Open sriharshakns opened 2 years ago
peterwoodworth
commented
2 years ago This would be great for the getting started page and/or the bootstrapping page in our devguide @Jerry-AWS
I'm not sure how necessary all the permissions you've listed here are @sriharshakns, but thanks for the work you've put in for this so far! I don't think you'll need DeleteStack to bootstrap for instance
ghost
commented
2 years ago I'd like to add this information to the Developer Guide but I'll seek a more canonical answer from our core developers. I also need to make sure there's a process to ensure it doesn't go stale.
mrgum
commented
2 years ago Could we have a Aws managed Cdk bootstrap Core policy and maybe a Trusted and TrustedForLookups role too? This would stop the common bad practice of using administrator
adriantomas
commented
1 year ago Recent versions of CDK now need cloudformation:DeleteChangeSet to bootstrap. Please can we prioritise this topic?
rix0rrr
commented
1 year ago Is everybody aware that this block:
{
"Action": [
"iam:CreateRole",
"iam:AttachRolePolicy",
"iam:PutRolePolicy"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::*:policy/*",
"arn:aws:iam::*:role/cdk-*"
]
},Effectively is a privilege escalation vector?
angelospanag
commented
1 year ago At the time of writing this comment and with the most recent version of aws-cdk (2.85), I had to also add ecr:PutLifecyclePolicy and s3:PutLifecycleConfiguration to the policy described above from @sriharshakns.
So now the full policy becomes:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudformation:CreateChangeSet",
"cloudformation:DeleteStack",
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStacks",
"cloudformation:ExecuteChangeSet",
"cloudformation:GetTemplate"
],
"Resource": "arn:aws:cloudformation:*:*:stack/CDKToolkit/*",
"Effect": "Allow",
"Sid": "CloudFormationPermissions"
},
{
"Action": [
"iam:CreateRole",
"iam:DeleteRole",
"iam:GetRole",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy",
"iam:PutRolePolicy"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::*:policy/*",
"arn:aws:iam::*:role/cdk-*"
]
},
{
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:PutBucketPolicy",
"s3:DeleteBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:PutBucketVersioning",
"s3:PutEncryptionConfiguration",
"s3:PutLifecycleConfiguration"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::cdk-*"
]
},
{
"Action": [
"ssm:DeleteParameter",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:PutParameter"
],
"Effect": "Allow",
"Resource": [
"arn:aws:ssm:*:*:parameter/cdk-bootstrap/*"
]
},
{
"Action": [
"ecr:CreateRepository",
"ecr:DeleteRepository",
"ecr:DescribeRepositories",
"ecr:SetRepositoryPolicy",
"ecr:PutLifecyclePolicy"
],
"Effect": "Allow",
"Resource": [
"arn:aws:ecr:*:*:repository/cdk-*"
]
}
]
}
speedholicktp
commented
6 months ago I got stuck this issue today. This topic is life saver for me :-) I don't know since when, but I had to add ""iam:TagRole" too.
Update. After playing more with aws-cdk, I realized to need to add more:
arn:aws:iam::*:role/cdk-*
github-actions[bot]
commented
1 month ago This issue has received a significant amount of attention so we are automatically upgrading its priority. A member of the community will see the re-prioritization and provide an update on the issue.
Describe the feature
Provide either a List of necessary permissions in the docs or an AWS Managed Role to perform cdk bootstrap using the command "cdk bootstrap".
It is very difficult to comply with the principle of minimum least privilege when bootstrapping with CDK as all the operations and permissions needed are not clearly listed. The --show-template flag only shows the changes that are going to happen, but not the list of actions needed to produce those changes.
Use Case
To provide the User with the minimum required permissions to only run the "cdk bootstrap" command successfully.
Proposed Solution
I think it would be useful to have a clear list of minimum permissions needed to run the bootstrap or to have an AWS managed role with these permissions.
Other Information
I found that the User with the following policy attached is able to bootstrap the environment successfully. User credentials were given using "aws configure".
Acknowledgements
CDK version used
2.39.1
Environment details (OS name and version, etc.)
Amazon Linux 2 (Cloud9 Environment)