13

I'm working with AWS CDK and every time I go to create a new resource (CodePipeline, VPC, etc) I end up in the same loop of...

  • try to deploy
  • "you are not authorized to foo:CreateBar"
  • update IAM permissions
  • try to deploy
  • "you are not authorized to baz:CreateZzz"
  • update IAM permissions

...over and over again. Then the same when I cdk destroy, but for "foo:DeleteFoo"

Is there a more efficient way to determine what permissions a policy needs to perform a certain CDK action? Maybe somewhere in the documentation I can reference?

Thanks

Donald P
  • 823
  • 6
  • 22
  • Can you share an example of a specific resource with a specific error? – Amit Baranes Apr 03 '20 at 23:07
  • I think an example is any Resource that requires other resources to be created. E.g. if I create a CodePipeline, the deploy will also require an IAM Role and an IAM Policy, which CDK will attempt to create. But since I didn't know that a CodePipeline Resource will create the IAM Roles and Policies, the deploy will fail at "deploy-user is not permitted to perform iam:role:create", so I'll add the role, and try again, and then the next time it will fail at "iam:policy:create" etc. Does that help clarify? – Donald P Apr 05 '20 at 20:08
  • It does, but it means the end-user doesn't have permissions to add permissions into the stack. Once you update the IAM role permissions, you are able to deploy the stack? – Amit Baranes Apr 05 '20 at 20:54
  • 1
    Yeah if I update the permissions I am able to deploy the stack. But as the stack gets larger having it fail is time consuming, so I am wondering if there is a way to know in advance (before failed deploy) to know exactly what permissions the deploying user is going to need (via cli command, documentation, or otherwise). – Donald P Apr 05 '20 at 21:20
  • I thought about debugging CDK source code from GitHub, I found some interesting things but I don't think they are related to your issue. If CDK would raise an error about code pipeline when trying to deploy code pipeline then GitHub is the right place. but if it's only permissions to create permissions.. then it's the user problem and not CDK. – Amit Baranes Apr 05 '20 at 21:53
  • appreciate your time, thanks – Donald P Apr 06 '20 at 01:04
  • In case you get another issue with a specific resource please let me know. – Amit Baranes Apr 06 '20 at 08:11
  • 1
    There's two ways, neither of which are all that palatable, hence I'm not offering them as answer: run with admin policies or do a `cdk synth` and grep for the resource types, then build your role and policies based on the permissions required to create and destroy those resources. Refusing to simply go the admin access route I use a variety of the latter where I built up a dev role over time that covers most of my CDK use cases. Not ideal either way. – Marakai Jun 21 '20 at 03:55
  • 2
    I don't think this is feasible. Theoretically it's possible to analyze the synthesized template. Though probably this is going to take you more time than the annoying loop you described. As an alternative, allow everything that is triggered via CloudFormation and just explicitly deny what you do not want to be managed by CFN. That's not the least-privilege principle, but the don't-go-crazy-on-every-tiny-change principle. ;) Here's a policy to do that: https://stackoverflow.com/a/61102280/2753241 – udondan Jul 09 '20 at 06:10
  • Appreciate the feedback. I ended up just whitelisting everything on a per-service basis, which is unfortunate, but trying to keep up with permissions otherwise is too time consuming. – Donald P Jul 09 '20 at 20:12
  • Does this answer your question? [What IAM permissions are needed to use CDK Deploy?](https://stackoverflow.com/questions/57118082/what-iam-permissions-are-needed-to-use-cdk-deploy) – quadroid Aug 20 '20 at 08:49
  • Unfortunately not, the top voted answer there says, "Apart from the permissions you need to create the actual resources", which is precisely what I am after. I think this is just a feature not supported by CDK, and I don't think there is any clearcut documentation that lists specifically which permissions are needed to create a specific resource. – Donald P Aug 28 '20 at 22:01
  • 1
    This isn't specifically a CDK problem - getting permissions right is challenging in AWS, and they can do better with their documentation. Also because the CDK is an abstraction on top of Cloudformation it makes it tougher. But as someone mentioned above if you run cdk synth and inspect the type of resource that's being created, e.g. Type: AWS::Cognito::UserPool that should give you a rough idea of the permissions you need to grant, this may be a useful reference https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncognitouserpools.html – Hom Bahrani Dec 29 '20 at 15:22
  • I am a bit late to the party, but I ran into this situation while trying to deploy my serverless app on SEED using a CI user. I ended up assigning AdministratorAccess to the user for the first run. Once the run has finished, head over to IAM -> Users -> User -> Access Advisor. It'll give you an overview of the services and actions within each service. You can then use this to build your policy and **replace the AdministratorAccess** policy on the user. Not ideal, as the user has temporary admin access, but perhaps a trade-off between security and not going crazy! – Sam Jan 17 '22 at 13:46
  • @Sam excellent information, thank you for that – Donald P Jan 28 '22 at 06:48
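As an added example (not code from the question or from any of the commenters), here is the `cdk synth` approach from the comments above scripted in Python: read the synthesized CloudFormation template, list every resource type it declares, and map each CloudFormation namespace to the IAM service prefix you then look up in the Service Authorization Reference. The template embedded below is constructed so the script runs offline; against a real project you would load `cdk.out/<StackName>.template.json` instead. The namespace-to-prefix table is a hand-maintained assumption covering only the services in the sample, and the lowercase-the-namespace fallback is a guess that is wrong for some services.

```python
import json
from collections import defaultdict

# Constructed stand-in for cdk.out/<StackName>.template.json. A single CodePipeline
# construct drags in IAM roles/policies and an S3 artifact bucket, which is why a
# "just a pipeline" deploy fails on iam:CreateRole before it ever touches CodePipeline.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "PipelineRole": {"Type": "AWS::IAM::Role"},
        "PipelineRolePolicy": {"Type": "AWS::IAM::Policy"},
        "ArtifactsBucket": {"Type": "AWS::S3::Bucket"},
        "Pipeline": {"Type": "AWS::CodePipeline::Pipeline"},
        "UserPool": {"Type": "AWS::Cognito::UserPool"},
        "CDKMetadata": {"Type": "AWS::CDK::Metadata"},
    }
})

# CloudFormation namespace -> IAM service prefix, for the cases where the two differ.
# Hand-maintained assumption; extend it as new resource types show up in your templates.
NAMESPACE_TO_PREFIX = {
    "Cognito": "cognito-idp",                    # AWS::Cognito::UserPool actions are cognito-idp:*
    "ElasticLoadBalancingV2": "elasticloadbalancing",
    "Logs": "logs",
    "CloudWatch": "cloudwatch",
    "CDK": None,                                  # AWS::CDK::Metadata has no IAM prefix of its own
}


def resource_types(template_text):
    """Return the sorted set of resource types declared in a CloudFormation template."""
    template = json.loads(template_text)
    return sorted({res["Type"] for res in template.get("Resources", {}).values()})


def iam_prefix(resource_type):
    """Map 'AWS::Service::Resource' to its IAM prefix, or None when there is none."""
    namespace = resource_type.split("::")[1]
    if namespace in NAMESPACE_TO_PREFIX:
        return NAMESPACE_TO_PREFIX[namespace]
    # Assumption: lowercasing the namespace is right for most services (iam, s3,
    # codepipeline, lambda, ...) but not all, so verify unknown prefixes by hand.
    return namespace.lower()


def services_by_prefix(template_text):
    """Group the template's resource types by the IAM prefix whose actions they need."""
    grouped = defaultdict(list)
    for rtype in resource_types(template_text):
        prefix = iam_prefix(rtype)
        if prefix is not None:
            grouped[prefix].append(rtype)
    return dict(grouped)


if __name__ == "__main__":
    # Each printed prefix is one page of the Service Authorization Reference to read;
    # the deployer needs the create/update/delete actions for the listed types.
    for prefix, types in sorted(services_by_prefix(SAMPLE_TEMPLATE).items()):
        print(f"{prefix}: {', '.join(types)}")
```

The output for the sample is `codepipeline`, `cognito-idp`, `iam` and `s3`: four services to grant for what looks like one resource in CDK code, which is the loop described in the question made visible before the first deploy.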

1 Answer

7

Here is a script that will execute whatever you pass to it, but will also capture the timestamps between when you passed it and when it finished executing, and will print all the AWS API events made by the configured default AWS user, as captured by CloudTrail. It can take around 20 minutes for the actions to show up in CloudTrail, but the script will check every minute until it gets results for that time range. If no AWS API calls are made during the time range, then no results will ever be returned. It's a simple script; there is no max timeout or anything.

#!/bin/bash -x
set -u

# CloudTrail's Username attribute is the IAM user name, or the session name for an
# assumed role; the last path component of the caller ARN covers both cases.
user_name=$(aws sts get-caller-identity | jq -r '.Arn | split("/") | last')
sleep 5 # Sleep so the sts call above falls outside our time range

# ISO 8601 UTC timestamps are unambiguous for --start-time/--end-time regardless of locale or timezone
start_time=$(date -u +%Y-%m-%dT%H:%M:%SZ)
sleep 1 # Sleep to avoid second-rounding issues

eval "$@"

sleep 1 # Sleep to avoid second-rounding issues
end_time=$(date -u +%Y-%m-%dT%H:%M:%SZ)

actions=""
while [ -z "$actions" ]; do
  sleep 60
  echo "Checking for events from $start_time to $end_time..."
  # CloudTrailEvent is a JSON string embedded in the JSON response, hence fromjson.
  # eventSource is "<service>.amazonaws.com"; dropping the suffix gives e.g. s3:PutBucketPolicy.
  # Some services (notably Lambda) append an API version to eventName, e.g. CreateFunction20150331
  # or AddPermission20150331v2; strip only that trailing suffix, never digits inside a service
  # name (s3, ec2, route53). Note a few sources differ from the IAM prefix, e.g. monitoring
  # (CloudWatch) and cognito-idp, so check the Service Authorization Reference for those.
  actions=$(aws cloudtrail lookup-events \
      --lookup-attributes AttributeKey=Username,AttributeValue="${user_name}" \
      --start-time "${start_time}" --end-time "${end_time}" \
    | jq -r '.Events[].CloudTrailEvent | fromjson
             | "\(.eventSource | sub("\\.amazonaws\\.com$"; "")):\(.eventName | sub("[0-9]{8}(v[0-9]+)?$"; ""))"' \
    | sort -u)
done

echo "AWS Actions Used:"
echo "$actions"

I call it get-aws-actions.sh, and it requires the AWS CLI to be installed as well as jq. For CDK I would use it like this:

./get-aws-actions.sh "cdk deploy && cdk destroy"

I'd have my admin-level credentials configured as the default profile so I know the deployment will not fail because of permission issues; then I use the returned results from this script to give permissions to a more specific deployment user/role for long-term use. The problem you can run into is that the first time you may only see a bunch of :Create* or :Add* actions, but really you'll need to add all the lifecycle actions for the ones you see. So if you see dynamodb:CreateTable, you'll want to make sure you also add UpdateTable and DeleteTable. If you see s3:PutBucketPolicy, you'll also want s3:DeleteBucketPolicy.

To be honest, for any service whose API calls don't allow access to data, I will just do <service>:*. An example might be ECS. I can't use ECS API calls to do anything to a container that CloudFormation won't need to do to manage the service. So for that service, if I knew I was doing containers, I'd just grant ecs:* on * to my deployer role. For a service like S3, Lambda, SQS, or SNS, where there is data access as well as resource creation access through an API, I'll need to be more deliberate with the permissions granted. My deployer role shouldn't have access to read all the data off all buckets or execute functions, but it does need to create buckets and functions.

  • dunno how I missed this one two years ago, gonna blame covid tho. Marked accepted as `most helpful` given there doesn't really seem to be a direct AWS way to accomplish what we were looking for here. Really appreciate the effort you put into the response, thank you. Some good info in the comments on the original question as well re: 'Access Adviser'. – Donald P Jan 28 '22 at 07:03
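As an added example, not part of the original answer: the post-processing the answer describes, written in Python. It takes CloudTrail records of the kind the script above looks up, normalises them to `service:Action` (dropping the Lambda API-version suffix and translating `monitoring` to the `cloudwatch` prefix), adds the Update/Delete-style counterparts for each Create/Put/Add action, wildcards infrastructure-only services such as ECS, and emits a policy document. The records are constructed, not real log data; the source-to-prefix table, the lifecycle verb table and the wildcard list are assumptions you maintain yourself.

```python
import json
import re
from collections import defaultdict

# Constructed CloudTrail records (only the two fields the technique needs). Not real log data.
SAMPLE_EVENTS = [
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "CreateTable"},
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy"},
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331"},
    {"eventSource": "lambda.amazonaws.com", "eventName": "AddPermission20150331v2"},
    {"eventSource": "ecs.amazonaws.com", "eventName": "CreateCluster"},
    {"eventSource": "ecs.amazonaws.com", "eventName": "RegisterTaskDefinition"},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "PutMetricAlarm"},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity"},
]

# eventSource host -> IAM prefix, for the cases where they differ (hand-kept assumption).
SOURCE_TO_PREFIX = {"monitoring": "cloudwatch"}

# Verb -> counterpart verbs to add so the role can update and tear down what it created.
# Heuristic: not every generated name exists (there is no s3:UpdateBucket, and CloudWatch's
# delete is DeleteAlarms), so check each line against the Service Authorization Reference.
LIFECYCLE = {
    "Create": ["Update", "Delete"],
    "Put": ["Delete"],
    "Add": ["Remove"],
    "Attach": ["Detach"],
    "Register": ["Deregister"],
    "Tag": ["Untag"],
}

# Services with no data-plane API behind IAM actions get "<service>:*", following the
# answer's reasoning for ECS. Assumption: this list is your call, per service.
WILDCARD_SERVICES = {"ecs"}

# Lambda-style API version suffix, e.g. CreateFunction20150331 or AddPermission20150331v2
VERSION_SUFFIX = re.compile(r"[0-9]{8}(v[0-9]+)?$")


def normalise(event):
    """'lambda.amazonaws.com' + 'CreateFunction20150331' -> 'lambda:CreateFunction'."""
    host = event["eventSource"].split(".")[0]
    prefix = SOURCE_TO_PREFIX.get(host, host)
    name = VERSION_SUFFIX.sub("", event["eventName"])
    return f"{prefix}:{name}"


def expand_lifecycle(action):
    """Return the action plus its counterparts from LIFECYCLE, as a set."""
    prefix, name = action.split(":", 1)
    out = {action}
    for verb, partners in LIFECYCLE.items():
        if name.startswith(verb):
            rest = name[len(verb):]
            out.update(f"{prefix}:{partner}{rest}" for partner in partners)
    return out


def build_policy(events, ignore=("sts",)):
    """Turn CloudTrail records into an IAM policy document, one statement per service."""
    actions = set()
    for event in events:
        action = normalise(event)
        if action.split(":")[0] in ignore:   # sts:GetCallerIdentity is the script's own call
            continue
        actions.update(expand_lifecycle(action))
    by_service = defaultdict(set)
    for action in actions:
        by_service[action.split(":")[0]].add(action)
    statements = []
    for service in sorted(by_service):
        allowed = [f"{service}:*"] if service in WILDCARD_SERVICES else sorted(by_service[service])
        # Resource "*" matches the answer's deployer-role approach; scope it down where you can.
        statements.append({"Effect": "Allow", "Action": allowed, "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(build_policy(SAMPLE_EVENTS), indent=2))
```

The generated document is a starting point, not a finished policy: `cloudwatch:DeleteMetricAlarm` in the output is exactly the kind of guessed name that has to be corrected by hand (the real action is `cloudwatch:DeleteAlarms`), and `Resource: "*"` should be narrowed to the stack's ARNs wherever the service supports resource-level permissions.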