policy via the console, retrieve it via the AWS CLI or SDK, and you can copy the structure to use on your own from `packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml`: `Resources.CdkBoostrapPermissionsBoundaryPolicy`

At this point you can edit the policy, add restrictions and see what scope would match your requirements.

For non-dev work, the suggestion is to use `--custom-permissions-boundary` (or `--cpb`):

```
cdk bootstrap --cpb "custom-policy-name"
```

The policy must be created and accessible for the credentials used to perform the bootstrap.

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Add two new flags to the `bootstrap` command.

### CLI Flags

`--example-permissions-boundary`

If the user sets this to true then the bootstrap template will create a permission boundary policy with the base policy. It will also apply the permission boundary to the bootstrap cfn-exec IAM role. We will provide instructions on how to add additional policy statements to this managed policy. At a high level this can either be done by:

1. editing the template prior to bootstrapping, or
2. we can provide a link to the console where the user can edit the policy.

`--custom-permissions-boundary <NAME>`

If the user already has a permission boundary policy and they do not want the bootstrap template to create one, they can provide the name of the policy and the permission boundary will be applied to the bootstrap cfn-exec IAM role.

### Bootstrap Template