Open skorfmann opened 9 months ago
Hi,
This issue hasn't seen activity in 60 days. Therefore, we are marking this issue as stale for now. It will be closed after 7 days. Feel free to re-open this issue when there's an update or relevant information to be added. Thanks!
Hi,
This issue hasn't seen activity in 90 days. Therefore, we are marking this issue as stale for now. It will be closed after 7 days. Feel free to re-open this issue when there's an update or relevant information to be added. Thanks!
### Feature Spec

Wing SDK resources docs include information about the required permissions to manage them, which encourages least-privilege permission granting to the deploying roles.

### Use Cases

### Implementation Notes

#### AWS

1. Derive them from Wing SDK resources

The SDK resources could know what kind of permissions are required to create them. Seems to be sort of straightforward. For documentation purposes this could be generated then. Could even be printed via the CLI.

2. Analyse the synthesised tf / cloudformation config

Since people might use more resources than just the Wing SDK, it would be nice to provide a little guide on how to generate policies via 3rd-party tooling as well. e.g. there's iamlive, which allows generating policies from live terraform applies (or any SDK interaction).

e.g. here's the policy generated for one of the api examples, [api-basic-auth](https://github.com/winglang/examples/tree/main/examples/api-basic-auth):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:CreateDeployment",
        "apigateway:CreateRestApi",
        "apigateway:CreateStage",
        "apigateway:DeleteDeployment",
        "apigateway:DeleteRestApi",
        "apigateway:DeleteStage",
        "apigateway:GetDeployment",
        "apigateway:GetResources",
        "apigateway:GetRestApi",
        "apigateway:GetStage",
        "apigateway:PutRestApi",
        "apigateway:UpdateRestApi",
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfilesForRole",
        "iam:ListRolePolicies",
        "iam:PutRolePolicy",
        "lambda:AddPermission",
        "lambda:GetPolicy",
        "lambda:RemovePermission",
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "s3:GetAccelerateConfiguration",
        "s3:GetBucketAcl",
        "s3:GetBucketCORS",
        "s3:GetBucketLogging",
        "s3:GetBucketObjectLockConfiguration",
        "s3:GetBucketPolicy",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetBucketWebsite",
        "s3:GetEncryptionConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetObject",
        "s3:GetObjectTagging",
        "s3:GetObjectVersion",
        "s3:GetReplicationConfiguration",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": "*"
    }
  ]
}
```

Note: with the proxy mode of iamlive, this would apparently even be possible down to the resource level in terms of granularity.

3. Use static specs

The Cloudformation Resource Schema contains permissions required to manage the resource.

e.g. Cloudfront Distribution

```json
...
"handlers": {
  "create": {
    "permissions": [
      "cloudfront:CreateDistribution*",
      "cloudfront:TagResource"
    ]
  },
  "delete": {
    "permissions": [
      "cloudfront:DeleteDistribution*"
    ]
  },
  "list": {
    "permissions": [
      "cloudfront:ListDistributions*"
    ]
  },
  "read": {
    "permissions": [
      "cloudfront:GetDistribution*"
    ]
  },
  "update": {
    "permissions": [
      "cloudfront:GetDistribution*",
      "cloudfront:UpdateDistribution*",
      "cloudfront:ListTagsForResource*",
      "cloudfront:TagResource",
      "cloudfront:UntagResource"
    ]
  }
},
...
```

However, I don't think that maps necessarily 1:1 for all resources in Terraform. But it could still be useful for the aws-cdk target.

#### Other targets

While iamlive seems to be working on supporting GCP / Azure, I'm not familiar with how the permission concepts generally work there.

### Component

SDK, Documentation

### Community Notes
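The following is an added example illustrating options 2 and 3 from the issue above; it is not part of the issue, the Wing SDK or the winglang project. It reads the `handlers` / `permissions` layout of the CloudFormation registry schema (as excerpted for `AWS::CloudFront::Distribution`), merges the declared permissions for a set of resource types into one deploy-role policy with one statement per service, and then checks a list of actions observed at deploy time (the kind of list iamlive records) against that policy to surface actions the static spec does not declare. The CloudFront schema is the excerpt from the issue; the second schema, the type name `Hypothetical::Example::Bucket`, the observed action list and all function names are constructed for the example.

```python
"""Derive a deploy policy from CloudFormation resource schemas and compare it
with actions observed at deploy time.

Added example, not winglang project code. Assumes the "handlers" layout shown in
the issue (the registry schema returned by `aws cloudformation describe-type`).
The schemas below are embedded constants, not fetched from AWS.
"""
import json
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample schemas: the CloudFront excerpt from the issue, plus a
# hypothetical bucket type whose permissions are illustrative only.
SAMPLE_SCHEMAS = {
    "AWS::CloudFront::Distribution": {
        "handlers": {
            "create": {"permissions": ["cloudfront:CreateDistribution*",
                                       "cloudfront:TagResource"]},
            "delete": {"permissions": ["cloudfront:DeleteDistribution*"]},
            "list": {"permissions": ["cloudfront:ListDistributions*"]},
            "read": {"permissions": ["cloudfront:GetDistribution*"]},
            "update": {"permissions": ["cloudfront:GetDistribution*",
                                       "cloudfront:UpdateDistribution*",
                                       "cloudfront:ListTagsForResource*",
                                       "cloudfront:TagResource",
                                       "cloudfront:UntagResource"]},
        }
    },
    "Hypothetical::Example::Bucket": {  # constructed, not a real type
        "handlers": {
            "create": {"permissions": ["s3:CreateBucket", "s3:PutBucketTagging"]},
            "read": {"permissions": ["s3:GetBucketTagging", "s3:ListBucket"]},
            "delete": {"permissions": ["s3:DeleteBucket"]},
        }
    },
}

ALL_HANDLERS = ("create", "read", "update", "delete", "list")


def permissions_from_schema(schema, handlers=ALL_HANDLERS):
    """Collect the IAM actions a schema declares for the given lifecycle handlers.

    Passing only ("read", "list") yields the actions a plan/diff-only role needs.
    """
    found = set()
    for name in handlers:
        handler = schema.get("handlers", {}).get(name, {})
        found.update(handler.get("permissions", []))
    return found


def build_policy(schemas, handlers=ALL_HANDLERS, resource="*"):
    """Merge per-resource permissions into one policy, one statement per service.

    `resource` defaults to "*" because the registry schema carries no ARN
    information; scoping to ARNs is a separate step left to the caller.
    """
    by_service = defaultdict(set)
    for schema in schemas.values():
        for action in permissions_from_schema(schema, handlers):
            service = action.split(":", 1)[0]
            by_service[service].add(action)
    statements = [
        {"Sid": f"Manage{service.capitalize()}", "Effect": "Allow",
         "Action": sorted(actions), "Resource": resource}
        for service, actions in sorted(by_service.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def broad_actions(policy):
    """Return whole-service wildcards such as 's3:*' that defeat least privilege."""
    return sorted(a for s in policy["Statement"] for a in s["Action"]
                  if a.endswith(":*"))


def undeclared_actions(observed, policy):
    """Observed actions (e.g. recorded by iamlive) that no declared pattern covers.

    Schema permissions may end in '*', so matching is done as glob patterns.
    """
    patterns = [a for s in policy["Statement"] for a in s["Action"]]
    return sorted(a for a in observed
                  if not any(fnmatchcase(a, p) for p in patterns))


if __name__ == "__main__":
    deploy = build_policy(SAMPLE_SCHEMAS)
    print(json.dumps(deploy, indent=2))
    # Constructed list standing in for what an iamlive capture would record.
    observed = ["cloudfront:CreateDistribution", "cloudfront:GetDistributionConfig",
                "s3:PutBucketPolicy"]
    print("not declared by any schema:", undeclared_actions(observed, deploy))
```

The `undeclared_actions` check is the practical bridge between the two approaches: the schema-derived policy is the documented baseline, and anything a recorded apply needs beyond it is exactly the gap the issue notes between the registry schema and what Terraform actually calls.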