
Proposal: IAM role paths

jplock opened this issue 5 years ago • 8 comments

Description:

I'd like to be able to specify the IAM role Path on either a function or globals.

Observed result:

Able to specify Path on a Function or Globals

Expected result:

Path is set on the implicitly created IAM roles

jplock avatar Apr 16 '20 18:04 jplock

Would you accept a PR for this?

jplock avatar Apr 16 '20 23:04 jplock

@jplock just to confirm: you'd like to expose this path property from the implicit AWS::IAM::Role resource?

And for our curiosity- what is your use case for wanting this property exposed?

keetonian avatar Apr 17 '20 22:04 keetonian

@keetonian yes, correct. We have policies in place to allow teams to only create IAM roles via CloudFormation templates if they provide a specific CF service role. The service role only allows managing IAM policies with a specific Path and a PermissionBoundary must also be applied. The Path allows us to restrict the IAM roles developers can manage to only the ones they’ve created themselves within the Path.

Hopefully that makes sense.

Without this change, we have to define explicit roles in SAM to set both the Path and PermissionsBoundary (although PermissionsBoundary is already supported).

jplock avatar Apr 18 '20 03:04 jplock

Ok, this could be a good addition then. I think we should add this property to the AWS::Serverless::Function spec like we have for PermissionsBoundary, and what do you think about calling it RolePath?

To add this property:

Add RolePath as a new property here: https://github.com/awslabs/serverless-application-model/blob/develop/samtranslator/model/sam_resources.py#L68

Do the translation to an AWS::IAM::Role here: https://github.com/awslabs/serverless-application-model/blob/develop/samtranslator/model/sam_resources.py#L528

Update tests as appropriate

keetonian avatar Apr 21 '20 21:04 keetonian
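To make the translation step described above concrete, here is an added illustrative model (not samtranslator's own code) of how a RolePath and PermissionsBoundary on a function would be carried through to the implicit AWS::IAM::Role, together with a check that emulates the guardrail from the use case: a CloudFormation service role that only permits roles under one Path with the expected boundary attached. The function properties, account id, path and boundary ARN are constructed sample values.

```python
# Constructed sample: the properties a template author writes once RolePath
# and PermissionsBoundary are exposed on AWS::Serverless::Function.
SAM_FUNCTION = {
    "Type": "AWS::Serverless::Function",
    "Properties": {
        "Handler": "app.handler",
        "Runtime": "python3.9",
        "RolePath": "/teams/payments/",
        "PermissionsBoundary": "arn:aws:iam::123456789012:policy/TeamBoundary",
    },
}

# Trust policy every Lambda execution role needs.
LAMBDA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["lambda.amazonaws.com"]},
        "Action": ["sts:AssumeRole"],
    }],
}


def build_implicit_role(logical_id: str, sam_function: dict) -> dict:
    """Hypothetical model of the translation step: emit the implicit
    AWS::IAM::Role for a function, carrying RolePath through as Path."""
    props = sam_function["Properties"]
    role_props = {
        "AssumeRolePolicyDocument": LAMBDA_TRUST_POLICY,
        "ManagedPolicyArns": [
            "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
        ],
    }
    if "RolePath" in props:
        role_props["Path"] = props["RolePath"]
    if "PermissionsBoundary" in props:
        role_props["PermissionsBoundary"] = props["PermissionsBoundary"]
    return {logical_id + "Role": {"Type": "AWS::IAM::Role", "Properties": role_props}}


def role_allowed(role: dict, required_path: str, required_boundary: str) -> bool:
    """Emulate the guardrail from the thread: the CloudFormation service role
    only permits roles under one Path that also carry the expected boundary.
    IAM defaults Path to "/" when it is omitted, so a role without RolePath
    falls outside the permitted prefix and the stack deployment would fail."""
    props = role["Properties"]
    return (props.get("Path", "/").startswith(required_path)
            and props.get("PermissionsBoundary") == required_boundary)
```

Without RolePath the generated role lands on the default "/" path, which is exactly why explicit role definitions were needed before this property existed.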

Great, happy to work on that.

jplock avatar Apr 21 '20 21:04 jplock

Created https://github.com/awslabs/serverless-application-model/pull/1567 for this change.

jplock avatar Apr 22 '20 01:04 jplock

Is there any plan to implement this? I have a similar use case as described above and need to be able to specify a RolePath to continue using my current SAM templates.

mattjhill avatar Jan 22 '21 17:01 mattjhill

Agreed on this. I really would like to see this. I also have a case where a permissions boundary only permits creating roles on a certain path.

jfalkenstein avatar Sep 30 '21 21:09 jfalkenstein

RolePath implementation for SAM Function is merged. (Pending release). RolePath for SAM StateMachine is under implementation.

GavinZZ avatar Nov 29 '22 21:11 GavinZZ

Both SAM Function and StateMachine support are completed last week. Waiting for release.

SAM Function RolePath PR: https://github.com/aws/serverless-application-model/pull/2659

SAM StateMachine RolePath PR: https://github.com/aws/serverless-application-model/pull/2684

GavinZZ avatar Dec 13 '22 19:12 GavinZZ

Released in v1.56.0

aahung avatar Jan 05 '23 22:01 aahung

Yay! Thank you!

jplock avatar Jan 05 '23 23:01 jplock

@aahung Thank you! Trying to use the new RolePath property as well.

However, using the latest SAM CLI release v1.68.0 I am getting `InvalidResourceException: property RolePath not defined for resource of type AWS::Serverless::Function`.

Sorry for my ignorance, have not dug into this code enough but how does the CLI pick up this change?

EDIT: see this PR. Guessing a new release needs to be cut.

bakosa avatar Jan 06 '23 13:01 bakosa

@bakosa yes, it will be available in the next release of SAM CLI.

aahung avatar Jan 06 '23 18:01 aahung