Feature Request: Add PermissionsBoundary as option for role that gets created #27

Open
cervantek opened this issue Dec 6, 2019 · 6 comments
Labels
enhancement New feature or request

Comments

@cervantek

For SAM functions, you are able to specify a Permissions Boundary to use for the role that gets created automatically by Serverless::Function resources. However, there is no way for us as a consumer of these Serverless Applications to specify that to you.

Could you please add an optional parameter to the Serverless Application that allows us to specify a PermissionsBoundary?

If your App is passed PermissionsBoundary as a parameter by a user, simply pass it down to the Serverless::Function it creates. This should only be a few-line change to your template.

We (and others likely) cannot take advantage of your Serverless Apps due to being required (by a standard/policy within our organizations) to always specify a PermissionsBoundary on any role we create (or is created for us by things like SAM).

@joebaro joebaro added the enhancement New feature or request label May 5, 2021
@joebaro

joebaro commented May 5, 2021

Thank you for your feedback. We have noted this as a feature request.

@ArielPrevu3D

ArielPrevu3D commented Sep 22, 2021

Any plans on making this happen? Currently, the rotation applications are only useful if you want to give developers all access to the AWS account, which is often not possible.

@markussiebert

Need this too! Would implement this, but need to know where the template resides.

@Saberos

Saberos commented Jan 19, 2023

Are the SAM templates available anywhere to provide PRs on?

@asifma

asifma commented Oct 24, 2023

Can you please apply Globals.Function.PermissionsBoundary to the SAM template that gets created? This is supported by SAM. You can use this template as reference: https://github.com/aws-samples/cloudfront-authorization-at-edge/blob/master/template.yaml

I would have created a PR, but can't find the yaml template available anywhere in this repo.

@asifma

asifma commented Oct 27, 2023

Below is a proposed template for: SecretsManagerRDSPostgreSQLRotationSingleUser — version 1.1.384

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Parameters:
  endpoint:
    Type: String
    Description: The Secrets Manager endpoint to use.
  functionName:
    Type: String
    Description: The name of the Lambda function.
  invokingServicePrincipal:
    Type: String
    Description: The service principal for the invoking service.
    Default: secretsmanager.amazonaws.com
  vpcSubnetIds:
    Type: CommaDelimitedList
    Description: A comma-separated list of VPC subnet IDs applied to the database
      network.
    Default: ''
  vpcSecurityGroupIds:
    Type: CommaDelimitedList
    Description: A comma-separated list of security group IDs applied to the database.
    Default: ''
  kmsKeyArn:
    Type: String
    Description: The ARN of the KMS key that Secrets Manager uses to encrypt the secret.
    Default: ''
  excludeCharacters:
    Type: String
    Description: A string of the characters that you don't want in the password.
    Default: :/@"'\
  runtime:
    Type: String
    Description: The python runtime associated with the Lambda function
    Default: python3.9
  PermissionsBoundaryPolicyArn:
    Description: ARN of a boundary policy if your organisation uses some for roles, optional.
    Type: String
    Default: ""
Conditions:
  AddVpcConfig:
    Fn::And:
    - Fn::Not:
      - Fn::Equals:
        - ''
        - Fn::Join:
          - ''
          - Ref: vpcSubnetIds
    - Fn::Not:
      - Fn::Equals:
        - ''
        - Fn::Join:
          - ''
          - Ref: vpcSecurityGroupIds
  KmsKeyArnExists:
    Fn::Not:
    - Fn::Equals:
      - ''
      - Ref: kmsKeyArn
  ApplyPermissionsBoundary:
    !Not [!Equals [!Ref PermissionsBoundaryPolicyArn, ""]]

Resources:
  SecretsManagerRDSPostgreSQLRotationSingleUser:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName:
        Ref: functionName
      Description: Rotates a Secrets Manager secret for Amazon RDS PostgreSQL credentials
        using the single user rotation strategy.
      Handler: lambda_function.lambda_handler
      Runtime:
        Ref: runtime
      CodeUri:
        Bucket: <%REPO_BUCKET%>
        Key: 8494558e-a7c7-479b-b855-6a42fa99ba3f
      AutoPublishCodeSha256: b6db215a045dfe41d9838f1236af55b0de0d491d7d03b67d78ebde754eeadaae
      Timeout: 30
      PermissionsBoundary: !If
        - ApplyPermissionsBoundary
        - !Ref PermissionsBoundaryPolicyArn
        - !Ref AWS::NoValue
      Policies:
      - VPCAccessPolicy: {}
      - AWSSecretsManagerRotationPolicy:
          FunctionName:
            Ref: functionName
      - Fn::If:
        - KmsKeyArnExists
        - Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
            - kms:Decrypt
            - kms:DescribeKey
            - kms:GenerateDataKey
            Resource:
              Ref: kmsKeyArn
        - Ref: AWS::NoValue
      Environment:
        Variables:
          SECRETS_MANAGER_ENDPOINT:
            Ref: endpoint
          EXCLUDE_CHARACTERS:
            Ref: excludeCharacters
      VpcConfig:
        Fn::If:
        - AddVpcConfig
        - SubnetIds:
            Ref: vpcSubnetIds
          SecurityGroupIds:
            Ref: vpcSecurityGroupIds
        - Ref: AWS::NoValue
      Tags:
        SecretsManagerLambda: Rotation
  LambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName:
        Fn::GetAtt:
        - SecretsManagerRDSPostgreSQLRotationSingleUser
        - Arn
      Principal:
        Ref: invokingServicePrincipal
      SourceAccount:
        Ref: AWS::AccountId
Outputs:
  RotationLambdaARN:
    Description: The ARN of the rotation lambda
    Value:
      Fn::GetAtt:
      - SecretsManagerRDSPostgreSQLRotationSingleUser
      - Arn
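The proposed template only attaches the boundary when PermissionsBoundaryPolicyArn is non-empty, so a deploy that leaves the parameter at its default still produces an unbounded role, which is exactly what the organizational policy described at the top of the thread forbids. The following is an added example, not code from the thread or from the AWS repository: a small Python check that resolves the Ref/Fn::Equals/Fn::Not/Fn::If logic for a given set of parameter values and lists every AWS::Serverless::Function whose auto-created role would end up without a PermissionsBoundary, honouring Globals.Function.PermissionsBoundary as the fallback mentioned in the earlier comment. The TEMPLATE dict is a constructed, trimmed mirror of the template above, and the resource name RotationFunction and the example ARN in the test are hypothetical.

```python
NO_VALUE = object()  # stands for Ref AWS::NoValue, i.e. the property is omitted

# Constructed, trimmed mirror of the proposed template's boundary wiring (not the real template).
TEMPLATE = {
    "Parameters": {"PermissionsBoundaryPolicyArn": {"Type": "String", "Default": ""}},
    "Conditions": {
        "ApplyPermissionsBoundary": {"Fn::Not": [{"Fn::Equals": [{"Ref": "PermissionsBoundaryPolicyArn"}, ""]}]}
    },
    "Resources": {
        "RotationFunction": {  # hypothetical resource name
            "Type": "AWS::Serverless::Function",
            "Properties": {
                "PermissionsBoundary": {"Fn::If": ["ApplyPermissionsBoundary",
                                                   {"Ref": "PermissionsBoundaryPolicyArn"},
                                                   {"Ref": "AWS::NoValue"}]}
            },
        }
    },
}

def resolve(node, template, params):
    """Evaluate the intrinsics this template uses: Ref, Fn::Equals, Fn::Not, Fn::If."""
    if isinstance(node, dict) and len(node) == 1:
        (key, arg), = node.items()
        if key == "Ref":
            if arg == "AWS::NoValue":
                return NO_VALUE
            # deploy-time parameter value, else the declared Default
            return params.get(arg, template["Parameters"][arg].get("Default"))
        if key == "Fn::Equals":
            return resolve(arg[0], template, params) == resolve(arg[1], template, params)
        if key == "Fn::Not":
            return not resolve(arg[0], template, params)
        if key == "Fn::If":
            cond = resolve(template["Conditions"][arg[0]], template, params)
            return resolve(arg[1] if cond else arg[2], template, params)
    return node  # literal scalar (or a dict that is not an intrinsic)

def functions_missing_boundary(template, params):
    """Serverless::Function resources whose auto-created role would get no boundary."""
    # Globals.Function.PermissionsBoundary applies unless the resource sets its own
    fallback = template.get("Globals", {}).get("Function", {}).get("PermissionsBoundary")
    missing = []
    for name, res in template["Resources"].items():
        if res.get("Type") != "AWS::Serverless::Function":
            continue
        prop = res.get("Properties", {}).get("PermissionsBoundary", fallback)
        value = resolve(prop, template, params) if prop is not None else NO_VALUE
        if value is NO_VALUE or not value:  # omitted, or resolved to an empty string
            missing.append(name)
    return missing
```

Running the check with an empty parameter set reports RotationFunction as unbounded; supplying a boundary ARN, or setting Globals.Function.PermissionsBoundary, clears the finding.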
