
AWS Builder Does Not Support IAM Permission Boundaries

Open hc-github-team-packer opened this issue 3 years ago • 1 comment

This issue was originally opened by @dylanmtaylor in https://github.com/hashicorp/packer/issues/11820 and has been migrated to this repository. The original issue description is below.


Description

Packer in its current state does not seem to support IAM permissions boundaries for creating a role while building into an account. This feature is highly desirable to us.

Use Case(s)

This allows controlled builds using packer that can create roles but can't escalate their privileges.

Potential configuration

```hcl
source "amazon-ebs" "amazon_linux" {
  ...
  iam_permissions_boundary = "[some arn]"
}
```

Potential References

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

hc-github-team-packer, Jun 06 '22 14:06

This is necessary in environments where permissions boundaries are being used to prevent privilege escalation. I'm currently using a role in CI which has a permissions boundary attached which requires all roles being created by the CI role to also have the same boundary attached. This is common practice.

caylorme, Jun 07 '22 05:06
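A defender-side check for the constraint caylorme describes above: a CI role that may create or modify roles only when the expected permissions boundary is attached. This is an added example, not code from Packer or from the issue authors; the boundary ARN and both policy documents are constructed, and the checker only inspects Allow statements (it does not model Deny statements or Resource scoping).

```python
import json
from fnmatch import fnmatchcase

# Constructed ARN for the example; a real account supplies its own.
BOUNDARY_ARN = "arn:aws:iam::123456789012:policy/ci-permissions-boundary"

# Role-write actions that the iam:PermissionsBoundary condition key can restrict.
ROLE_WRITE_ACTIONS = ("iam:CreateRole", "iam:PutRolePolicy",
                      "iam:AttachRolePolicy", "iam:PutRolePermissionsBoundary")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _requires_boundary(stmt, boundary_arn):
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    return cond.get("iam:PermissionsBoundary") == boundary_arn

def unbounded_role_actions(policy, boundary_arn=BOUNDARY_ARN):
    """Role-write actions that some Allow statement grants without requiring
    boundary_arn as the role's permissions boundary. Empty set means OK."""
    findings = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or _requires_boundary(stmt, boundary_arn):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive and may use '*' globs.
            findings.update(a for a in ROLE_WRITE_ACTIONS
                            if fnmatchcase(a.lower(), pattern.lower()))
    return findings

# Weak (constructed): CI may create roles with no boundary, so a build job
# could mint a role more privileged than itself.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["iam:CreateRole", "iam:Attach*"],
                 "Resource": "*"}]
}""")

# Hardened (constructed): same actions, allowed only when the target role
# carries BOUNDARY_ARN, which is what the CI role's own boundary demands.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["iam:CreateRole", "iam:Attach*"],
                 "Resource": "*",
                 "Condition": {"StringEquals": {"iam:PermissionsBoundary":
                   "arn:aws:iam::123456789012:policy/ci-permissions-boundary"}}}]
}""")

if __name__ == "__main__":
    print("weak policy, unbounded:", sorted(unbounded_role_actions(WEAK_POLICY)))
    print("hardened policy, unbounded:", sorted(unbounded_role_actions(HARDENED_POLICY)))
```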