Feature Request: Support IAM Permissions Boundaries #117
Comments
Thanks for requesting this, @Clete2! It should be fairly easy, I'd add a new I can't think of a use case where you'd need different boundaries for each function. I'll be working on a PR later today.

Sweet @alexcasalboni; I appreciate it! I agree, no need to have different for each IAM role.

Implemented and merged :) Do you need this on SAR asap? Or you are deploying via SAM CLI?

Awesome! I am using it on SAR but I wouldn't say it's needed ASAP. Up to you when you'd like to update it. You also could publish a test version and I'll try it out if you like.

No worries, I've just published version 3.4.1 on SAR. Let me know if you encounter any issue :)

@alexcasalboni am I looking at the wrong place? Latest I see is

Sorry, somehow I didn't save & commit the most important file ( It should be updated within minutes.
@alexcasalboni I think it's not being applied to the IAM roles properly. I see it is applied to the Lambda functions but not IAM roles. I didn't even know you could add a permissions boundary to the Lambda function.
mmm weird, I've tested it and I did see the permissions boundary applied to the IAM Role. The SAM transformation is supposed to apply the PM to the Lambda role. I think it works only if the role doesn't exist yet, though. I suppose this was a stack update, right? Could you please delete the existing CloudFormation stack and re-deploy the SAR app from scratch?

@alexcasalboni Actually I made a new stack with a new name. I'll take a deeper look into it a bit later today. To be honest I'm not very familiar with SAM or CloudFormation. In fact the error I pasted is from a Terraform deployment (it can deploy SAR apps). It could be that it adds the permissions boundary after creation, which would cause an issue, since our deployer role is only allowed to create roles with the permissions boundary in the first place. Like I said I'll take a peek in a little bit at our CloudTrail and see if I can find any more clues as to what is going on.

Oh, I see. Thanks for sharing! By the way, I'd be interested in learning more about how you're deploying the SAR app with Terraform - and maybe document it in How to deploy the state machine.

Once I get it working I will be happy to help with the docs. I probably won't get back to you today on the troubleshooting tho, maybe tomorrow. Thanks!

@alexcasalboni I think I've figured it out. I think your global default to use the boundary for functions works fine, but that's not applying to the step function policy "statemachineRole". That one I think you'll want to add the permissions boundary to it some other way.
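The gap diagnosed above, as an added illustration that is not part of this thread or of the project's template: a `Globals.Function.PermissionsBoundary` entry only reaches the roles SAM generates for `AWS::Serverless::Function` resources, so a role declared directly as `AWS::IAM::Role` (like the state machine role) needs its own `PermissionsBoundary` property. The parameter name `PermissionsBoundaryArn`, the function and role names, and the policy contents are assumptions chosen for the example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Parameters:
  # Hypothetical parameter: the account's mandatory boundary policy ARN is passed in at deploy time.
  PermissionsBoundaryArn:
    Type: String
    Description: ARN of the IAM permissions boundary that every role in this stack must carry

Globals:
  Function:
    # Applies only to the execution roles SAM creates for AWS::Serverless::Function resources.
    PermissionsBoundary: !Ref PermissionsBoundaryArn

Resources:
  ExampleFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.9
      Handler: app.handler
      CodeUri: ./src
      Policies:
        - AWSLambdaBasicExecutionRole   # SAM generates the role; Globals attaches the boundary

  # Explicitly declared roles are outside the Globals mechanism: without this property the
  # role is created with no boundary and a deployer restricted by iam:PermissionsBoundary is denied.
  statemachineRole:
    Type: AWS::IAM::Role
    Properties:
      PermissionsBoundary: !Ref PermissionsBoundaryArn
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: states.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: InvokeStackFunctions
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: lambda:InvokeFunction
                Resource: !GetAtt ExampleFunction.Arn
```

After deployment, `aws iam get-role --role-name <name>` on each role in the stack should report the same `PermissionsBoundary` ARN; any role missing it is the one that will be rejected by a boundary-enforcing deployer policy.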
I've merged and published the bugfix on SAR (version

Resolving this for now. Please reopen if you encounter other issues.

Thanks a ton @alexcasalboni! It deployed successfully.
Hello! I am the owner of a few AWS accounts. We require all deployments to have a specific permissions boundary attached to all IAM roles created in the account.
Can you add support for me to pass a permissions boundary into the stack?