-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(scheduler-targets-alpha): scope down permissions for sqs and kinesis stream targets #32122
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #32122 +/- ##
=======================================
Coverage 77.19% 77.19%
=======================================
Files 105 105
Lines 7164 7164
Branches 1311 1311
=======================================
Hits 5530 5530
Misses 1454 1454
Partials 180 180
Flags with carried forward coverage won't be shown. Click here to find out more.
|
Thanks Grace, changes are looking good, though I see there are some assertions added to integration tests, before approving want to confirm if we've also verified it in console that reducing these permissions is not affecting the functionality. |
Thanks Shikha! Yes I deployed stacks from integ tests locally and verified in the console the schedule successfully invokes the targets (i.e. message is received by SQS queue and record is received by Kinesis stream). |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
156e38b
to
8b1e662
Compare
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Comments on closed issues and PRs are hard for our team to see. |
Issue # (if applicable)
Tracking #31785
Reason for this change
We want to enforce principle of least privilege when granting target actions to the scheduler execution role. From the Scheduler docs, only
kinesis:PutRecord
andsqs:SendMessage
are required. Previously we were using built-in grant methods for these targets that granted additional permissions. If wider permissions are needed the user can always provide their own IAM role for the scheduler to use.KMS permissions references from service docs:
Description of changes
Description of how you validated changes
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
BREAKING CHANGE: Extra permissions are removed from Schedule execution role for SQS and Kinesis Stream schedules.