Add Permissions boundary to the Roles
When creating an environment, the stack fails with the error below:
```text
❌ Deployment failed: Error:
The stack named dcx-environment-fw7u9n8k failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "Encountered a permissions error performing a tagging operation, please add required tag permissions. See https://repost.aws/knowledge-center/cloudformation-tagging-permission-error for how to resolve.
Resource handler returned message: "User: arn:aws:sts::123456789:assumed-role/cdk-hnb659fds-cfn-exec-role-123456789-eu-west-1/AWSCloudFormation is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::123456789:role/dcx-environment-fw7u9n8k-CustomCDKBucketDeployment8-vSxeN4TiSEFk because no permissions boundary allows the iam:CreateRole action (Service: Iam, Status Code: 403, Request ID: 777a2667-9afc-4343-88a8-d704fbda2851)"" (RequestToken: 78573905-88eb-a02a-93ec-9efb80fb03e0, HandlerErrorCode: UnauthorizedTaggingOperation),
Resource handler returned message: "Encountered a permissions error performing a tagging operation, please add required tag permissions. See https://repost.aws/knowledge-center/cloudformation-tagging-permission-error for how to resolve. Resource handler returned message: "User: arn:aws:sts::123456789:assumed-role/cdk-hnb659fds-cfn-exec-role-123456789-eu-west-1/AWSCloudFormation is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::123456789:role/dcx-environment-fw7u9n8k-dcxLakeformationDefaultSet-rGXTGxO5E8Kg because no permissions boundary allows the iam:CreateRole action (Service: Iam, Status Code: 403, Request ID: 4b0ee857-0ae5-452e-a9a3-0e5ace86554c)"" (RequestToken: 05118eea-511b-7f8f-c02e-71176926b357, HandlerErrorCode: UnauthorizedTaggingOperation),
Resource handler returned message: "Encountered a permissions error performing a tagging operation, please add required tag permissions. See https://repost.aws/knowledge-center/cloudformation-tagging-permission-error for how to resolve. Resource handler returned message: "User: arn:aws:sts::123456789:assumed-role/cdk-hnb659fds-cfn-exec-role-123456789-eu-west-1/AWSCloudFormation is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::123456789:role/dcx-environment-fw7u9n8k-dcxGlueDbCustomResourcePro-LS3rSytMadV4 because no permissions boundary allows the iam:CreateRole action (Service: Iam, Status Code: 403, Request ID: b03f8634-0679-471d-b43c-56d37e21fe0e)
```
After analysis it was found that the command below was used to bootstrap the account:
```bash
aws cloudformation deploy \
  --profile "destination-account" \
  --region "${REGION}" \
  --stack-name "${STACK_NAME}" \
  --template-file ./bootstrap-template.yaml \
  --parameter-overrides InputPermissionsBoundary=<assume.boundary.policy> \
    TrustedAccounts="${ACCOUNT_ID}" \
    TrustedAccountsForLookup="${ACCOUNT_ID}" \
    CloudFormationExecutionPolicies="arn:aws:iam::aws:policy/AdministratorAccess" \
  --capabilities CAPABILITY_NAMED_IAM
```
Due to company security policy the <assume.boundary.policy> boundary must be applied to any IAM role created. And since we are not applying the mentioned boundary to the 3 roles above, the "no permissions boundary allows the iam:CreateRole action" error message shows up if the action is blocked by a policy (and creating a boundary-less IAM role is).
So now the fix was to add the permissions boundary to the 3 roles created when creating an environment, but we did not find any creation reference for the roles:
dcx-environment-<environmentUri>-CustomCDKBucketDeployment8-<Uri>
dcx-environment-<environmentUri>-dcxGlueDbCustomResourcePro-<Uri>
dcx-environment-<environmentUri>-dcxLakeformationDefaultSet-<Uri>
How can we add permission boundary to the above 3 roles and generically to any IAM role created in data.all?
Hi @sandeephs1 thanks for the issue. This is a good feature that would harden security. The roles you were not able to find in the stack are CDK auto-created roles that are not explicitly declared in the stack. We could go to each of the CDK constructs to check the parameters, but I think an easier way of implementing permission boundaries is to apply them to all roles (including the weird CDK-created ones). We could use something like what is explained in the CDK docs.
Let us know if that helps out, we can always look at other alternatives. @SofiaSazonova
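The following is an added example, not code from data.all or from either participant in this thread, of the check a practitioner would want after applying the boundary the way the reply suggests. The CDK v2 call the "CDK docs" pointer refers to is `iam.PermissionsBoundary.of(scope).apply(boundary_policy)`; applied at the environment stack scope it also reaches the CDK-generated custom-resource provider roles from the error, because those constructs live under that scope. The script below audits the template that `cdk synth` writes to `cdk.out/` and reports every `AWS::IAM::Role`, explicit or generated, whose `PermissionsBoundary` is missing or differs from the mandated ARN; it also offers a post-synth patch as a fallback for a CI gate. The account ID, boundary name and embedded template are constructed placeholders, not values from the issue or from a real deployment.

```python
"""Audit a synthesized CDK template for IAM roles that lack the mandated permissions boundary.

Usage after `cdk synth`:
    python check_boundary.py cdk.out/<stack>.template.json arn:aws:iam::<account>:policy/<boundary-name>
Exits 1 if any AWS::IAM::Role (explicit or CDK-generated) is missing the boundary.
"""
import copy
import json
import sys

# Pseudo-parameter values used when a boundary is written as Fn::Sub. Constructed defaults for the
# stand-alone demo; the account ID is a placeholder, not a real account.
DEFAULT_PSEUDO = {"AWS::Partition": "aws", "AWS::AccountId": "123456789012", "AWS::Region": "eu-west-1"}

# Placeholder boundary ARN that mirrors the <assume.boundary.policy> name from the issue.
BOUNDARY = "arn:aws:iam::123456789012:policy/assume.boundary.policy"


def resolve_boundary(value, pseudo=DEFAULT_PSEUDO):
    """Return the PermissionsBoundary property as a plain ARN string.

    ManagedPolicy.from_managed_policy_name() synthesizes to
    {"Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/<name>"}; from_managed_policy_arn()
    synthesizes to a literal string. Other intrinsics come back as canonical JSON so they compare deterministically.
    """
    if value is None:
        return None
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and "Fn::Sub" in value:
        sub = value["Fn::Sub"]
        template, extra = (sub[0], sub[1]) if isinstance(sub, list) else (sub, {})
        for key, val in {**pseudo, **extra}.items():
            if isinstance(val, str):
                template = template.replace("${%s}" % key, val)
        return template
    return json.dumps(value, sort_keys=True)


def audit_roles(template, boundary_arn, pseudo=DEFAULT_PSEUDO):
    """Return {logical_id: reason} for every AWS::IAM::Role whose boundary is missing or not boundary_arn."""
    problems = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        actual = resolve_boundary(res.get("Properties", {}).get("PermissionsBoundary"), pseudo)
        if actual is None:
            problems[logical_id] = "missing PermissionsBoundary"
        elif actual != boundary_arn:
            problems[logical_id] = f"unexpected boundary {actual}"
    return problems


def patch_roles(template, boundary_arn):
    """Post-synth fallback: return (patched copy, patched logical IDs) with the boundary set on roles lacking it.

    Prefer iam.PermissionsBoundary.of(scope).apply(...) in the CDK app itself; this exists only so a CI gate
    can fix a template when the app cannot be changed. Roles that carry a *different* boundary are left
    untouched and are still reported by audit_roles().
    """
    patched_template = copy.deepcopy(template)
    patched_ids = []
    for logical_id, res in patched_template.get("Resources", {}).items():
        if res.get("Type") == "AWS::IAM::Role" and "PermissionsBoundary" not in res.setdefault("Properties", {}):
            res["Properties"]["PermissionsBoundary"] = boundary_arn
            patched_ids.append(logical_id)
    return patched_template, patched_ids


# Constructed stand-in for cdk.out/<stack>.template.json: one explicit role that already carries the
# boundary (Fn::Sub form) and one CDK-generated custom-resource provider role, as in the error, that does not.
SAMPLE_TEMPLATE = {
    "Resources": {
        "EnvironmentPivotRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": []},
                "PermissionsBoundary": {
                    "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/assume.boundary.policy"
                },
            },
        },
        "CustomCDKBucketDeployment8ServiceRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {"AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": []}},
        },
        "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
}


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as fh:
            template = json.load(fh)
        boundary = argv[2]
    else:  # no arguments: run against the constructed sample template
        template, boundary = SAMPLE_TEMPLATE, BOUNDARY
    problems = audit_roles(template, boundary)
    for logical_id, reason in sorted(problems.items()):
        print(f"{logical_id}: {reason}")
    print(f"{len(problems)} role(s) without boundary {boundary}")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against every `*.template.json` in `cdk.out/` as part of the pipeline that precedes `cdk deploy`: a non-zero exit means a role would be rejected by the boundary policy at `iam:CreateRole` time, which is cheaper to learn here than from a `ROLLBACK_COMPLETE`.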