Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: allow all sts options for roles assumed by the cli #31089

Draft
wants to merge 89 commits into
base: main
Choose a base branch
from
Draft

feat: allow all sts options for roles assumed by the cli #31089

wants to merge 89 commits into from

Conversation

sumupitchayan
Copy link
Contributor

@sumupitchayan sumupitchayan commented Aug 12, 2024
edited by iliapolo
Loading

Allow passing all STS options to assume role configuration for various CDK roles.

The following PR description focuses on Session Tags because it was originally the only option we wanted to add support to. After some thought, we decided to allow all available STS options via a transparent pass-through.

Prerequisites

Issue # (if applicable)

Closes #26157
Fixes #22535

Reason for this change

Enabling ABAC via STS session tags. From the AWS docs:

“Session Tags are key-value pair attributes that you pass when you assume an IAM role or federate a user in AWS STS. You do this by making an AWS CLI or AWS API request through AWS STS or through your identity provider (IdP). When you use AWS STS to request temporary security credentials, you generate a session. Sessions expire and have credentials, such as an access key pair and a session token. When you use the session credentials to make a subsequent request, the request context includes the aws:PrincipalTag context key. You can use the aws:PrincipalTag key in the Condition element of your policies to allow or deny access based on those tags”

Description of changes

The CDK creates 4 IAM roles during bootstrap. It then assumes these roles at various phases of the deployment.

  • DeploymentActionRole: Assumed when invoking CloudFormation operations such as Deploy and DescribeStackEvents.
  • FilePublishingRole: Assumed when file assets are uploaded to the bootstrap bucket.
  • ImagePublishingRole: Assumed when docker images are published to the bootstrap ECR registry.
  • LookupRole: Assumed while performing context lookups.

Each of these roles should be assumable with their own specific session tags, as they server different purposes.

Note: The CloudFormationExecutionRole is also created during bootstrap, but the CLI never assumes it, therefore it doesn't need session tags support.

Session tags for each role will be configurable via synthesizer properties (similarly to how externalId is exposed) both for the DefaultStackSynthesizer, and for a custom synthesizer extending the StackSynthesizer class. The new properties will propagate down and will eventually be written to the cloud assembly.

+ manifest.json

{
  "version": "36.0.0",
  "artifacts": {
    "MyStack.assets": {
      "type": "cdk:asset-manifest",
      "properties": {
        "file": "SeshTagsManifestStack.assets.json",
        "requiresBootstrapStackVersion": 6,
        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
      }
    },
    "MyStack": {
      "type": "aws:cloudformation:stack",
      "environment": "aws://unknown-account/unknown-region",
      "properties": {
        "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
          "assumeRoleAdditionalOptions": {
            "Tags": < deployRoleSessionTags > 
          }
        "lookupRole": {
          "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}",
          "requiresBootstrapStackVersion": 8,
          "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
          "assumeRoleAdditionalOptions": {
            "Tags": < lookupRoleSessionTags > 
          }
        }
      },

+ assets.json

{
  "version": "36.0.0",
  "files": {
    "9ebfd704f02f99b2711998e6435822b0dbed6e80dcac7e75f339fe894861ac20": {
      "source": {
        "path": "mystack.template.json",
        "packaging": "file"
      },
      "destinations": {
        "current_account-current_region": {
          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
          "assumeRoleAdditionalOptions": {
             "Tags": < fileAssetPublishingRoleSessionTags >
           }
        }
      }
    }
  },
  "dockerImages": {
    "dockerHash": {
      "source": {
        "directory": "."
      },
      "destinations": {
        "current_account-current_region": {
          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-image-publishing-role-${AWS::AccountId}-${AWS::Region}"
          "assumeRoleAdditionalOptions": {
            "Tags": < imageAssetPublishingRoleSessionTags >
          }
        }
      }
    }
  }
}

Description of how you validated changes

  • CLI integration tests.
  • CLI and framework unit tests.

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@sumupitchayan
WIP: add placeholder integ test
4f7a820 
Signed-off-by: Sumu <sumughan@amazon.com>
@sumupitchayan
WIP: CLI bootstrap integ test is passing, even though it should be fa…
d02e7d2 
…iling with tags in custom bootstrap

Signed-off-by: Sumu <sumughan@amazon.com>
@github-actions github-actions bot added effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p1 labels Aug 12, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team August 12, 2024 18:49
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Aug 12, 2024
@sumupitchayan
cleanup comments in app.js
e50a57c 
Signed-off-by: Sumu <sumughan@amazon.com>
aws-cdk-automation
aws-cdk-automation requested changes Aug 12, 2024
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@sumupitchayan
Integ test now 'successfully' fails as intended; switched session tag…
9f2e54b 
…s to cfnexecutionrole instead of deployrole

Signed-off-by: Sumu <sumughan@amazon.com>
@sumupitchayan
add principaltag to deployrole policy
da3ee2b 
Signed-off-by: Sumu <sumughan@amazon.com>
@sumupitchayan
WIP: make framework changes
2720e81 
Signed-off-by: Sumu <sumughan@amazon.com>
@sumupitchayan
WIP: CLI changes in sdk-provider
47e947b 
Signed-off-by: Sumu <sumughan@amazon.com>
@aws-cdk-automation aws-cdk-automation added the pr/needs-cli-test-run This PR needs CLI tests run against it. label Aug 13, 2024
@sumupitchayan
Integ test successfully failing
35a2c86 
Signed-off-by: Sumu <sumughan@amazon.com>
@sumupitchayan
add tags to lambda stack
53a70ee 
Signed-off-by: Sumu <sumughan@amazon.com>
mergify bot pushed a commit to cdklabs/cloud-assembly-schema that referenced this pull request Sep 17, 2024
@sumupitchayan
feat: additional options when assuming roles (#33)
d3ee265 
Required to implement [session tags](aws/aws-cdk#26157) and a prerequisite to aws/aws-cdk#31089.
mergify bot pushed a commit to cdklabs/cdk-assets that referenced this pull request Sep 19, 2024
@sumupitchayan
feat: additional options when assuming publishing roles (#40)
cef9267 
Required to implement [session tags](aws/aws-cdk#26157) and a prerequisite to aws/aws-cdk#31089.

### Notes

- Requires cdklabs/cloud-assembly-schema#33 to be merged first.
@iliapolo iliapolo added the pr-linter/exempt-integ-test The PR linter will not require integ test changes label Sep 19, 2024
@github-actions github-actions bot added bug This issue is a bug. and removed feature-request A feature should be added or improved. labels Sep 20, 2024
iliapolo
iliapolo reviewed Sep 20, 2024
View reviewed changes
packages/@aws-cdk/cx-api/FEATURE_FLAGS.md Outdated
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file is a duplicate of https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md and should never have been committed.

@aws-cdk-automation
Copy link
Collaborator

➡️ PR build request submitted to test-main-pipeline ⬅️

A maintainer must now check the pipeline and add the pr-linter/cli-integ-tested label once the pipeline succeeds.

@aws-cdk-automation
Copy link
Collaborator

The pull request linter fails with the following errors:

❌ CLI code has changed. A maintainer must run the code through the testing pipeline (git fetch origin pull/31089/head && git push -f origin FETCH_HEAD:test-main-pipeline), then add the 'pr-linter/cli-integ-tested' label when the pipeline succeeds.

PRs must pass status checks before we can provide a meaningful review.

If you would like to request an exemption from the status checks or clarification on feedback, please leave a comment on this PR containing Exemption Request and/or Clarification Request.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 6e08d60
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cgarvis cgarvis cgarvis left review comments

@rix0rrr rix0rrr rix0rrr left review comments

@iliapolo iliapolo iliapolo requested changes

@aws-cdk-automation aws-cdk-automation aws-cdk-automation requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
bug This issue is a bug. contribution/core This is a PR that came from AWS. effort/medium Medium work item – several days of effort p1 pr/needs-cli-test-run This PR needs CLI tests run against it. pr-linter/exempt-integ-test The PR linter will not require integ test changes
Projects
None yet
Milestone
No milestone
5 participants
@sumupitchayan @rix0rrr @iliapolo @aws-cdk-automation @cgarvis