Fix deployment bootstrap IAM PassRole permissions #776
Issue: #755
Why?
When an update is performed in the bootstrap repository, it will run `sam build` to generate the bootstrap stack for the deployment account. This, however, includes new versions of some of its dependencies and therefore requires the Lambda Functions to update. While updating, it requires the `iam:PassRole` permission to pass the role to the new Lambda Function version. This was not permitted by the update deployment role as used for minor updates, as reported in the issue linked above.
What?
Updated the update deployment bootstrap role to include the required permissions to pass those roles as required.

Unfortunately, some of the Lambda functions relied on the `Policies` feature of SAM. This would auto-generate a name for the role, thereby making it impossible to lock down permissions to the bare minimum. Hence, those functions now rely on dedicated Roles such that we can list the ARNs properly.

Half of the policies for the updated bootstrap deployment role have been relocated to an IAM Managed Policy to work around the 10k inline-policy limit.

Additionally, the permission to perform `codebuild:BatchGetProjects` on the pipeline management CodeBuild project was missing.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
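The pattern the description above relies on, as an added example that is not this PR's template or the project's own code: a SAM function whose execution role is an explicit `AWS::IAM::Role` with a deterministic name (instead of the auto-named role the `Policies` shortcut generates), so that the deployment role's `iam:PassRole` grant can list that exact ARN, plus the `iam:PassedToService` condition that stops the deployment role from passing the same role to anything other than Lambda. The grant lives in an `AWS::IAM::ManagedPolicy` attached to the existing deployment role, which is how the inline-policy size limit is avoided. Every resource name, the `UpdateDeploymentRoleName` parameter and the `pipeline-management` project name are hypothetical.

```yaml
# Added example, not the project's template. All names are hypothetical.
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Parameters:
  UpdateDeploymentRoleName:
    Type: String
    Description: Name of the existing update deployment role (hypothetical parameter)

Resources:
  # Before (commented out): with `Policies`, SAM creates a role named
  # "<StackName>-ExampleFunctionRole-<random suffix>", so its ARN cannot be
  # listed in a PassRole statement ahead of time.
  #
  # ExampleFunction:
  #   Type: AWS::Serverless::Function
  #   Properties:
  #     Policies:
  #       - AWSLambdaBasicExecutionRole

  # After: a dedicated role with a fixed name and therefore a known ARN.
  ExampleFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: bootstrap-example-function-role   # hypothetical
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  ExampleFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler
      CodeUri: ./src
      Role: !GetAtt ExampleFunctionRole.Arn

  # Permissions the update deployment role needs when a new function version is
  # created. Kept in a managed policy instead of an inline policy so the role
  # stays under the inline-policy size limit. PassRole is restricted to the
  # exact execution role ARN and to Lambda as the receiving service.
  UpdateDeploymentExtraPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: bootstrap-update-deployment-extra   # hypothetical
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: PassLambdaExecutionRoles
            Effect: Allow
            Action: iam:PassRole
            Resource:
              - !GetAtt ExampleFunctionRole.Arn
            Condition:
              StringEquals:
                iam:PassedToService: lambda.amazonaws.com
          - Sid: ReadPipelineManagementProject
            Effect: Allow
            Action: codebuild:BatchGetProjects
            Resource: !Sub arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/pipeline-management   # hypothetical project name
      Roles:
        - !Ref UpdateDeploymentRoleName
```

To confirm the grant is as narrow as intended before relying on it, `aws iam simulate-principal-policy` against the deployment role with `--action-names iam:PassRole`, `--resource-arns` set to the execution role ARN and a context entry `ContextKeyName=iam:PassedToService,ContextKeyValues=lambda.amazonaws.com,ContextKeyType=string` should return `allowed`, while the same call with any other role ARN, or with `ContextKeyValues` set to a different service, should return `implicitDeny`.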