
aws-iam: Make IAM.Role.defaultPolicy public #26611

Open
mainframenzo opened this issue Aug 2, 2023 · 1 comment
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2

Comments


mainframenzo commented Aug 2, 2023

Describe the feature

I am trying to modify the defaultPolicy in the IAM.Role construct. The default policy is a great feature - I don't have to worry too much about base permissions when instantiating constructs that manage them, etc. However, I should be able to modify any CloudFormation that gets created by the CDK easily, and I can't seem to with defaultPolicy being private. Please make this public!

Use Case

As one use-case, I'm trying to add Cfn metadata (not CDK Cfn metadata) because I want to use cfn_nag and not CDK nag to remediate some issues in a CICD scanning step (note that below is not possible today):

const cfnPolicy = buildProject.role?.defaultPolicy?.node.defaultChild as IAM.CfnPolicy;
cfnPolicy.addMetadata('cfn_nag', {
  'rules_to_suppress': [...]
});

For this particular use-case, I assign some additional permissions to a CodeBuild project, then try to cfn_nag remediate the role of the CodeBuild project permissions:

const buildProject = new CodeBuild.PipelineProject(this, 'action', ...);
buildProject.addToRolePolicy(...); 

const cfnRole = buildProject.role?.node.defaultChild as IAM.CfnRole;
cfnRole.addMetadata('cfn_nag', {
  'rules_to_suppress': [...]
});

The CloudFormation template has my new permissions under the defaultPolicy, but my metadata shows up under a referenced role, which cfn_nag doesn't seem to care for as remediating, which is just one reason I want access to the defaultPolicy:

  stacknamemyroleconstructIAMRole4AA71546:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          ...
      ManagedPolicyArns:
        ...
    Metadata:
      aws:cdk:path: stack-name/root-construct/my-role-construct/IAMRole/Resource
      cfn_nag:
        rules_to_suppress:
          - ...
  stacknamemyroleconstructIAMRoleDefaultPolicyC3A13125:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          ...
      PolicyName: stacknamemyroleconstructIAMRoleDefaultPolicyC3A13125
      Roles:
        - Ref: stacknamemyroleconstructIAMRole4AA71546
    Metadata:
      aws:cdk:path: stack-name/root-construct/my-role-construct/IAMRole/DefaultPolicy/Resource

Proposed Solution

Just make the private defaultPolicy field public. It's my template, darn it! :)

Other Information

Open to other work-arounds.

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.89.0

Environment details (OS name and version, etc.)

All

@mainframenzo mainframenzo added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Aug 2, 2023
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Aug 2, 2023
@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Aug 3, 2023
@meniluca

I am in desperate need of this. Currently, when enabling logRetention in Lambda CFN constructs, a default policy is created for the role (even if you provide one with the logRetentionRole parameter) with the following:

"PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "logs:DeleteRetentionPolicy",
        "logs:PutRetentionPolicy"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    },

This breaks the cdk-nag rule set on my project. There is no way I can add a suppression to that policy without having that field public.
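The post-synthesis route both posts are reaching for, as an added example that is not code from the issue or from aws-cdk-lib: it reads a synthesized template, finds the CDK-generated DefaultPolicy resources attached to a role through the aws:cdk:path suffix and the Roles back-reference visible in the template quoted above, reports the Allow statements on a bare `*` resource that cdk-nag and cfn_nag complain about, and attaches the cfn_nag suppression to the policy resource itself. The sample template (built from the two quoted resources plus the logRetention statement), the extra s3 statement, and the rule id and reason passed in are constructed for the example.

```typescript
// Added example, not from the CDK issue or aws-cdk-lib: post-synthesis handling of a Role's default
// policy in a synthesized template (cdk.out/<stack>.template.json). The CDK's aws:cdk:path metadata
// (".../DefaultPolicy/Resource") and the Roles: [{Ref}] back-reference make the generated policy
// findable without access to the private defaultPolicy field.
type Json = Record<string, any>;
interface Template { Resources: Record<string, Json>; }
// Constructed sample: the two resources quoted in the issue, in JSON form, with the logRetention
// wildcard statement from the comment added to the default policy.
const sampleTemplate: Template = { Resources: {
  stacknamemyroleconstructIAMRole4AA71546: { Type: 'AWS::IAM::Role', Properties: { AssumeRolePolicyDocument: { Statement: [] } },
    Metadata: { 'aws:cdk:path': 'stack-name/root-construct/my-role-construct/IAMRole/Resource' } },
  stacknamemyroleconstructIAMRoleDefaultPolicyC3A13125: {
    Type: 'AWS::IAM::Policy',
    Properties: {
      PolicyDocument: { Version: '2012-10-17', Statement: [
        { Action: ['logs:DeleteRetentionPolicy', 'logs:PutRetentionPolicy'], Effect: 'Allow', Resource: '*' },
        { Action: 's3:GetObject', Effect: 'Allow', Resource: 'arn:aws:s3:::example-bucket/*' },
      ] },
      PolicyName: 'stacknamemyroleconstructIAMRoleDefaultPolicyC3A13125',
      Roles: [{ Ref: 'stacknamemyroleconstructIAMRole4AA71546' }],
    },
    Metadata: { 'aws:cdk:path': 'stack-name/root-construct/my-role-construct/IAMRole/DefaultPolicy/Resource' },
  },
} };
// Logical ids of CDK-generated default policies attached to the role with logical id roleId.
function findDefaultPolicies(t: Template, roleId: string): string[] {
  return Object.keys(t.Resources).filter((id) => {
    const r = t.Resources[id];
    const roles: Json[] = r.Properties?.Roles ?? [];
    return r.Type === 'AWS::IAM::Policy'
      && /\/DefaultPolicy\/Resource$/.test(String(r.Metadata?.['aws:cdk:path'] ?? ''))
      && roles.some((x) => x.Ref === roleId);
  });
}
// Allow statements whose Resource includes a bare "*" (what cfn_nag W12 and cdk-nag flag), as "policyId#index".
function wildcardAllows(t: Template, policyId: string): string[] {
  const stmts: Json[] = t.Resources[policyId]?.Properties?.PolicyDocument?.Statement ?? [];
  return stmts.map((s, i) => ({ s, i }))
    .filter(({ s }) => s.Effect === 'Allow' && ([] as any[]).concat(s.Resource).indexOf('*') !== -1)
    .map(({ i }) => `${policyId}#${i}`);
}
// Attaches a cfn_nag suppression to the policy resource itself (the place the issue cannot reach from
// CDK code) without clobbering existing Metadata; the reason records why the finding is accepted.
function suppressOnPolicy(t: Template, policyId: string, ruleId: string, reason: string): Template {
  const res = t.Resources[policyId];
  if (!res) throw new Error(`no resource ${policyId}`);
  const meta: Json = (res.Metadata ??= {});
  const nag: Json = (meta.cfn_nag ??= { rules_to_suppress: [] });
  nag.rules_to_suppress.push({ id: ruleId, reason });
  return t;
}
```

Inside the app itself, the same construct is reachable as `role.node.tryFindChild('DefaultPolicy')` (the id shown in the aws:cdk:path above), but only after the first `addToRolePolicy` call has made the CDK create it.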
