-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(aws-iam): grants support non-identity principals #1623
Conversation
Add support for non-identity Principals in grants (for example, principals that represent accounts or organization IDs). For resources that support them, the required IAM statements will be added to the resource policy. For resources that don't support them (because they don't have resource policies) an error will be thrown. Add a new `OrganizationPrincipal` principal which represents all identities in the given AWS Organization. Fixes #236.
Pre-emptive implementation FAQ Why does
|
if (!props.principal) { return true; } | ||
|
||
const addedToPrincipal = props.principal.addToPolicy(new PolicyStatement() | ||
.addActions(...props.actions) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If there are not props.actions
, then the statement can (should? must?) be skipped. Same goes for resourceArns
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The alternative is that that's an error. I see what you're saying, but feels like the chance for this to be a mistake is bigger than for it to be an expected use case?
@rix0rrr let us know when you want a re-review |
I need to get around to it again. But nothing majorly blocking in the reviews so far it seems. |
Ready for that re-review @eladb @RomainMuller |
throw new Error(`Either 'scope' or 'resource' must be supplied.`); | ||
} | ||
|
||
// One-iteration loop to be able to skip to end of function easily |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's wrong with using an inner function then? 🤷🏻♂️ You can return from that whenever you please.
actions, | ||
resourceArns: [ | ||
this.tableArn, | ||
new cdk.Token(() => this.hasIndex ? `${this.tableArn}/index/*` : new cdk.Aws().noValue).toString() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rebase
When we say *Principal*, we mean an entity you grant permissions to. This | ||
entity can be an AWS Service, a Role, or something more abstract such as "all | ||
users in this account" or even "all users in this organization". An | ||
*Identity* is an IAM representing a single IAM entity that can have |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"is an IAM resource representing"
resourceArns: string[]; | ||
|
||
/** | ||
* Adder to the resource policy |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rephrase, it's not an "adder" anymore
* Either 'scope' or 'resource' must be supplied. | ||
* | ||
* An error will be thrown if the policy could not be added to the principal, | ||
* no resource is supplied given and `skipResourcePolicy` is false. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"supplied given"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Kinda feels like it should be possible to supply only resource
without resourceArns
somehow. Maybe IResourceWithPolicy
can have a property resourceArn
which will be the canonic resource ARN to be used?
* | ||
* @default Same as regular resource ARNs | ||
*/ | ||
resourceSelfArns?: string[]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wouldn't this make more sense as an enum or boolean?
do { | ||
if (!options.principal) { | ||
// tslint:disable-next-line:max-line-length | ||
scope.node.addWarning(`Could not add grant for '${options.actions}' on '${options.resourceArns}' because the principal was not available. Add the permissions by hand.`); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hell yeah!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure this should be a warning, but okay to start
throw new Error(`Either 'scope' or 'resource' must be supplied.`); | ||
} | ||
|
||
// One-iteration loop to be able to skip to end of function easily |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Although this is creative and nice, I rather we keep all our IAM code very simple and straightforward, so it will be dead easy to maintain and reason about.
scope?: cdk.IConstruct; | ||
} | ||
|
||
export class Permissions { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Something feels wrong with this and I am not sure why. Can we talk? 📲
We agreed during a chat to make grant methods output an opaque type which will be produced by our grant method. Also split out grant method into 2 flavours for the different code paths. |
identity.addToPolicy(new iam.PolicyStatement() | ||
.addAllResources() | ||
.addAction("cloudwatch:PutMetricData")); | ||
public static grantPutMetricData(principal?: iam.IPrincipal) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't this return a Grant?
@@ -180,11 +181,11 @@ export class Table extends Construct { | |||
*/ | |||
public static grantListStreams(principal?: iam.IPrincipal): void { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should the awslint rule also be applied to static methods?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably. One problem with the statics is that we won't have a scope
to attach a warning to.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably not the end of the world
.addResources(this.tableArn, new cdk.Token(() => this.hasIndex ? `${this.tableArn}/index/*` : new cdk.Aws().noValue).toString()) | ||
.addActions(...actions)); | ||
public grant(principal?: iam.IPrincipal, ...actions: string[]): iam.GrantResult { | ||
return iam.Permissions.grant({ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was under the impression that we wanted a specific API for resources with resource policies, no?
…to huijbers/iam-refactor
…to huijbers/iam-refactor
] | ||
] | ||
} | ||
}, | ||
{ | ||
"Action": [ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does it make sense that we lost these permissions?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, the user pulling from ECR doesn't need to create logs (they should have never have been part of that grant in the first place).
packages/@aws-cdk/aws-dynamodb-global/lib/aws-dynamodb-global.d.ts
Outdated
Show resolved
Hide resolved
packages/@aws-cdk/aws-dynamodb-global/lib/dynamodb.generated.js
Outdated
Show resolved
Hide resolved
….onPonPrincipalOrResource
NuGet build error again. Seems to be getting worse? |
feat(aws-iam): grants support non-identity principals …
Add support for non-identity Principals in grants (for example,
principals that represent accounts or organization IDs). For resources
that support them, the required IAM statements will be added to the
resource policy. For resources that don't support them (because they
don't have resource policies) an error will be thrown.
Add a new
OrganizationPrincipal
principal which represents allidentities in the given AWS Organization.
Fixes #236.
Pull Request Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.