Least Privilege Permissions to run cdk bootstrap #21937
Comments
This would be great for the getting started page and/or the bootstrapping page in our devguide @jerry-aws. I'm not sure how necessary all the permissions you've listed here are @sriharshakns, but thanks for the work you've put in for this so far! I don't think you'll need |
I'd like to add this information to the Developer Guide but I'll seek a more canonical answer from our core developers. I also need to make sure there's a process to ensure it doesn't go stale. |
Could we have an AWS-managed CDK bootstrap core policy |
Recent versions of CDK now need |
Is everybody aware that this block:
Effectively is a privilege escalation vector?
|
At the time of writing this comment and with the most recent version of So now the full policy becomes:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudformation:CreateChangeSet",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeChangeSet",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStacks",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:GetTemplate"
      ],
      "Resource": "arn:aws:cloudformation:*:*:stack/CDKToolkit/*",
      "Effect": "Allow",
      "Sid": "CloudFormationPermissions"
    },
    {
      "Action": [
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:GetRole",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:PutRolePolicy"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::*:policy/*",
        "arn:aws:iam::*:role/cdk-*"
      ]
    },
    {
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:PutBucketPolicy",
        "s3:DeleteBucketPolicy",
        "s3:PutBucketPublicAccessBlock",
        "s3:PutBucketVersioning",
        "s3:PutEncryptionConfiguration",
        "s3:PutLifecycleConfiguration"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::cdk-*"
      ]
    },
    {
      "Action": [
        "ssm:DeleteParameter",
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:PutParameter"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:ssm:*:*:parameter/cdk-bootstrap/*"
      ]
    },
    {
      "Action": [
        "ecr:CreateRepository",
        "ecr:DeleteRepository",
        "ecr:DescribeRepositories",
        "ecr:SetRepositoryPolicy",
        "ecr:PutLifecyclePolicy"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:ecr:*:*:repository/cdk-*"
      ]
    }
  ]
}
```
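The following is an added example, not code from this thread, from the commenters, or from the CDK project. It is a small static linter over the policy posted above: it lists resources that are bare wildcards rather than pinned to a `cdk-*` style prefix, flags the `iam:CreateRole` plus `iam:AttachRolePolicy`/`iam:PutRolePolicy` combination that the earlier comment calls a privilege escalation vector (and checks whether the `arn:aws:iam::*:policy/*` wildcard also reaches AWS-managed policies, since `*` in the account field matches `aws`), and produces a copy in which those role-shaping actions are gated on the real IAM condition key `iam:PermissionsBoundary`. `CDK_BOOTSTRAP_POLICY` is a condensed copy of the policy in the thread; `BOUNDARY_ARN` is an assumed placeholder, and the boundary policy itself is not shown.

```python
"""Static checks on an IAM policy meant for `cdk bootstrap` (added example)."""
import copy
import fnmatch
import json

# Condensed copy of the policy posted in the thread above (same actions/resources).
CDK_BOOTSTRAP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CloudFormationPermissions", "Effect": "Allow",
         "Action": ["cloudformation:CreateChangeSet", "cloudformation:DeleteStack",
                    "cloudformation:DescribeChangeSet", "cloudformation:DescribeStackEvents",
                    "cloudformation:DescribeStacks", "cloudformation:ExecuteChangeSet",
                    "cloudformation:GetTemplate"],
         "Resource": "arn:aws:cloudformation:*:*:stack/CDKToolkit/*"},
        {"Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:DeleteRole", "iam:GetRole", "iam:AttachRolePolicy",
                    "iam:DetachRolePolicy", "iam:DeleteRolePolicy", "iam:PutRolePolicy"],
         "Resource": ["arn:aws:iam::*:policy/*", "arn:aws:iam::*:role/cdk-*"]},
        {"Effect": "Allow",
         "Action": ["s3:CreateBucket", "s3:DeleteBucket", "s3:PutBucketPolicy",
                    "s3:DeleteBucketPolicy", "s3:PutBucketPublicAccessBlock",
                    "s3:PutBucketVersioning", "s3:PutEncryptionConfiguration",
                    "s3:PutLifecycleConfiguration"],
         "Resource": ["arn:aws:s3:::cdk-*"]},
        {"Effect": "Allow",
         "Action": ["ssm:DeleteParameter", "ssm:GetParameter", "ssm:GetParameters",
                    "ssm:PutParameter"],
         "Resource": ["arn:aws:ssm:*:*:parameter/cdk-bootstrap/*"]},
        {"Effect": "Allow",
         "Action": ["ecr:CreateRepository", "ecr:DeleteRepository", "ecr:DescribeRepositories",
                    "ecr:SetRepositoryPolicy", "ecr:PutLifecyclePolicy"],
         "Resource": ["arn:aws:ecr:*:*:repository/cdk-*"]},
    ],
}
# Assumed placeholder: the permissions boundary every cdk-* role must carry.
BOUNDARY_ARN = "arn:aws:iam::123456789012:policy/cdk-bootstrap-boundary"
ROLE_POLICY_WRITES = {"iam:AttachRolePolicy", "iam:PutRolePolicy"}
GUARDED = {"iam:CreateRole"} | ROLE_POLICY_WRITES

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)

def allow_statements(policy):
    """Yield (index, action set, resource list) for every Allow statement."""
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") == "Allow":
            yield i, set(_as_list(stmt.get("Action", []))), _as_list(stmt.get("Resource", []))

def unscoped_resources(policy):
    """(statement index, ARN) pairs whose resource name is a bare wildcard:
    'role/cdk-*' is pinned to a prefix, 'policy/*' and '*' are not."""
    flagged = []
    for i, _, resources in allow_statements(policy):
        for arn in resources:
            name = arn.rsplit(":", 1)[-1].split("/", 1)[-1]  # drop 'arn:...:' and the type
            if name.strip("*") == "":
                flagged.append((i, arn))
    return flagged

def role_escalation_findings(policy):
    """The combination flagged in the thread: the principal may both create roles
    and attach/inline policies on them. Also reports whether the policy-ARN
    wildcard reaches AWS-managed policies (account field 'aws')."""
    granted, policy_arns = set(), []
    for _, actions, resources in allow_statements(policy):
        granted |= actions & GUARDED
        if actions & ROLE_POLICY_WRITES:
            policy_arns += [r for r in resources if ":policy/" in r]
    if "iam:CreateRole" not in granted or not granted & ROLE_POLICY_WRITES:
        return None
    admin = "arn:aws:iam::aws:policy/AdministratorAccess"
    return {"actions": sorted(granted),
            "aws_managed_attachable": any(fnmatch.fnmatchcase(admin, p) for p in policy_arns)}

def require_permissions_boundary(policy, boundary_arn):
    """Copy of `policy` where CreateRole/AttachRolePolicy/PutRolePolicy only succeed
    when the target role carries `boundary_arn` (condition key iam:PermissionsBoundary).
    The guarded actions move to their own statement: a Condition applies to every
    action in a statement, and iam:GetRole etc. never carry that key, so keeping
    them in the conditioned statement would deny them."""
    out, kept, extra = copy.deepcopy(policy), [], []
    for stmt in out["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        hit = [a for a in actions if a in GUARDED]
        if stmt.get("Effect") != "Allow" or not hit:
            kept.append(stmt)
            continue
        remaining = [a for a in actions if a not in GUARDED]
        if remaining:  # an empty Action list is not valid IAM, so drop the statement instead
            stmt["Action"] = remaining
            kept.append(stmt)
        extra.append({"Effect": "Allow", "Action": hit, "Resource": stmt["Resource"],
                      "Condition": {"StringEquals": {"iam:PermissionsBoundary": boundary_arn}}})
    out["Statement"] = kept + extra
    return out

if __name__ == "__main__":
    print("unscoped:", unscoped_resources(CDK_BOOTSTRAP_POLICY))
    print("escalation:", role_escalation_findings(CDK_BOOTSTRAP_POLICY))
    print(json.dumps(require_permissions_boundary(CDK_BOOTSTRAP_POLICY, BOUNDARY_ARN), indent=2))
```

Run against the thread's policy, the only unscoped resource is `arn:aws:iam::*:policy/*`, and the escalation check reports that role creation and policy attachment are both granted and that the policy wildcard covers AWS-managed policies. The boundary condition narrows what a freshly created `cdk-*` role can ever be granted, but it only helps if the caller cannot also remove or rewrite the boundary policy, which this policy does not allow and the example does not check.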
I got stuck on this issue today. This topic is a life saver for me :-) Update.
|
This issue has received a significant amount of attention so we are automatically upgrading its priority. A member of the community will see the re-prioritization and provide an update on the issue. |
You also need the |
Another missing one is |
Describe the feature
Provide either a list of necessary permissions in the docs or an AWS managed role to perform cdk bootstrap using the command "cdk bootstrap".
It is very difficult to comply with the principle of least privilege when bootstrapping with CDK, as all the operations and permissions needed are not clearly listed. The --show-template flag only shows the changes that are going to happen, but not the list of actions needed to produce those changes.
Use Case
To provide the User with the minimum required permissions to only run the "cdk bootstrap" command successfully.
Proposed Solution
I think it would be useful to have a clear list of minimum permissions needed to run the bootstrap or to have an AWS managed role with these permissions.
Other Information
I found that the User with the following policy attached is able to bootstrap the environment successfully. User credentials were given using "aws configure".
Acknowledgements
CDK version used
2.39.1
Environment details (OS name and version, etc.)
Amazon Linux 2 (Cloud9 Environment)