winglang / wing

A programming language for the cloud ☁️ A unified programming model, combining infrastructure and runtime code into one language ⚡
https://winglang.io

Document Permissions Required to Manage SDK Resources #4218

Open skorfmann opened 9 months ago

skorfmann commented 9 months ago

Feature Spec

Wing SDK resources docs include information about the required permissions to manage them, which encourages least privilege permission granting to the deploying roles.

Use Cases

Implementation Notes

AWS

1. Derive them from Wing SDK resources

The SDK resources could know what kind of permissions are required to create them. Seems to be sort of straightforward. For documentation purposes this could be generated then. Could even be printed via the CLI.

2. Analyse the synthesised tf / cloudformation config

Since people might use more resources than just the Wing SDK, it would be nice to provide a little guide on how to generate policies via 3rd party tooling as well. e.g. there's iamlive which allows generating policies from live terraform applies (or any SDK interaction).

e.g. here's the policy generated for one of the api examples [api-basic-auth](https://github.com/winglang/examples/tree/main/examples/api-basic-auth)

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:CreateDeployment",
        "apigateway:CreateRestApi",
        "apigateway:CreateStage",
        "apigateway:DeleteDeployment",
        "apigateway:DeleteRestApi",
        "apigateway:DeleteStage",
        "apigateway:GetDeployment",
        "apigateway:GetResources",
        "apigateway:GetRestApi",
        "apigateway:GetStage",
        "apigateway:PutRestApi",
        "apigateway:UpdateRestApi",
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfilesForRole",
        "iam:ListRolePolicies",
        "iam:PutRolePolicy",
        "lambda:AddPermission",
        "lambda:GetPolicy",
        "lambda:RemovePermission",
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "s3:GetAccelerateConfiguration",
        "s3:GetBucketAcl",
        "s3:GetBucketCORS",
        "s3:GetBucketLogging",
        "s3:GetBucketObjectLockConfiguration",
        "s3:GetBucketPolicy",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetBucketWebsite",
        "s3:GetEncryptionConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetObject",
        "s3:GetObjectTagging",
        "s3:GetObjectVersion",
        "s3:GetReplicationConfiguration",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": "*"
    }
  ]
}
```

Note: with the proxy mode of iamlive, this would apparently even be possible down to the resource level in terms of granularity.

3. Use static specs

The CloudFormation Resource Schema contains the permissions required to manage the resource.

e.g. CloudFront Distribution

```json
...
"handlers": {
  "create": {
    "permissions": ["cloudfront:CreateDistribution*", "cloudfront:TagResource"]
  },
  "delete": {
    "permissions": ["cloudfront:DeleteDistribution*"]
  },
  "list": {
    "permissions": ["cloudfront:ListDistributions*"]
  },
  "read": {
    "permissions": ["cloudfront:GetDistribution*"]
  },
  "update": {
    "permissions": [
      "cloudfront:GetDistribution*",
      "cloudfront:UpdateDistribution*",
      "cloudfront:ListTagsForResource*",
      "cloudfront:TagResource",
      "cloudfront:UntagResource"
    ]
  }
},
...
```

However, I don't think that maps necessarily 1:1 for all resources in Terraform. But could still be useful for the aws-cdk target.

Other targets

While iamlive seems to be working on supporting GCP / Azure, I'm not familiar with how the permission concepts generally work there.

Component

SDK, Documentation

Community Notes
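
The script below is an added example and is not code from the Wing project or from the issue author. It puts options 2 and 3 of the implementation notes side by side: it derives the deploy-role actions for the resource types in a synthesized CloudFormation template from the `handlers.*.permissions` blocks of the resource schemas, flags any resource type that has no schema (a `Custom::` resource, for instance), reconciles the result against the actions a live apply actually used (the kind of list iamlive produces), and flags statements that grant `"Resource": "*"`, which is the first thing to tighten in an iamlive-generated policy. The `SCHEMAS`, `TEMPLATE` and `OBSERVED` values are constructed for illustration: the CloudFront entry mirrors the fragment quoted above, while the S3 entry is an illustrative subset that is not guaranteed to match the real `AWS::S3::Bucket` schema. Real schemas can be fetched from the registry with `aws cloudformation describe-type --type RESOURCE --type-name <Type>`.

```python
"""Derive a deploy-role policy from CloudFormation resource schema `handlers`.

Added example, not code from the Wing project. SCHEMAS, TEMPLATE and OBSERVED
are constructed stand-ins; real schemas come from the CloudFormation registry.
"""
import fnmatch
import json

# Constructed schema fragments keyed by resource type. The CloudFront entry
# mirrors the fragment quoted in the issue; the S3 entry is an illustrative
# subset and is NOT guaranteed to match the real AWS::S3::Bucket schema.
SCHEMAS = {
    "AWS::CloudFront::Distribution": {"handlers": {
        "create": {"permissions": ["cloudfront:CreateDistribution*",
                                   "cloudfront:TagResource"]},
        "read": {"permissions": ["cloudfront:GetDistribution*"]},
        "update": {"permissions": ["cloudfront:GetDistribution*",
                                   "cloudfront:UpdateDistribution*",
                                   "cloudfront:ListTagsForResource*",
                                   "cloudfront:TagResource",
                                   "cloudfront:UntagResource"]},
        "delete": {"permissions": ["cloudfront:DeleteDistribution*"]},
        "list": {"permissions": ["cloudfront:ListDistributions*"]},
    }},
    "AWS::S3::Bucket": {"handlers": {
        "create": {"permissions": ["s3:CreateBucket", "s3:PutBucketTagging"]},
        "read": {"permissions": ["s3:GetBucketAcl", "s3:GetBucketTagging"]},
        "update": {"permissions": ["s3:PutBucketTagging"]},
        "delete": {"permissions": ["s3:DeleteBucket"]},
        "list": {"permissions": ["s3:ListAllMyBuckets"]},
    }},
}

# Constructed stand-in for a synthesized template. The Custom:: resource has
# no registry schema, so it must surface as a coverage gap, not be silently skipped.
TEMPLATE = {"Resources": {
    "SiteBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "Cdn": {"Type": "AWS::CloudFront::Distribution", "Properties": {}},
    "Invalidator": {"Type": "Custom::Invalidate", "Properties": {}},
}}

# Constructed list standing in for the actions iamlive captured during an apply.
OBSERVED = ["cloudfront:CreateDistribution", "cloudfront:GetDistribution",
            "cloudfront:TagResource", "s3:CreateBucket", "s3:PutBucketPolicy",
            "s3:GetBucketAcl"]

LIFECYCLE = ("create", "read", "update", "delete")  # "list" is deliberately excluded


def required_actions(template, schemas, phases=LIFECYCLE):
    """Union of handler permissions for every resource type in the template.

    Returns (actions, uncovered): sorted IAM action patterns, plus the resource
    types that have no schema entry and need a hand-written statement.
    """
    actions, uncovered = set(), set()
    for resource in template.get("Resources", {}).values():
        rtype = resource.get("Type", "")
        schema = schemas.get(rtype)
        if schema is None:
            uncovered.add(rtype)
            continue
        handlers = schema.get("handlers", {})
        for phase in phases:
            actions.update(handlers.get(phase, {}).get("permissions", []))
    return sorted(actions), sorted(uncovered)


def build_policy(actions, resource="*"):
    """Wrap the action list in a single-statement IAM policy document."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions),
                           "Resource": resource}]}


def wildcard_resource_statements(policy):
    """Indexes of Allow statements whose Resource is '*' (grants on everything)."""
    flagged = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        res = stmt.get("Resource", [])
        res = [res] if isinstance(res, str) else list(res)
        if stmt.get("Effect") == "Allow" and "*" in res:
            flagged.append(i)
    return flagged


def compare_with_observed(derived, observed):
    """Reconcile schema-derived patterns with actions seen in a live apply.

    Schema permissions may be globs (cloudfront:CreateDistribution*), so an
    observed action is covered if any pattern matches it. Returns
    (unpredicted, unexercised): observed actions no schema predicted, and
    derived patterns the apply never used (candidates for trimming).
    """
    def covered(action):
        return any(fnmatch.fnmatchcase(action, p) for p in derived)

    def used(pattern):
        return any(fnmatch.fnmatchcase(a, pattern) for a in observed)

    return (sorted(a for a in observed if not covered(a)),
            sorted(p for p in derived if not used(p)))


if __name__ == "__main__":
    acts, gaps = required_actions(TEMPLATE, SCHEMAS)
    policy = build_policy(acts)
    print(json.dumps(policy, indent=2))
    print("no schema for:", gaps)
    print("statements with Resource '*':", wildcard_resource_statements(policy))
    print("unpredicted / unexercised:", compare_with_observed(acts, OBSERVED))
```

Passing `phases=("create", "read")` yields the narrower policy for a role that only ever creates a fresh stack, while the full lifecycle is what a role that also runs `destroy` needs. The reconciliation output is where the two approaches complement each other: an action that shows up as unpredicted (here the constructed `s3:PutBucketPolicy`) means the schema subset or the Terraform provider's behaviour diverges from the registry handlers, which is the 1:1 mismatch the notes above warn about for the Terraform target.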

github-actions[bot] commented 7 months ago

Hi,

This issue hasn't seen activity in 60 days. Therefore, we are marking this issue as stale for now. It will be closed after 7 days. Feel free to re-open this issue when there's an update or relevant information to be added. Thanks!

github-actions[bot] commented 4 months ago

Hi,

This issue hasn't seen activity in 60 days. Therefore, we are marking this issue as stale for now. It will be closed after 7 days. Feel free to re-open this issue when there's an update or relevant information to be added. Thanks!

github-actions[bot] commented 1 month ago

Hi,

This issue hasn't seen activity in 90 days. Therefore, we are marking this issue as stale for now. It will be closed after 7 days. Feel free to re-open this issue when there's an update or relevant information to be added. Thanks!