Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

app-staging-synthesizer: asset roles should assume deploy roles when bootstrapped roles are used #27202

Open
kaizencc opened this issue Sep 19, 2023 · 0 comments
Open

app-staging-synthesizer: asset roles should assume deploy roles when bootstrapped roles are used #27202

kaizencc opened this issue Sep 19, 2023 · 0 comments
Labels
@aws-cdk/app-staging-synthesizer-alpha Related to the @aws-cdk/app-staging-synthesizer-alpha package bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@kaizencc
Copy link
Contributor

Describe the bug

Creating the file role currently looks like this, and the problem is that everyone in the account can assume this file role, and write to that S3 bucket. If the deploy role is provided we can use that instead.

private ensureFileRole() {
    if (this.providedFileRole) {
      // Override
      this.fileRoleManifestArn = this.providedFileRole._arnForCloudAssembly();
      const cfnArn = this.providedFileRole._arnForCloudFormation();
      this.fileRole = cfnArn ? iam.Role.fromRoleArn(this, 'CdkFileRole', cfnArn) : undefined;
      return;
    }

    const roleName = this.fileRoleName;
    this.fileRole = new iam.Role(this, 'CdkFileRole', {
      roleName,
      assumedBy: new iam.AccountPrincipal(this.account),
    });

    this.fileRoleManifestArn = Stack.of(this).formatArn({
      partition: '${AWS::Partition}',
      region: '', // iam is global
      service: 'iam',
      resource: 'role',
      resourceName: roleName,
      arnFormat: ArnFormat.SLASH_RESOURCE_NAME,
    });
  }

The workaround to this is to just supply your own file role in this.providedFileRoles

Expected Behavior

n/a

Current Behavior

n/a

Reproduction Steps

n/a

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

latest

Framework Version

No response

Node.js Version

Node 18

OS

Mac

Language

Typescript

Language Version

No response

Other information

No response
@kaizencc kaizencc added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. p2 effort/small Small work item – less than a day of effort @aws-cdk/app-staging-synthesizer-alpha Related to the @aws-cdk/app-staging-synthesizer-alpha package and removed needs-triage This issue or PR still needs to be triaged. labels Sep 19, 2023
@github-actions github-actions bot mentioned this issue Oct 1, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/app-staging-synthesizer-alpha Related to the @aws-cdk/app-staging-synthesizer-alpha package bug This issue is a bug. effort/small Small work item – less than a day of effort p2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@kaizencc