Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

iam: add more granular grant permissions #24074

Closed
1 of 2 tasks
justinwiley opened this issue Feb 8, 2023 · 2 comments · Fixed by #24211
Closed
1 of 2 tasks

iam: add more granular grant permissions #24074

justinwiley opened this issue Feb 8, 2023 · 2 comments · Fixed by #24211
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2

Comments

@justinwiley
Copy link

justinwiley commented Feb 8, 2023
edited
Loading

Describe the feature

The IAM grant mechanism (grantWrite, grantRead, etc) should allow for additional parameters that can override the default permissions.

Use Case

The default permissions granted using grantWrite, grantRead etc can be overly permissive for certain usecases. For example bucket.grantWrite(principale) leads to the IAM permissions:

s3:Abort*
s3:DeleteObject*
s3:PutObject
s3:PutObjectLegalHold
s3:PutObjectRetention
s3:PutObjectTagging
s3:PutObjectVersionTagging

For certain usecases, these are overly permissive. One example is granting a principal access to a write only bucket containing an audit log; the principal shouldn't be able to delete objects.

Proposed Solution

One possible implementation:

const user = new iam.User(stack, 'audit-log-writer'))
const bucket = new s3.Bucket(this, 'audit-log-bucket', {...});
bucket.grantWrite(
  user, 
  null,
  ['s3:Abort*', 's3:DeleteObject*'] // proposed third option, which would include default actions to remove from the grant
)

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.63.2

Environment details (OS name and version, etc.)

mac os
@justinwiley justinwiley added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Feb 8, 2023
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Feb 8, 2023
@khushail
Copy link
Contributor

khushail commented Feb 8, 2023

Hi @justinwiley , thanks for reaching out and suggesting this feature request. I am marking this issue as p2, which means that we are unable to work on this immediately.

We use +1s to help prioritize our work, and are happy to revaluate this issue based on community feedback. You can reach out to the cdk.dev community on Slack to solicit support for reprioritization. Meanwhile, you could use Escape hatches as a workaround.

@khushail khushail added p2 and removed needs-triage This issue or PR still needs to be triaged. labels Feb 8, 2023
@khushail khushail assigned khushail and unassigned khushail Feb 8, 2023
@khushail khushail added the effort/small Small work item – less than a day of effort label Feb 8, 2023
@lpizzinidev lpizzinidev mentioned this issue Feb 17, 2023
Merged
lpizzinidev added a commit to lpizzinidev/aws-cdk that referenced this issue Feb 22, 2023
@lpizzinidev
Merge branch 'main' into awsgh-24074
04115e0
lpizzinidev added a commit to lpizzinidev/aws-cdk that referenced this issue Feb 23, 2023
@lpizzinidev
Merge branch 'main' into awsgh-24074
f383804
lpizzinidev added a commit to lpizzinidev/aws-cdk that referenced this issue Feb 23, 2023
@lpizzinidev
Merge branch 'main' into awsgh-24074
be95818
lpizzinidev added a commit to lpizzinidev/aws-cdk that referenced this issue Mar 1, 2023
@lpizzinidev
Merge branch 'main' into awsgh-24074
c77175d
mergify bot added a commit to lpizzinidev/aws-cdk that referenced this issue Mar 28, 2023
@mergify
Merge branch 'main' into awsgh-24074
3d79254
@mergify mergify bot closed this as completed in #24211 Mar 28, 2023
mergify bot pushed a commit that referenced this issue Mar 28, 2023
@lpizzinidev
feat(s3): add allowedActionPatterns parameter to grantWrite (#24211)
5b5c36f 
I've added an optional parameter `allowedActionPatterns` that will restrict the permissions to a certain list of action patterns for the `grantWrite` method.

Closes #24074 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(s3): add allowedActionPatterns parameter to grantWrite lpizzinidev/aws-cdk
2 participants
@justinwiley @khushail