What IAM permissions are needed to use CDK Deploy?

Asked by 余生分开走 on 2020-12-28 18:56 (Frontend · unresolved · 3 answers · 1130 views)

My team has a pipeline which runs under an execution IAM role. We want to deploy code to AWS through CloudFormation or the CDK.

In the past, we would upload some art

3 answers
  • 2020-12-28 19:03

    I tried giving full CloudFormation permissions:

    {
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": "cloudformation:*",
        "Resource": "*"
    }
    

    but that's still not enough; this is the output of the cdk deploy command running in CodeBuild:

    dev-MyStack 
    dev-MyStack: deploying... 
    
     ❌  dev-MyStack failed: Forbidden: null 
    null 
    

    The only workaround I have at the moment is to give Administrator permissions, which is of course not ideal.

  • 2020-12-28 19:15

    I'm using the policy below to deploy CDK apps. Besides full CloudFormation access and full S3 access to the CDK staging bucket, it grants permission to do everything through CloudFormation.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "cloudformation:*"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Condition": {
                    "ForAnyValue:StringEquals": {
                        "aws:CalledVia": [
                            "cloudformation.amazonaws.com"
                        ]
                    }
                },
                "Action": "*",
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": "s3:*",
                "Resource": "arn:aws:s3:::cdktoolkit-stagingbucket-*",
                "Effect": "Allow"
            }
        ]
    }
    

    You might want to add some explicit denies for things you don't want to allow.

    Also, be aware that the above condition does not mean the principal is limited to things possible with CloudFormation. A potential attack vector would be to create a custom CFN resource backed by a Lambda function. When creating resources through that custom resource, you could then do anything in the Lambda, because it is triggered via CloudFormation.

  • 2020-12-28 19:21

    Since I couldn't find any documentation anywhere, I had to do some trial and error to get this to work.

    Apart from the permissions you need to create the actual resources you define in your stack, you need to give the following:

    cloudformation:DescribeStacks
    cloudformation:CreateChangeSet
    cloudformation:DescribeChangeSet
    cloudformation:ExecuteChangeSet
    cloudformation:DescribeStackEvents
    cloudformation:DeleteChangeSet
    

    to the stack ARN you are creating, as well as to the bootstrap stack:

    arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/CDKToolkit/*
    

    You also need S3 permissions to the bucket that the bootstrap added (otherwise you get that dreaded Forbidden: null error):

    s3:*Object
    s3:ListBucket
    s3:GetBucketLocation
    

    to

    arn:aws:s3:::cdktoolkit-stagingbucket-*
    
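Putting the two previous answers together, as an added example that is not code from any of the answers above: the script below assembles a deploy policy from the permission list in the last answer, adds the aws:CalledVia statement and one explicit deny of the kind the second answer suggests, and runs representative requests through a small evaluator that models only the IAM rules needed here (Allow/Deny statements, * and ? wildcards, the multi-valued aws:CalledVia key, explicit deny beating any allow). The account ID, region, stack name, bucket suffix and the denied IAM actions are made-up inputs; the evaluator is not AWS's engine, so confirm the outcome with aws iam simulate-principal-policy before relying on it.

```python
"""Toy IAM evaluator for the CDK deploy policies discussed above.

Added example, not AWS's IAM engine and not code from the answers. Out of
scope: SCPs, permission boundaries, resource policies and every condition
operator other than ForAnyValue:StringEquals on aws:CalledVia.
"""
import json
import re

# Assumed inputs (made up for the example, not taken from the question).
ACCOUNT = "123456789012"
REGION = "eu-west-1"
STACK = "dev-MyStack"
VIA_CFN = {"aws:CalledVia": ["cloudformation.amazonaws.com"]}


def cdk_deploy_policy(account, region, stack_name):
    """Deploy policy built from the permission list in the last answer."""
    cfn = f"arn:aws:cloudformation:{region}:{account}:stack/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # change-set operations on the app stack and the bootstrap stack only
                "Sid": "ChangeSets", "Effect": "Allow",
                "Action": ["cloudformation:DescribeStacks", "cloudformation:CreateChangeSet",
                           "cloudformation:DescribeChangeSet", "cloudformation:ExecuteChangeSet",
                           "cloudformation:DescribeStackEvents", "cloudformation:DeleteChangeSet"],
                "Resource": [f"{cfn}{stack_name}/*", f"{cfn}CDKToolkit/*"],
            },
            {   # asset upload to the bootstrap bucket; the trailing * also matches object keys
                "Sid": "StagingBucket", "Effect": "Allow",
                "Action": ["s3:*Object", "s3:ListBucket", "s3:GetBucketLocation"],
                "Resource": "arn:aws:s3:::cdktoolkit-stagingbucket-*",
            },
            {   # everything else, but only when the call is made on CloudFormation's behalf
                "Sid": "ViaCloudFormationOnly", "Effect": "Allow", "Action": "*", "Resource": "*",
                "Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": ["cloudformation.amazonaws.com"]}},
            },
            {   # assumed explicit deny: no new long-lived credentials, not even from a template
                "Sid": "NoNewCredentials", "Effect": "Deny",
                "Action": ["iam:CreateUser", "iam:CreateAccessKey"], "Resource": "*",
            },
        ],
    }


def _glob(pattern, value, ignore_case=False):
    """IAM-style wildcard match: * matches anything (including /), ? one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Only ForAnyValue:StringEquals is modelled: any request value must equal a wanted value."""
    for operator, pairs in condition.items():
        if operator != "ForAnyValue:StringEquals":
            raise NotImplementedError(operator)
        for key, wanted in pairs.items():
            if not set(_as_list(context.get(key, []))) & set(_as_list(wanted)):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny'; an implicit deny is reported as 'Deny' too."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_glob(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny wins regardless of any matching allow
        allowed = True
    return "Allow" if allowed else "Deny"


def demo():
    """Evaluate representative requests a cdk deploy (or an abuser) would make."""
    policy = cdk_deploy_policy(ACCOUNT, REGION, STACK)
    own = f"arn:aws:cloudformation:{REGION}:{ACCOUNT}:stack/{STACK}/0f1e2d"
    other = f"arn:aws:cloudformation:{REGION}:{ACCOUNT}:stack/prod-Other/0f1e2d"
    role = f"arn:aws:iam::{ACCOUNT}:role/{STACK}-LambdaRole"
    user = f"arn:aws:iam::{ACCOUNT}:user/backdoor"
    return {
        "change_set_on_own_stack": evaluate(policy, "cloudformation:CreateChangeSet", own),
        "change_set_on_other_stack": evaluate(policy, "cloudformation:CreateChangeSet", other),
        "put_asset_in_staging_bucket": evaluate(policy, "s3:PutObject",
                                                "arn:aws:s3:::cdktoolkit-stagingbucket-abc123/assets/app.zip"),
        "list_unrelated_bucket": evaluate(policy, "s3:ListBucket", "arn:aws:s3:::customer-data"),
        "create_role_directly": evaluate(policy, "iam:CreateRole", role),
        "create_role_via_cloudformation": evaluate(policy, "iam:CreateRole", role, VIA_CFN),
        "create_user_via_cloudformation": evaluate(policy, "iam:CreateUser", user, VIA_CFN),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The last three results are the point of the second answer's caveat: iam:CreateRole is denied when the pipeline role calls it directly but allowed once the same call arrives with aws:CalledVia set to cloudformation.amazonaws.com, so anything a template (or a custom resource in it) can express is reachable, and only the explicit deny closes off iam:CreateUser on that path.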