Apply PermissionBoundary to all bootstrap roles (for easier self-service bootstrapping under existing boundary)

[dverdonschot]

Describe the feature

PermissionBoundary is only applied to Cloudformation Execution Role when bootstrapping with option --custom-permission-boundary

cdk bootstrap --custom-permissions-boundary PermissionBoundary

The following roles currently do not get the PermissionBoundary when the Bootstrap is done with the command above:

DeploymentActionRole
FilePublishingRole
ImagePublishingRole
LookupRole

Use Case

The organisation I work for has a PermissionBoundary that enforces all roles to also be created with the PermissionBoundary.

        {
            "Sid": "RestrictRoleCreation",
            "Effect": "Deny",
            "Action": [
                "iam:CreateRole",
                "iam:UpdateRole",
                "iam:PutRolePermissionsBoundary"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "iam:PermissionsBoundary": [
                        "arn:aws:iam::*:policy/PermissionBoundary"
                    ]
                }
            }
        },

Currently we have to bootstrap CDK using a custom bootstrap-template.yaml that applies the PermissionBoundary on all other roles.
But sometimes this causes issues if someone later on runs cdk bootstrap without the template, and resources are updated without PermissionBoundary again...

Proposed Solution

Add below code to all roles created by bootstrap-template.yaml

      PermissionsBoundary:
        Fn::If:
          - PermissionsBoundarySet
          - Fn::Sub: 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${InputPermissionsBoundary}'
          - Ref: AWS::NoValue

I can make a PR for this if needed.

Other Information

Currently bootstrap-template.yaml only applies the below code for attaching the PermissionBoundary on CloudFormationExecutionRole:

      PermissionsBoundary:
        Fn::If:
          - PermissionsBoundarySet
          - Fn::Sub: 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${InputPermissionsBoundary}'
          - Ref: AWS::NoValue

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

v2.114.0

Environment details (OS name and version, etc.)

Ubuntu

[tim-finnigan]

Thanks for reaching out. It looks like this is a duplicate of aws/aws-cdk#12207. Can you confirm or highlight any differences between these issues?

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[dverdonschot]

Sorry for responding this late, should have opened this issue after the holidays.

In the mentioned issue aws/aws-cdk#12207 it shows that you can set the permissionBoundary with --custom-permissions-boundary only for the execution role.
You can also use the cdk.json option to apply the permissionBoundary to all stacks in all resources.

But the problem is that cdk bootstrap is not performed from the stack with cdk.json, but from the cdk bootstrap command.
CDK Bootstrap will still create the other roles, like the lookup role, without the permissionBoundary.

In the company that I work there is a PermissionBoundary that has a policy to only allow IAM Role creation if that role also uses the PermissionBoundary.

We can solve it currently by using a custom bootstrap-template.yml with the permissionBoundary added to the other roles.

      PermissionsBoundary:
        Fn::If:
          - PermissionsBoundarySet
          - Fn::Sub: 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${InputPermissionsBoundary}'
          - Ref: AWS::NoValue

But then we always need to use that template to bootstrap CDK.

Sometimes the existing CDK bootstrap get's broken or overwritten by a user, and then the user gets stuck creating a new bootstrap when they don't have the template, because the permissionBoundary is not applied to the other roles.

If we can just get the PermissionsBoundary code snippet applied to all roles by default, then we can bootstrap with 1 command and have the permissionBoundary attached to every role.

[mrh-chain]

@tim-finnigan would it be possible to get this re-opened? I just ran into this exact issue ;)

[kswanny]

+1 same issue

[bill-bryan-bp]

+1 same issue, had to create a custom template to include as mentioned by @dverdonschot. Any chance of this being resolved, I have had to describe this fix to multiple customers at this point and it really should be a simple fix.