-
Notifications
You must be signed in to change notification settings - Fork 5.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add iam role permission boundaries #7319
Conversation
Codecov Report
@@ Coverage Diff @@
## master #7319 +/- ##
=========================================
Coverage ? 87.88%
=========================================
Files ? 240
Lines ? 8854
Branches ? 0
=========================================
Hits ? 7781
Misses ? 1073
Partials ? 0
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you @thomaschaaf, looks great. I've just added few minor suggestions, and we should be good to go
@@ -54,6 +54,7 @@ provider: | |||
key2: value2 | |||
deploymentPrefix: serverless # The S3 prefix under which deployed artifacts should be stored. Default is serverless | |||
role: arn:aws:iam::XXXXXX:role/role # Overwrite the default IAM role which is used for all functions | |||
permissionsBoundary: arn:aws:iam::XXXXXX:policy/policy # ARN of an Permissions Boundary for the role. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe let's rename it to rolePermissionsBoundary
(to correlate it more with role
setting, as otherwise we also have cfnRole
, provider.logs.restApi.role
etc, even though in other cases we never construct the role)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 Done
@@ -69,6 +69,11 @@ module.exports = { | |||
); | |||
iamRoleLambdaExecutionTemplate.Properties.Path = this.provider.naming.getRolePath(); | |||
iamRoleLambdaExecutionTemplate.Properties.RoleName = this.provider.naming.getRoleName(); | |||
|
|||
if ('permissionsBoundary' in this.serverless.service.provider) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should accepty only truthy values, so let's do:
if (this.serverless.service.provider.permissionsBoundary) {
...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@medikoo I have made the requested changes
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great, thank you @thomaschaaf
What did you implement
Added support for permission boundaries: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
Is this ready for review?: YES
Is it a breaking change?: NO