aws-cdk
Least Privilege Permissions to run cdk bootstrap
Describe the feature
Provide either a list of the necessary permissions in the docs or an AWS managed role to perform cdk bootstrap using the command "cdk bootstrap".
It is very difficult to comply with the principle of least privilege when bootstrapping with CDK, as the operations and permissions needed are not clearly listed. The --show-template flag only shows the changes that are going to happen, but not the list of actions needed to produce those changes.
Use Case
To provide the User with the minimum required permissions to only run the "cdk bootstrap" command successfully.
Proposed Solution
I think it would be useful to have a clear list of minimum permissions needed to run the bootstrap or to have an AWS managed role with these permissions.
Other Information
I found that the User with the following policy attached is able to bootstrap the environment successfully. User credentials were given using "aws configure".
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudformation:CreateChangeSet",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeChangeSet",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStacks",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:GetTemplate"
      ],
      "Resource": "arn:aws:cloudformation:*:*:stack/CDKToolkit/*",
      "Effect": "Allow",
      "Sid": "CloudFormationPermissions"
    },
    {
      "Action": [
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:GetRole",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:PutRolePolicy"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::*:policy/*",
        "arn:aws:iam::*:role/cdk-*"
      ]
    },
    {
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:PutBucketPolicy",
        "s3:DeleteBucketPolicy",
        "s3:PutBucketPublicAccessBlock",
        "s3:PutBucketVersioning",
        "s3:PutEncryptionConfiguration"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::cdk-*"
      ]
    },
    {
      "Action": [
        "ssm:DeleteParameter",
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:PutParameter"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:ssm:*:*:parameter/cdk-bootstrap/*"
      ]
    },
    {
      "Action": [
        "ecr:CreateRepository",
        "ecr:DeleteRepository",
        "ecr:DescribeRepositories",
        "ecr:SetRepositoryPolicy"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:ecr:*:*:repository/cdk-*"
      ]
    }
  ]
}
```
Acknowledgements
- [ ] I may be able to implement this feature request
- [ ] This feature might incur a breaking change
CDK version used
2.39.1
Environment details (OS name and version, etc.)
Amazon Linux 2 (Cloud9 Environment)
This would be great for the getting started page and/or the bootstrapping page in our devguide @Jerry-AWS.
I'm not sure how necessary all the permissions you've listed here are @sriharshakns, but thanks for the work you've put in for this so far! I don't think you'll need DeleteStack to bootstrap for instance
I'd like to add this information to the Developer Guide but I'll seek a more canonical answer from our core developers. I also need to make sure there's a process to ensure it doesn't go stale.
Could we have an AWS managed CDK bootstrap core policy and maybe a Trusted and TrustedForLookups role too? This would stop the common bad practice of using administrator.
Recent versions of CDK now need cloudformation:DeleteChangeSet to bootstrap. Please can we prioritise this topic?
Is everybody aware that this block:
```json
{
  "Action": [
    "iam:CreateRole",
    "iam:AttachRolePolicy",
    "iam:PutRolePolicy"
  ],
  "Effect": "Allow",
  "Resource": [
    "arn:aws:iam::*:policy/*",
    "arn:aws:iam::*:role/cdk-*"
  ]
}
```
effectively is a privilege escalation vector?
- It is not safe to give bootstrapping permissions to anyone other than an account administrator.
- Since it is only safe to give bootstrapping permissions to an account administrator, what is the value of locking it down?
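The escalation the comment above points at can be checked mechanically. The following is an added example (not code from the aws-cdk project or from any participant in this thread): a small static check that takes an IAM policy document and reports whether its holder can create a `cdk-*` role, give that role administrator permissions, and (optionally) assume it. The account ID, the role name `cdk-escalation`, and the boundary policy name in the hardened variant are constructed for the example; the matcher only models `Action`, `Resource`, `Effect` and `Condition` (no `NotAction`, `NotResource` or principal evaluation) and approximates IAM wildcards with `fnmatch`.

```python
"""Static check for the IAM privilege-escalation chain a CDK bootstrap policy
can contain.  Added example; not aws-cdk project code.

Chain: iam:CreateRole on a role the caller may name (cdk-*), then
iam:PutRolePolicy or iam:AttachRolePolicy on that role to hand it
AdministratorAccess, then sts:AssumeRole (if granted) to use it.
"""
import fnmatch
from typing import List

# Constructed sample values; not taken from the issue.
ACCOUNT = "123456789012"
ROLE_NAME = "cdk-escalation"


def _as_list(value) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str, fold: bool) -> bool:
    # IAM wildcards are * and ?; action names match case-insensitively,
    # resource ARNs are compared as written.
    if fold:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_keys(stmt: dict) -> set:
    cond = stmt.get("Condition") or {}
    return {key.lower() for block in cond.values() for key in block}


def allowing(policy: dict, action: str, resource: str) -> List[dict]:
    """Allow statements covering action on resource; empty if any Deny covers it."""
    allows, denied = [], False
    for stmt in _as_list(policy.get("Statement")):
        if not any(_matches(a, action, True) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(_matches(r, resource, False) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            denied = True
        elif stmt.get("Effect") == "Allow":
            allows.append(stmt)
    return [] if denied else allows


def escalation_chain(policy: dict, account: str = ACCOUNT, role_name: str = ROLE_NAME) -> List[str]:
    """Return the escalation steps the policy permits, or [] if the chain is blocked."""
    role_arn = f"arn:aws:iam::{account}:role/{role_name}"
    # A permissions boundary fixed at CreateRole time caps the new role, so only
    # boundary-free CreateRole statements open the chain.
    create = [s for s in allowing(policy, "iam:CreateRole", role_arn)
              if "iam:permissionsboundary" not in _condition_keys(s)]
    if not create:
        return []
    steps = [f"iam:CreateRole {role_arn} with a trust policy naming a principal the caller controls"]
    if allowing(policy, "iam:PutRolePolicy", role_arn):
        steps.append("iam:PutRolePolicy: inline document allowing Action * on Resource * "
                     "(inline policy content has no condition key to restrict it)")
    elif any("iam:policyarn" not in _condition_keys(s)
             for s in allowing(policy, "iam:AttachRolePolicy", role_arn)):
        steps.append("iam:AttachRolePolicy arn:aws:iam::aws:policy/AdministratorAccess "
                     "(no iam:PolicyARN condition)")
    else:
        return []  # the role can be created but not given permissions
    if allowing(policy, "sts:AssumeRole", role_arn):
        steps.append(f"sts:AssumeRole {role_arn}: the caller now holds administrator credentials")
    else:
        steps.append("no sts:AssumeRole here, but the trust policy chosen in step 1 lets "
                     "another principal assume the role")
    return steps


# The iam statement quoted in the comment above, wrapped in a policy document.
ISSUE_IAM_BLOCK = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"],
        "Effect": "Allow",
        "Resource": ["arn:aws:iam::*:policy/*", "arn:aws:iam::*:role/cdk-*"],
    }],
}

# Same block plus sts:AssumeRole on cdk-*, which a later comment reports needing.
WITH_ASSUME_ROLE = {
    "Version": "2012-10-17",
    "Statement": ISSUE_IAM_BLOCK["Statement"] + [{
        "Action": "sts:AssumeRole", "Effect": "Allow",
        "Resource": "arn:aws:iam::*:role/cdk-*",
    }],
}

# Constructed hardened variant: CreateRole only with a fixed permissions boundary.
# The boundary policy name is an assumption, not something the issue proposes.
WITH_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "iam:CreateRole", "Effect": "Allow",
        "Resource": "arn:aws:iam::*:role/cdk-*",
        "Condition": {"StringEquals": {
            "iam:PermissionsBoundary": f"arn:aws:iam::{ACCOUNT}:policy/cdk-bootstrap-boundary"}},
    }, {
        "Action": ["iam:AttachRolePolicy", "iam:PutRolePolicy", "sts:AssumeRole"],
        "Effect": "Allow",
        "Resource": "arn:aws:iam::*:role/cdk-*",
    }],
}

if __name__ == "__main__":
    for name, pol in [("issue block", ISSUE_IAM_BLOCK),
                      ("plus AssumeRole", WITH_ASSUME_ROLE),
                      ("with boundary", WITH_BOUNDARY)]:
        chain = escalation_chain(pol)
        print(f"{name}: {'ESCALATION' if chain else 'no chain found'}")
        for i, step in enumerate(chain, 1):
            print(f"  {i}. {step}")
```

Note that `arn:aws:iam::*:policy/*` in the `Resource` list does nothing for these three actions: the resource of `AttachRolePolicy` and `PutRolePolicy` is the role, and the managed policy being attached is only reachable through the `iam:PolicyARN` condition key. The boundary variant only closes this particular chain; a real review would also confirm the caller cannot edit the boundary policy or detach it from the role afterwards.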
At the time of writing this comment and with the most recent version of aws-cdk (2.85), I had to also add ecr:PutLifecyclePolicy and s3:PutLifecycleConfiguration to the policy described above from @sriharshakns.
So now the full policy becomes:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudformation:CreateChangeSet",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeChangeSet",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStacks",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:GetTemplate"
      ],
      "Resource": "arn:aws:cloudformation:*:*:stack/CDKToolkit/*",
      "Effect": "Allow",
      "Sid": "CloudFormationPermissions"
    },
    {
      "Action": [
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:GetRole",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:PutRolePolicy"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::*:policy/*",
        "arn:aws:iam::*:role/cdk-*"
      ]
    },
    {
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:PutBucketPolicy",
        "s3:DeleteBucketPolicy",
        "s3:PutBucketPublicAccessBlock",
        "s3:PutBucketVersioning",
        "s3:PutEncryptionConfiguration",
        "s3:PutLifecycleConfiguration"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::cdk-*"
      ]
    },
    {
      "Action": [
        "ssm:DeleteParameter",
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:PutParameter"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:ssm:*:*:parameter/cdk-bootstrap/*"
      ]
    },
    {
      "Action": [
        "ecr:CreateRepository",
        "ecr:DeleteRepository",
        "ecr:DescribeRepositories",
        "ecr:SetRepositoryPolicy",
        "ecr:PutLifecyclePolicy"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:ecr:*:*:repository/cdk-*"
      ]
    }
  ]
}
```
I got stuck on this issue today. This topic is a life saver for me :-) I don't know since when, but I had to add "iam:TagRole" too.
Update. After playing more with aws-cdk, I realized I needed to add more:
- iam:GetRolePolicy
- sts:AssumeRole for arn:aws:iam::*:role/cdk-*
This issue has received a significant amount of attention so we are automatically upgrading its priority. A member of the community will see the re-prioritization and provide an update on the issue.