feat(aws-iam): Add permissionsBoundary to IAM Role L2 construct #2919
Conversation
robertd
force-pushed
the
iam-role-add-permissions-boundary
branch
from
9244fbf to
9c2b7af
Compare
| * @link https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html | ||
| */ | ||
|
|
||
| readonly permissionsBoundary?: string; |
robertd
force-pushed
the
iam-role-add-permissions-boundary
branch
from
9c2b7af to
cf1a17f
Compare
|
@eladb I'm going to need a bit of help with this PR. I can't figure out why |
robertd
force-pushed
the
iam-role-add-permissions-boundary
branch
4 times, most recently
from
e4851b9 to
6fe42ee
Compare
robertd
force-pushed
the
iam-role-add-permissions-boundary
branch
from
6fe42ee to
9891b25
Compare
|
@eladb @rix0rrr I've taken a stab at this. It needs a review. One can now pass permissions boundary policy in L2 role construct. I apologize for so many forced pushes, but master has been somewhat of a moving target lately :). I'm open for feedback. Few things to consider. I was not able to figure out how to create |
| * | ||
| * @default - No permissions boundaries required. | ||
| */ | ||
| readonly permissionsBoundary?: IPolicy; |
There was a problem hiding this comment.
Pretty sure this needs to be a managed policy instead of a policy. AFAIK you can not attach an inline policy as a permissions boundary. Once this proposed change is through (#2974 (comment)), customer managed policies will then also be supported.
There was a problem hiding this comment.
I created a PR for that change here #3578 so people can get some eyes on it
|
@robertd are you able to make the required changes to this PR? If not I can have a look at implementing this. |
|
Sander, go ahead ah work on PR. I don’t think i’ll have time to look on it (knee surgery).
…On Wed, Aug 7, 2019 at 6:02 PM Iain Cole ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In ***@***.***/aws-iam/lib/role.ts
<#2919 (comment)>:
> + * A permissions boundary is an advanced feature for using a managed policy
+ * to set the maximum permissions that an identity-based policy can grant to
+ * an IAM entity. An entity's permissions boundary allows it to perform only
+ * the actions that are allowed by both its identity-based policies and its
+ * permissions boundaries.
+ *
+ * You can use an AWS managed policy or a customer managed policy to set the
+ * boundary for an IAM entity (user or role). That policy limits the maximum
+ * permissions for the user or role.
+ *
+ * @link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-permissionsboundary
+ * @link https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
+ *
+ * @default - No permissions boundaries required.
+ */
+ readonly permissionsBoundary?: IPolicy;
I created a PR for that change here #3578
<#3578> so people can get some eyes on
it
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#2919?email_source=notifications&email_token=AAAHWN232Y5LT3VCARBRHPDQDNPC7A5CNFSM4HZFTEEKYY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOCA5MLCA#discussion_r311810070>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAAHWNYPOZHCGXOBKHGIB5LQDNPC7ANCNFSM4HZFTEEA>
.
|
| @@ -240,6 +262,13 @@ export class Role extends Resource implements IRole { | |||
| } | |||
| return result; | |||
| } | |||
|
|
|||
| function _setPermissionsBoundary(policy?: IPolicy) { | |||
There was a problem hiding this comment.
I'd rather inline this as a ternary.
| * | ||
| * @attribute | ||
| */ | ||
| readonly permissionsBoundary?: string; |
|
Superseded by Sander's PR. |
Closes #2915
@eladb @rix0rrr @skinny85 Please review... I hope I did it right 😅.
Pull Request Checklist
designfolderBy submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.