Open dverdonschot opened 9 months ago
Thanks for reaching out. It looks like this is a duplicate of https://github.com/aws/aws-cdk/issues/12207. Can you confirm or highlight any differences between these issues?
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
Sorry for responding this late, should have opened this issue after the holidays.
The mentioned issue #12207 shows that you can set the permissionBoundary with --custom-permissions-boundary only for the execution role. You can also use the cdk.json option to apply the permissionBoundary to all stacks in all resources.
But the problem is that cdk bootstrap is not performed from the stack with cdk.json, but from the cdk bootstrap command. CDK Bootstrap will still create the other roles, like the lookup role, without the permissionBoundary.
In the company that I work for, there is a PermissionBoundary that has a policy to only allow IAM Role creation if that role also uses the PermissionBoundary.
We can solve it currently by using a custom bootstrap-template.yml with the permissionBoundary added to the other roles.
```yaml
# Goes under the Properties of each AWS::IAM::Role in the bootstrap template
PermissionsBoundary:
  Fn::If:
    - PermissionsBoundarySet
    - Fn::Sub: 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${InputPermissionsBoundary}'
    - Ref: AWS::NoValue
```
But then we always need to use that template to bootstrap CDK.
Sometimes the existing CDK bootstrap gets broken or overwritten by a user, and then the user gets stuck creating a new bootstrap when they don't have the template, because the permissionBoundary is not applied to the other roles.
If we can just get the PermissionsBoundary code snippet applied to all roles by default, then we can bootstrap with 1 command and have the permissionBoundary attached to every role.
@tim-finnigan would it be possible to get this re-opened? I just ran into this exact issue ;)
+1 same issue
Describe the feature
PermissionBoundary is only applied to the CloudFormation Execution Role when bootstrapping with option --custom-permissions-boundary
The following roles currently do not get the PermissionBoundary when the Bootstrap is done with the command above:
DeploymentActionRole, FilePublishingRole, ImagePublishingRole, LookupRole
Use Case
The organisation I work for has a PermissionBoundary that enforces all roles to also be created with the PermissionBoundary.
Currently we have to bootstrap CDK using a custom bootstrap-template.yaml that applies the PermissionBoundary on all other roles. But sometimes this causes issues if someone later on runs cdk bootstrap without the template, and resources are updated without PermissionBoundary again...
Proposed Solution
Add the code below to all roles created by bootstrap-template.yaml
I can make a PR for this if needed.
Other Information
Currently bootstrap-template.yaml only applies the code below for attaching the PermissionsBoundary on CloudFormationExecutionRole:
Acknowledgements
CDK version used
v2.114.0
Environment details (OS name and version, etc.)
Ubuntu
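The workaround described in the comment above and in the Proposed Solution (carrying the same Fn::If fragment onto every bootstrap role) can be automated instead of maintaining a hand-edited template. The script below is an added example, not code from the CDK project or from the issue author: it takes the template as produced by `cdk bootstrap --show-template`, reports which AWS::IAM::Role resources lack a PermissionsBoundary, and returns a patched copy. The condition name `PermissionsBoundarySet` and parameter `InputPermissionsBoundary` are taken from the fragment quoted in the thread; the miniature template at the bottom is constructed for illustration.

```python
"""Apply the bootstrap template's PermissionsBoundary condition to every IAM role.

Assumed workflow (the CDK CLI only accepts the resulting file via --template):
    cdk bootstrap --show-template > bootstrap-template.yaml
    python patch_boundary.py < bootstrap-template.yaml > patched-template.yaml
    cdk bootstrap --template patched-template.yaml --custom-permissions-boundary <policy-name>
"""
import copy
import sys

# The same fragment the default template already places on CloudFormationExecutionRole.
BOUNDARY_PROPERTY = {
    "Fn::If": [
        "PermissionsBoundarySet",
        {"Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${InputPermissionsBoundary}"},
        {"Ref": "AWS::NoValue"},
    ]
}

def roles_without_boundary(template):
    """Logical IDs of AWS::IAM::Role resources that carry no PermissionsBoundary property."""
    resources = template.get("Resources", {})
    return sorted(
        name for name, res in resources.items()
        if res.get("Type") == "AWS::IAM::Role"
        and "PermissionsBoundary" not in res.get("Properties", {})
    )

def apply_boundary_to_all_roles(template):
    """Return (patched copy, list of role IDs that were missing the boundary)."""
    patched = copy.deepcopy(template)
    changed = roles_without_boundary(patched)
    for name in changed:
        props = patched["Resources"][name].setdefault("Properties", {})
        props["PermissionsBoundary"] = copy.deepcopy(BOUNDARY_PROPERTY)
    return patched, changed

# Constructed miniature of the bootstrap template in the state the issue describes:
# only the execution role is covered, the other roles and a bucket are not.
SAMPLE_TEMPLATE = {
    "Resources": {
        "CloudFormationExecutionRole": {"Type": "AWS::IAM::Role",
                                        "Properties": {"PermissionsBoundary": BOUNDARY_PROPERTY}},
        "LookupRole": {"Type": "AWS::IAM::Role", "Properties": {}},
        "FilePublishingRole": {"Type": "AWS::IAM::Role", "Properties": {}},
        "StagingBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
}

if __name__ == "__main__":
    import yaml  # PyYAML; the bootstrap template uses long-form Fn::* keys, so safe_load is enough
    patched, changed = apply_boundary_to_all_roles(yaml.safe_load(sys.stdin))
    print("patched roles: " + ", ".join(changed), file=sys.stderr)
    yaml.safe_dump(patched, sys.stdout, sort_keys=False)
```

Running `roles_without_boundary` against a template that was bootstrapped without the patch is also a cheap drift check for the situation where someone re-ran cdk bootstrap with the stock template.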