
Feature Request: Add PermissionsBoundary as option for role that gets created

Open cervantek opened this issue 5 years ago • 6 comments

For SAM functions, you are able to specify a Permissions Boundary to use for the role that gets created automatically by Serverless::Function resources. However, there is no way for us as a consumer of these Serverless Applications to specify that to you.

Could you please add an optional parameter to the Serverless Application that allows us to specify a PermissionsBoundary?

If your App is passed PermissionsBoundary as a parameter by a user, simply pass it down to the Serverless::Function it creates. This should only be a few line change to your template.

We (and others likely) cannot take advantage of your Serverless Apps due to being required (by a standard/policy within our organizations) to always specify a PermissionsBoundary on any role we create (or is created for us by things like SAM).

cervantek avatar Dec 06 '19 00:12 cervantek

Thank you for your feedback. We have noted this as a feature request.

joebaro avatar May 05 '21 23:05 joebaro

Any plans on making this happen? Currently, the rotation applications are only useful if you want to give developers all access to the AWS account, which is often not possible.

ArielPrevu3D avatar Sep 22 '21 18:09 ArielPrevu3D

Need this too! Would implement this, but need to know where the template resides

markussiebert avatar May 06 '22 11:05 markussiebert

Are the SAM templates available anywhere to provide PRs on?

Saberos avatar Jan 19 '23 13:01 Saberos

Can you please apply Globals.Function.PermissionsBoundary to the SAM Template that gets created. This is supported by SAM. You can use this template as reference: https://github.com/aws-samples/cloudfront-authorization-at-edge/blob/master/template.yaml

I would have created a PR, but can't find the yaml template available anywhere in this repo


asifma avatar Oct 24 '23 09:10 asifma

Below is a proposed template for: SecretsManagerRDSPostgreSQLRotationSingleUser — version 1.1.384

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Parameters:
  endpoint:
    Type: String
    Description: The Secrets Manager endpoint to use.
  functionName:
    Type: String
    Description: The name of the Lambda function.
  invokingServicePrincipal:
    Type: String
    Description: The service principal for the invoking service.
    Default: secretsmanager.amazonaws.com
  vpcSubnetIds:
    Type: CommaDelimitedList
    Description: A comma-separated list of VPC subnet IDs applied to the database
      network.
    Default: ''
  vpcSecurityGroupIds:
    Type: CommaDelimitedList
    Description: A comma-separated list of security group IDs applied to the database.
    Default: ''
  kmsKeyArn:
    Type: String
    Description: The ARN of the KMS key that Secrets Manager uses to encrypt the secret.
    Default: ''
  excludeCharacters:
    Type: String
    Description: A string of the characters that you don't want in the password.
    Default: :/@"'\
  runtime:
    Type: String
    Description: The python runtime associated with the Lambda function
    Default: python3.9
  # New optional parameter: consumers whose organisation mandates a boundary
  # pass the policy ARN here; leaving it empty keeps today's behaviour.
  PermissionsBoundaryPolicyArn:
    Description: ARN of a boundary policy if your organisation uses some for roles, optional.
    Type: String
    Default: ""
Conditions:
  AddVpcConfig:
    Fn::And:
    - Fn::Not:
      - Fn::Equals:
        - ''
        - Fn::Join:
          - ''
          - Ref: vpcSubnetIds
    - Fn::Not:
      - Fn::Equals:
        - ''
        - Fn::Join:
          - ''
          - Ref: vpcSecurityGroupIds
  KmsKeyArnExists:
    Fn::Not:
    - Fn::Equals:
      - ''
      - Ref: kmsKeyArn
  # True only when a boundary ARN was supplied.
  ApplyPermissionsBoundary:
    !Not [!Equals [!Ref PermissionsBoundaryPolicyArn, ""]]

Resources:
  SecretsManagerRDSPostgreSQLRotationSingleUser:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName:
        Ref: functionName
      Description: Rotates a Secrets Manager secret for Amazon RDS PostgreSQL credentials
        using the single user rotation strategy.
      Handler: lambda_function.lambda_handler
      Runtime:
        Ref: runtime
      CodeUri:
        Bucket: <%REPO_BUCKET%>
        Key: 8494558e-a7c7-479b-b855-6a42fa99ba3f
      AutoPublishCodeSha256: b6db215a045dfe41d9838f1236af55b0de0d491d7d03b67d78ebde754eeadaae
      Timeout: 30
      # SAM attaches this boundary to the execution role it generates for the
      # function; AWS::NoValue drops the property entirely when no ARN is given.
      PermissionsBoundary: !If
        - ApplyPermissionsBoundary
        - !Ref PermissionsBoundaryPolicyArn
        - !Ref AWS::NoValue
      Policies:
      - VPCAccessPolicy: {}
      - AWSSecretsManagerRotationPolicy:
          FunctionName:
            Ref: functionName
      - Fn::If:
        - KmsKeyArnExists
        - Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
            - kms:Decrypt
            - kms:DescribeKey
            - kms:GenerateDataKey
            Resource:
              Ref: kmsKeyArn
        - Ref: AWS::NoValue
      Environment:
        Variables:
          SECRETS_MANAGER_ENDPOINT:
            Ref: endpoint
          EXCLUDE_CHARACTERS:
            Ref: excludeCharacters
      VpcConfig:
        Fn::If:
        - AddVpcConfig
        - SubnetIds:
            Ref: vpcSubnetIds
          SecurityGroupIds:
            Ref: vpcSecurityGroupIds
        - Ref: AWS::NoValue
      Tags:
        SecretsManagerLambda: Rotation
  LambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName:
        Fn::GetAtt:
        - SecretsManagerRDSPostgreSQLRotationSingleUser
        - Arn
      Principal:
        Ref: invokingServicePrincipal
      SourceAccount:
        Ref: AWS::AccountId
Outputs:
  RotationLambdaARN:
    Description: The ARN of the rotation lambda
    Value:
      Fn::GetAtt:
      - SecretsManagerRDSPostgreSQLRotationSingleUser
      - Arn
```

asifma avatar Oct 27 '23 11:10 asifma
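Until the upstream template carries the parameter, a consuming team can apply the same change themselves before deploying. The script below is an added example written for this thread, not code from the aws-secrets-manager-rotation-lambdas project: it walks a CloudFormation/SAM template (in JSON form, since the Python standard library has no YAML parser), reports every role-creating resource that lacks a `PermissionsBoundary`, and wires in the optional `PermissionsBoundaryPolicyArn` parameter plus the `ApplyPermissionsBoundary` condition and `Fn::If` exactly as in the proposed template above. The embedded sample template is constructed for the example; the bucket and key in its `CodeUri` are placeholders.

```python
"""Find and fix role-creating resources without a PermissionsBoundary.

Added example for this thread; not code from the rotation-lambdas project.
Works on the JSON form of a CloudFormation/SAM template.
"""
import copy
import json

# Resource types that cause a role to be created. SAM synthesises an
# execution role for every Serverless::Function unless Role is supplied.
ROLE_CREATING_TYPES = {
    "AWS::Serverless::Function",
    "AWS::Serverless::StateMachine",
    "AWS::IAM::Role",
}

# Values that mean "no boundary" in a parsed template.
NO_BOUNDARY = (None, "", {"Ref": "AWS::NoValue"})


def missing_boundary(template: dict) -> list[str]:
    """Return logical IDs of resources that create a role but set no boundary."""
    offenders = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        if rtype not in ROLE_CREATING_TYPES:
            continue
        props = resource.get("Properties", {})
        # A function or state machine that reuses an existing role creates none.
        if rtype.startswith("AWS::Serverless::") and "Role" in props:
            continue
        if props.get("PermissionsBoundary") in NO_BOUNDARY:
            offenders.append(logical_id)
    return offenders


def add_boundary_parameter(template: dict,
                           param: str = "PermissionsBoundaryPolicyArn",
                           condition: str = "ApplyPermissionsBoundary") -> dict:
    """Return a copy with an optional boundary parameter applied conditionally.

    Mirrors the pattern in the proposed template: an empty parameter value
    resolves to AWS::NoValue, so existing deployments are unaffected.
    """
    out = copy.deepcopy(template)
    out.setdefault("Parameters", {})[param] = {
        "Type": "String",
        "Default": "",
        "Description": "ARN of a permissions boundary policy, optional.",
    }
    out.setdefault("Conditions", {})[condition] = {
        "Fn::Not": [{"Fn::Equals": [{"Ref": param}, ""]}]
    }
    for logical_id in missing_boundary(out):
        props = out["Resources"][logical_id].setdefault("Properties", {})
        props["PermissionsBoundary"] = {
            "Fn::If": [condition, {"Ref": param}, {"Ref": "AWS::NoValue"}]
        }
    return out


# Constructed sample: the rotation function from the thread, reduced to the
# properties that matter here and without any boundary. CodeUri is a placeholder.
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Transform": "AWS::Serverless-2016-10-31",
  "Parameters": {"functionName": {"Type": "String"}},
  "Resources": {
    "RotationFunction": {
      "Type": "AWS::Serverless::Function",
      "Properties": {
        "FunctionName": {"Ref": "functionName"},
        "Handler": "lambda_function.lambda_handler",
        "Runtime": "python3.9",
        "CodeUri": "s3://PLACEHOLDER-BUCKET/PLACEHOLDER-KEY"
      }
    },
    "LambdaPermission": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {"Fn::GetAtt": ["RotationFunction", "Arn"]},
        "Principal": "secretsmanager.amazonaws.com"
      }
    }
  }
}
""")

if __name__ == "__main__":
    print("before:", missing_boundary(SAMPLE_TEMPLATE))
    patched = add_boundary_parameter(SAMPLE_TEMPLATE)
    print("after: ", missing_boundary(patched))
    print(json.dumps(patched, indent=2))
```

Running `missing_boundary` against a downloaded application template in CI fails the build before `sam deploy` is attempted, which is cheaper than discovering the missing boundary when the organisation's IAM guardrail rejects `CreateRole`. `add_boundary_parameter` leaves resources that already reference an existing `Role` untouched, since no new role is created for them.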