-
Notifications
You must be signed in to change notification settings - Fork 418
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Allow assume role chaining with federated users (source identity and session tags) #5359
base: mainline
Are you sure you want to change the base?
Conversation
…session tags) Depending on the original credentials used to invoke the copilot cli command, the EnvManagerRole can only be assumed when it allows the original source identity and transitive tags to be passed to the session. These permissions should not be of harm when the user's session does not have a source identity or transitive tags.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The change looks good to me overall! Thank you for contributing! Have three general feedback. Can you
- update the title/commit with https://conventionalcomments.org/ (this should be a feature)
- test the code locally to make sure you would be able to assume env manager role with federated users
- make this feature configurable and enabled by default. It would be nice if you can add a flag to
env init
for this
Action: | ||
- sts:AssumeRole | ||
- sts:SetSourceIdentity | ||
- stsTagSession |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- stsTagSession | |
- sts: TagSession |
Sorry for not coming back to you any sooner :( Thanks for your comments!
Sure thing :)
Will do that with the addition of 3.
Sounds like a good idea. I would probably go in the following way: Have an option in the environment configuration. When initing an environment, there is a flag to enable adding the necessary permissions. In that way, the default (e.g. for existing environments) can stay the same, hence not adding these additional permissions. |
🍕 Here are the new binary sizes!
|
@iamhopaul123 Sorry for all the noise here with the single commits 🙈
Thanks for all your time reviewing this and investing the time to discuss this topic with me :) |
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## mainline #5359 +/- ##
=========================================
Coverage 69.91% 69.92%
=========================================
Files 299 299
Lines 45484 45508 +24
Branches 295 295
=========================================
+ Hits 31799 31820 +21
- Misses 12140 12143 +3
Partials 1545 1545
☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you so much for addressing my previous feedback. Left some suggestion regarding the scope of this feature but overall logic looks good to me!
@@ -485,6 +485,7 @@ func (o *initOpts) deployEnv() error { | |||
// Set the application name from app init to the env init command, and check whether a flag has been passed for envName. | |||
initEnvCmd.appName = *o.appName | |||
initEnvCmd.name = o.initVars.envName | |||
initEnvCmd.federatedSession = true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should probably keep it consistent with the default value in env init
which is false
. I would assume relatively few users would need to set this and they could use env init
instead of init
.
# - sts:SetSourceIdentity | ||
# - sts:TagSession | ||
{{- else}} | ||
additionalAssumeRolePermissions: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This field name seems a little too specific. We usually have some level of abstraction for our manifest field because otherwise the experience will be almost the same as yaml override.
I would prefer not to add any additional field to the env manifest for now and only keep it as a flag at env init
. Ideally we wouldn't need that flag either if we have a mechanism allowing users to customize their env bootstrap stack.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ideally we wouldn't need that flag either if we have a mechanism allowing users to customize their env bootstrap stack.
With that in mind, I would agree that it would probably make a lot more sense to allow overrides for the bootstrap stack as well. Having a flag, which would change the stack only for one time wouldn't make much sense, as the changes would be overridden once the first env deployment is started.
Let me look into what would be needed to allow env overrides to kick in when bootstrapping an environment 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it would take much more efforts for allowing env bootstrap override, so feel free to start from a flag if you think it's too overwhelming!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for not coming back to you any sooner :(
I looked into the override stuff and from the concept point of view, I'm a bit stuck I think. YamlPatch would, iirc, error out, if there is an add/replace/remove statement for a yaml path, which does not exist. That means, that we couldn't easily re-use the existing overrides for environments, but would instead need to have an additional overrides location for the env bootstrap stack.
From my point of view this doesn't sound that nice at all, given that the overrides would only be used once during bootstrap.
This issue does not exist in CDK, at least the user could workaround that by checking if a resource actually exists before doing things in CDK code.
Based on that, I would think that having a command line option only is probably the best way to go forward. Would you agree with this? 🤔
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hello @FlorianSW. Sorry for getting back late. I was on vacation before.
I would think that having a command line option only is probably the best way to go forward. Would you agree with this? 🤔
I would agree if we are only adding an extra optional flag to the env init
.
Depending on the original credentials used to invoke the copilot cli command, the EnvManagerRole can only be assumed when it allows the original source identity and transitive tags to be passed to the session.
These permissions should not be of harm when the user's session does not have a source identity or transitive tags.
Fixes #5358
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.