
Security ignored when using Service Connection for Classic Release AWS tasks

Open jrykowski-huron opened this issue 2 years ago • 2 comments

Describe the bug

We’ve set security for the Azure DevOps organization AWS Service Connection to our production account so that only a project Release Administrators group has the ability to make use of it. This is set for both the Project and Organization security of the Service Connection.

However, our engineers do have rights to create and edit Classic Release pipeline definitions, including adding stages for our production stacks (which make use of a Variable Group variable to set which AWS Service Connection to use).

When an engineer creates a Release pipeline from the definition, they are still able to deploy to AWS production even though they lack rights to use the Service Connection. We realize that we could be making use of a pre-deployment approver gate; however, because the engineers are able to create/edit release pipelines, that doesn’t really provide security (i.e. they would be able to edit who the approvers are for the production stages).

REQUIREMENT: We require separation of duties as part of deployments into production.

QUESTION: How can we have an end-to-end (dev to qa to preview to production) release pipeline which can be edited by the development team but which has security in place to only allow the project Release Administrators group rights to complete production deployments which use the AWS Service Connection?

Expected behavior

The expectation would be that if the person who created the Release pipeline or clicked the Deploy button for the production stage does not have rights to use the Service Connection, then an “access denied” would occur when an attempt is made to use the service connection.

Instead, they are able to complete the deployment (even though they do not have rights to use the production AWS Service Connection).

WORKAROUND

Our workaround is to disable the access key within the AWS production account until it is needed for deployment, but that introduces toil into the CI/CD workflow (and a potential security risk if we fail to inactivate the access key again afterwards).

Your Environment

  • On-prem or cloud based?: Cloud
  • Azure DevOps version: latest
  • AWS Toolkit for Azure DevOps version: 1.12.0

jrykowski-huron commented Mar 18 '22 00:03
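The access-key workaround described in the report is only as safe as the step that turns the key back off. The following is an added example (not code from the AWS Toolkit for Azure DevOps or from the reporter) showing how a release administrator could script it so the production key is active only for the duration of the deployment step and is deactivated again even if the deployment fails. It uses the same method names and keyword arguments as boto3's IAM client (`update_access_key`, `list_access_keys`); the `FakeIAM` class, the user name `prod-deployer` and the key ID are constructed stand-ins so the example runs offline, and a real `boto3.client("iam")` can be passed in their place.

```python
"""Toggle a production IAM access key around a deployment step.

Added example for the workaround in the issue above. The real deployment
(e.g. the Classic Release stage) is represented by the deploy() callable.
"""

from typing import Callable, Protocol


class IamClient(Protocol):
    # Subset of boto3's IAM client interface used here; a real
    # boto3.client("iam") satisfies it.
    def update_access_key(self, *, UserName: str, AccessKeyId: str, Status: str) -> dict: ...
    def list_access_keys(self, *, UserName: str) -> dict: ...


class FakeIAM:
    """Constructed in-memory stand-in for the IAM client (offline demo only)."""

    def __init__(self, user_name: str, access_key_id: str, status: str = "Inactive"):
        self.keys = {(user_name, access_key_id): status}

    def update_access_key(self, *, UserName: str, AccessKeyId: str, Status: str) -> dict:
        if Status not in ("Active", "Inactive"):
            raise ValueError(f"bad Status {Status!r}")
        self.keys[(UserName, AccessKeyId)] = Status
        return {}

    def list_access_keys(self, *, UserName: str) -> dict:
        return {"AccessKeyMetadata": [
            {"AccessKeyId": k, "Status": s}
            for (u, k), s in self.keys.items() if u == UserName
        ]}


def key_status(iam: IamClient, user_name: str, access_key_id: str) -> str:
    """Return 'Active' or 'Inactive' for one of the user's access keys."""
    for md in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if md["AccessKeyId"] == access_key_id:
            return md["Status"]
    raise LookupError(f"access key {access_key_id} not found for user {user_name}")


def deploy_with_temporarily_active_key(iam: IamClient, user_name: str,
                                       access_key_id: str, deploy: Callable[[], object]):
    """Activate the key, run deploy(), deactivate the key again (even on failure).

    Refuses to start if the key is already Active, since that means a previous
    run left it enabled and the situation should be investigated first.
    """
    if key_status(iam, user_name, access_key_id) != "Inactive":
        raise RuntimeError("key is already Active; investigate before deploying")
    iam.update_access_key(UserName=user_name, AccessKeyId=access_key_id, Status="Active")
    try:
        result = deploy()
    finally:
        # Runs whether deploy() returned or raised, so the key is never left on.
        iam.update_access_key(UserName=user_name, AccessKeyId=access_key_id, Status="Inactive")
    if key_status(iam, user_name, access_key_id) != "Inactive":
        raise RuntimeError("deployment key still Active after deploy; rotate it now")
    return result


def demo(fail_deploy: bool = False, initial_status: str = "Inactive") -> tuple:
    """Run the workaround against the fake client.

    Returns (outcome, final key status, key statuses observed inside deploy()).
    """
    user, key_id = "prod-deployer", "AKIAIOSFODNN7EXAMPLE"  # constructed sample values
    iam = FakeIAM(user, key_id, status=initial_status)
    seen = []

    def deploy():
        seen.append(key_status(iam, user, key_id))  # key must be Active here
        if fail_deploy:
            raise RuntimeError("cloudformation stack update failed")
        return "deployed"

    try:
        outcome = deploy_with_temporarily_active_key(iam, user, key_id, deploy)
    except RuntimeError as exc:
        outcome = f"failed: {exc}"
    return outcome, key_status(iam, user, key_id), seen


if __name__ == "__main__":
    print(demo())
    print(demo(fail_deploy=True))
    print(demo(initial_status="Active"))
```

The deployment step sees the key as Active, and in both the success and failure cases the key is Inactive afterwards; a key found Active before the run aborts the deployment rather than silently reusing it. This reduces the "forgot to inactivate it" risk the report mentions but does not change the underlying permission gap: anyone who can run this script with IAM rights can still deploy, so the script itself must be restricted to the release administrators.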

Is something like this applicable? https://docs.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#user-permissions

It seems like it's already possible to configure permissions per-connection, though maybe the Toolkit needs to do something for it to work correctly.

JadenSimon commented Apr 05 '22 20:04

... though maybe the Toolkit needs to do something for it to work correctly.

When testing, I'd configured both the Project and Organization user permissions to only allow read for myself, yet others were able to deploy the Release Stage that used that particular service connection.

I think there's a bug in the Toolkit with the use of security on the AWS Service Connection type... I'd expect an access denied or similar message when the task attempts to use the service connection and permissions are not set for the person running the deploy.

jrykowski-huron commented Apr 05 '22 21:04