
(core): enable adding `sts:SetSourceIdentity` to bootstrap stack trust policy for monitored environments

Open jaecktec opened this issue 2 years ago • 5 comments

Description

In monitored AWS accounts it's required for the user to add `sts:SetSourceIdentity` to the trust policy of the cdk-toolkit IAM roles.

If not done, the deployment does not fail; however, the log is spammed with:

```
current credentials could not be used to assume 'arn:aws:iam::************:role/cdk-hnb659fds-lookup-role-************-region', but are for the right account. Proceeding anyway.
```

Use Case

Using CDK in monitored environments

Proposed Solution

Provide a flag or another way to modify the trust policy.

Other information

I'd be willing to implement this; however, I'd need some guidance on where to start, since I couldn't find the place where the trust policy is built.

Acknowledge

  • [X] I may be able to implement this feature request
  • [ ] This feature might incur a breaking change

jaecktec, Feb 24 '22 07:02

I assume it would have to go into all AssumeRolePolicyDocuments in this file: https://github.com/aws/aws-cdk/blob/master/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml#L215

rix0rrr, Feb 24 '22 13:02

Is there any downside to always adding this permission?

jaecktec, Feb 24 '22 13:02

Cross-posting from the PR (highlight is mine):

> AWS doesn't control the value of the source identity in either the `sts:SourceIdentity` or `aws:SourceIdentity` keys. If you choose to require a source identity, you must choose an attribute that you want your users or IdP to provide. For security purposes, you must ensure that you can control how those values are provided.

Based on the above quote, my understanding is that adding the permissions without controlling the values creates a security risk. It could cause Administrators & users to wrongly ascertain the source identity of the user.


We have a supported way to customize the bootstrapping template. We are also aware of many requests in that area and are tentatively collecting them into a bigger project, although it looks unlikely that we will be able to support every bootstrapping customization as a CLI flag.

mrgrain, Aug 04 '22 13:08
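What the quoted guidance implies for a customized bootstrap template, as an added example that is not from this thread or the CDK project: the trust-policy statement grants `sts:SetSourceIdentity` only together with a condition on `sts:SourceIdentity`, and a small linter flags any statement that grants the action without such a condition. The account id and the identity pattern are constructed placeholders.

```python
import json

# Constructed placeholders: a trusted account and the identity pattern your IdP
# is configured to emit (this is the "attribute you control" from the AWS text).
TRUSTED_ACCOUNT = "111111111111"
ALLOWED_SOURCE_IDENTITY = "deploy-*"


def trust_statement(trusted_account, source_identity_pattern):
    """Statement for a bootstrap role's AssumeRolePolicyDocument: the trusted
    account may assume the role and set a source identity, but only one that
    matches a pattern the role owner controls."""
    return {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": ["sts:AssumeRole", "sts:SetSourceIdentity"],
        "Condition": {"StringLike": {"sts:SourceIdentity": source_identity_pattern}},
    }


def build_policy(statements):
    return {"Version": "2012-10-17", "Statement": statements}


def unconstrained_source_identity(policy):
    """Return Allow statements that grant sts:SetSourceIdentity without any
    condition on sts:SourceIdentity: the case the quoted guidance warns about,
    where the caller chooses the value and operators may wrongly trust it."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        grants = any(a in ("sts:SetSourceIdentity", "sts:*", "*") for a in actions)
        # IAM condition keys are case-insensitive, so compare in lower case.
        cond_keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if grants and "sts:sourceidentity" not in cond_keys:
            findings.append(stmt)
    return findings


if __name__ == "__main__":
    good = build_policy([trust_statement(TRUSTED_ACCOUNT, ALLOWED_SOURCE_IDENTITY)])
    # Same statement with the condition dropped: grants the action unconstrained.
    loose = {k: v for k, v in good["Statement"][0].items() if k != "Condition"}
    print(json.dumps(good, indent=2))
    print("unconstrained statements:", len(unconstrained_source_identity(build_policy([loose]))))
```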

Meaning this issue will not be addressed? Is the fix supposed to be to create my own bootstrap template?

jaecktec, Aug 08 '22 12:08

The currently supported way of doing this is to customize the bootstrap template. Please let me know if that doesn't work as a workaround for you.


We'll keep the feature request open and consider it in the wider context of bootstrapping. I'll also take this issue to the team to re-assess the assigned priority.

mrgrain, Aug 08 '22 13:08