(aws-eks): Support custom IAM Roles for all Lambda Functions in CDK EKS Construct Library #17339
Comments
Think we should implement a more "general" solution? I'm unsure if allowing to pass these roles is the right way. Maybe implementing an aspect overriding the roles is the better solution for your use case? But I am trying to solve the same "Problem". There are more roles, and I think we have to handle them in Cluster Resource Provider:

=> Those roles are the default LambdaRoles extended with

    props.adminRole.grant(onEvent.role!, 'sts:AssumeRole');
    props.adminRole.grant(isComplete.role!, 'sts:AssumeRole');

So for least privilege those permissions shouldn't be granted to the "ProviderRoles". There we have ProviderframeworkisCompleteServiceRole. Those are the default lambda permissions extended with:

    this.onEventHandler.grantInvoke(fn);
    this.isCompleteHandler.grantInvoke(fn);

Then we have the ProviderwaiterstatemachineRole that is allowed to invoke

    role.addToPolicy(new PolicyStatement({
      actions: ['lambda:InvokeFunction'],
      resources: [props.isCompleteHandler.functionArn],
    }));
    role.addToPolicy(new PolicyStatement({
      actions: ['lambda:InvokeFunction'],
      resources: [props.timeoutHandler.functionArn],
    }));

... ignoring the kubectl part ...

So looking at the grants provided here - you won't get "less" policies? Or you would make them less least privileged. My attempt at making those roles "compliant" is creating an IAM Permissions boundary and writing an aspect that mutates the IAM Roles created by cdk and appends the permissions boundary. What do you think, or how would you create your "compliant" roles? I would like to know more about your use case.
+1

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

Hi, has anyone found a path forward with this? There are environments where role creation is not allowed.

Look into aspects - they allow manipulation of existing constructs.

Thanks for the tip! If a developer went down this road, they'd have to create the visitor to trap for the specific construct and then write the specific logic. Allowing the role assignment seems more straightforward and simpler...
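The aspect approach the two comments above describe, as an added example that is not from the issue thread or from aws-cdk-lib: a visitor that walks the construct tree, traps every L1 `CfnRole` (including the ones the cluster and kubectl providers create internally) and stamps the organization's permissions boundary onto it, then a synth-time check that reports any role still lacking one. To keep the example self-contained, the construct tree, `IAspect`, `CfnRole` and `Role` below are local stand-ins that mirror the CDK names; against a real stack you would import those from `constructs` and `aws-cdk-lib/aws-iam` and register the aspect with `Aspects.of(stack).add(...)`. The stack layout and the boundary ARN are constructed sample data.

```typescript
// Added example: a model of the CDK Aspect pattern for applying an IAM permissions
// boundary to roles a construct library creates on the caller's behalf.
// Construct, CfnRole, Role and IAspect are local stand-ins for the CDK types.

// ---- minimal construct tree (stand-in for the `constructs` package) ----
class Construct {
  readonly children: Construct[] = [];
  readonly path: string;
  constructor(readonly scope: Construct | undefined, readonly id: string) {
    this.path = scope ? `${scope.path}/${id}` : id;
    scope?.children.push(this);
  }
}

// L1 resource: like iam.CfnRole, it carries the raw CloudFormation property.
class CfnRole extends Construct {
  permissionsBoundary?: string;
}

// L2 construct: like iam.Role, it wraps a CfnRole child named "Resource".
class Role extends Construct {
  readonly resource: CfnRole;
  constructor(scope: Construct, id: string) {
    super(scope, id);
    this.resource = new CfnRole(this, 'Resource');
  }
}

interface IAspect {
  visit(node: Construct): void;
}

// CDK applies an aspect to every node beneath the scope it is added to, which is
// what lets a single aspect reach roles created inside nested providers.
function applyAspect(scope: Construct, aspect: IAspect): void {
  aspect.visit(scope);
  for (const child of scope.children) applyAspect(child, aspect);
}

// ---- the aspect: trap CfnRole nodes, set the boundary ----
class PermissionsBoundaryAspect implements IAspect {
  readonly visited: string[] = [];
  constructor(private readonly boundaryArn: string) {}

  visit(node: Construct): void {
    // Only the L1 role has CloudFormation properties; the L2 Role is just its wrapper.
    if (node instanceof CfnRole) {
      node.permissionsBoundary = this.boundaryArn;
      this.visited.push(node.path);
    }
  }
}

// Guardrail check for synth time: list every role that still has no boundary,
// so a violation surfaces before deploy instead of as a failed CloudFormation event.
function rolesWithoutBoundary(scope: Construct): string[] {
  const missing: string[] = [];
  const walk = (n: Construct) => {
    if (n instanceof CfnRole && !n.permissionsBoundary) missing.push(n.path);
    n.children.forEach(walk);
  };
  walk(scope);
  return missing;
}

// Constructed sample tree shaped like the providers named in the issue.
function buildExample(boundaryArn: string) {
  const stack = new Construct(undefined, 'EksStack');
  const clusterProvider = new Construct(stack, 'ClusterResourceProvider');
  new Role(clusterProvider, 'OnEventHandlerServiceRole');
  new Role(clusterProvider, 'IsCompleteHandlerServiceRole');
  const kubectlProvider = new Construct(stack, 'KubectlProvider');
  new Role(kubectlProvider, 'HandlerServiceRole');

  const before = rolesWithoutBoundary(stack).length; // 3 roles, none bounded yet
  const aspect = new PermissionsBoundaryAspect(boundaryArn);
  applyAspect(stack, aspect);
  return { stack, aspect, before, after: rolesWithoutBoundary(stack) };
}
```

The aspect never touches trust policies or the inline grants the construct library adds, so it does not change what the provider Lambdas can do; it only caps their effective permissions at the boundary, which is usually what an organizational guardrail requires when the roles themselves cannot be supplied as props.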
Description
Requesting a feature to allow support for specifying custom IAM Roles for all dependent Lambda Functions generated by AWS CDK EKS Construct Library's Cluster Resource Provider and Kubectl Provider.
IAM Roles generated by Cluster Resource and Kubectl Provider are:
Use Case
This allows us to create IAM Roles compliant with the security guardrails put in place for the organization and pass them over to the EKS Construct Library for use, vs creating multiple new IAM Roles that can not be modified using Construct Properties.
Proposed Solution
Example solution is to optionally allow specifying multiple custom IAM Roles for each use case, or consolidate them as part of one service role for cluster-setup-related AWS Lambda Functions. Example PR to support a custom IAM Role for the Kubectl Handler Lambda Function is #17196.
Other information
No response