Closed bestickley closed 1 week ago
Would AWS Organisation and SSO not work here? What we do is have --profile xx behind all sst commands (and AWS CLI commands), and each profile is given a role controlled from our AWS Organisation.
@nnyegaard, thanks for your idea! The role controlled by your AWS Organization, did you have to manually create it? This issue is to make creating that role easier. Also, are you doing that in CI? Do you have long-term credentials within your CI pipeline? I think security best practice is to assume roles and get short-term credentials via STS, which makes it a little more difficult to use the --profile strategy.
No, I set up the Organisation and roles with a normal CDK project, but you could do that in SST. I used this project: https://github.com/pepperize/cdk-organizations-example. You can control how long a token lives for a given role on an account, etc. So you should be able to implement anything you want.
@nnyegaard, is SST correctly assuming the normal CDK roles created during cdk bootstrap? If so, it should fail because it won't have permissions to access SST-specific resources, right? I think this issue isn't experienced by most because the profile they give to SST has AdministratorAccess.
We are transitioning this repo to https://github.com/sst/v2 and are closing this issue for now. If it is still relevant, please reopen it there. Sorry for the trouble.
I'm building an SST app where we're using GitHub Actions for our pipeline. We have a devtools account and a target account. We want all deployments to go through (via assume-role) the devtools account for security reasons. There will be multiple future target accounts. In order to get this working with SST I had to use some workarounds as documented below. The goal of this feature request is to make this easier on SST. What I think should change:

- `sst bootstrap` should assume the CDK's lookup role by default
- `sst bootstrap` should support all CLI arguments of `cdk bootstrap`, such as qualifier (already tracked here)
- `sst bootstrap` should automatically create a role that `sst deploy` assumes so that it can read required parameters, so that I don't have to modify the CDK's deploy-role as shown below
- `sst bootstrap` could create all roles required for `sst deploy` and not depend on CDK? Not sure if that would be worth it.
- `sst deploy` should accept custom attributes from `sst bootstrap`, like qualifier, so that deployment doesn't fail if the default identifier (hnb659fds) isn't used for bootstrapping.

Current workaround:

```sh
sst cdk --app=.build/run.mjs bootstrap aws://<target-account-id>/us-east-1 --trust <assume-role-from-id> --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess
sst bootstrap
sst build
sst deploy
```
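The assume-role flow the thread describes (short-lived STS credentials in CI, a `--profile` in front of every sst command, and the bootstrap-with-trust workaround above), as an added example that is not part of this issue or of the SST project. It assumes hypothetical account IDs 111111111111 (devtools) and 222222222222 (target), the default CDK qualifier hnb659fds in us-east-1, and that the CI job has already obtained short-lived devtools credentials in its environment (for example through GitHub's OIDC integration) instead of storing long-term access keys. The role name `cdk-<qualifier>-deploy-role-<account>-<region>` follows the CDK bootstrap naming convention; `credential_source = Environment` and `duration_seconds` are standard AWS CLI config keys.

```shell
#!/usr/bin/env sh
# Added example, not code from SST or from the issue author.
# Hypothetical values: devtools account 111111111111, target account
# 222222222222, default CDK qualifier hnb659fds, region us-east-1.
set -eu

DEVTOOLS_ACCOUNT="111111111111"
TARGET_ACCOUNT="222222222222"
REGION="us-east-1"
QUALIFIER="hnb659fds"   # must match the --qualifier used at bootstrap time

# ARN of the CDK-bootstrap deploy role for an account, qualifier and region
# (CDK naming convention: cdk-<qualifier>-deploy-role-<account>-<region>).
cdk_deploy_role_arn() {
  printf 'arn:aws:iam::%s:role/cdk-%s-deploy-role-%s-%s\n' "$1" "$2" "$1" "$3"
}

# Write an AWS CLI config whose "target" profile chains from the job's existing
# short-lived devtools credentials (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY /
# AWS_SESSION_TOKEN in the environment) into the target account's deploy role.
# No static key is written anywhere; every command later runs under this profile.
write_profile_chain() {
  cfg="$1"
  role_arn="$(cdk_deploy_role_arn "$TARGET_ACCOUNT" "$QUALIFIER" "$REGION")"
  cat > "$cfg" <<EOF
[profile target]
region = $REGION
role_arn = $role_arn
credential_source = Environment
role_session_name = sst-deploy
# devtools role -> target role is role chaining, which STS caps at one hour;
# keep a deploy inside that window or re-assume between pipeline steps.
duration_seconds = 3600
EOF
}

# The workaround from the issue, run with AWS_PROFILE=target so sst, cdk and
# the AWS CLI all pick up the chained role. The bootstrap step is one-time per
# target account: --trust lets the devtools account assume the CDK roles it
# creates there.
deploy_via_devtools() {
  export AWS_CONFIG_FILE="$1"
  export AWS_PROFILE="target"
  sst cdk --app=.build/run.mjs bootstrap "aws://$TARGET_ACCOUNT/$REGION" \
    --trust "$DEVTOOLS_ACCOUNT" \
    --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess
  sst bootstrap
  sst build
  sst deploy
}

CFG="$(mktemp)"
write_profile_chain "$CFG"
# Set RUN_DEPLOY=1 in the CI job to actually run the sst commands.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  deploy_via_devtools "$CFG"
fi
```

Because the source credentials come from the environment rather than from a stored key, rotating or revoking access is a matter of changing which role the CI identity may assume in the devtools account; the one-hour chained-session limit is the caveat to plan around for long deploys.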