cdk deployに必要な権限ってなんだ？

Transcript

1. cdk deployʹ ඞཁͳݖݶͬͯͳΜͩʁ 2023/1/25 JAWS-UG CDKࢧ෦ #5

2. Kinyo
 
 גࣜձࣾి௨ࠃࡍ৘ใαʔϏεʢISIDʣ
 ηΩϡϦςΟΤϯδχΞʢ։ൃ΋গ͠ʣ
 
 
 
 ࠓ೔ͷ಺༰ʹ͍ͭͯϒϩά΋ॻ͖·ͨ͠👉
 ʮCDK Security

   And Safety Dev Guide ΛಡΜͰΈͨʯ
 
 CDK Security And Safety Dev Guide ͷ಺༰Λࢀߟʹ͍ͯ͠·͢
 https://github.com/aws/aws-cdk/wiki/Security-And-Safety-Dev-Guide
 
 CDK v2 ͷ DefaultStackSynthesizer Λ࢖͏લఏͷ࿩Ͱ͢ ࣗݾ঺հ

3. cdk deploy͢Δͱ͖ʹ AdministratorAccessΛ࢖͍ͬͯ·ͤΜ͔ʁ

4. ආ͚͍ͨ͜ͱ • CDKͰΠϯϑϥߏங͢ΔͨΊͷAWSΫϨσϯγϟϧ͕࿙Εͨͱ͖ʹɺ
 ڧ͍ݖݶ͕֎෦ʹ౉Δ͜ͱ CDK cdk deploy ։ൃऀ γεςϜ

5. CDK cdk deploy CloudFormation ϦιʔεσϓϩΠ Ϧιʔεૢ࡞Λ୲͏ͷ͸CloudFormation ඞཁͳݖݶ͸ʁ ڧ͍ݖݶ͕ඞཁ

6. ൿີ͸ cdk bootstrap ʹ͋Γ

7. cdk bootstrapͰ࡞੒͞ΕͨϦιʔεΛݟͯΈΑ͏ IAMϩʔϧ͕5ͭ࡞੒͞Ε͍ͯΔ ɾCloudFormationExecutionRole ɾDeploymentActionRole ɾFilePublishingRole ɾImagePublishingRole ɾLookupRole →কདྷͷcdk deployͰར༻͞ΕΔ

   Ξηοτ༻ͷECRϦϙδτϦ Ξηοτ༻ͷS3όέοτ

8. cdk deployͰى͍ͬͯ͜Δ͜ͱ CDK CloudFormation S3όέοτ ECRϦϙδτϦ LookupRole cdk deploy fromLookupͰ

   ϦιʔεΛࢀর͢Δ࣌ͳͲ PassRole ίϯςφΠϝʔδ ʢDockerImageAssetͳͲʣ CfnςϯϓϨʔτ΍ Lambdaؔ਺ίʔυ ࢀর ϦιʔεσϓϩΠ ࢀর File PublishingRole Image PublishingRole Deployment ActionRole CloudFormation ExecutionRole AssumeRole AssumeRole AssumeRole AssumeRole

9. ɾAWS؅ཧͷ ReadOnlyAccess ϙϦγʔ ɾΠϯϥΠϯͰ kms:Decrypt ͸ Deny ͞Ε͍ͯΔ ※Bootstrap v15

   ࣌఺

10. ɾΞηοτ༻S3όέοτ΁ͷݖݶ ɾ҉߸Խ༻KMSΩʔ΁ͷݖݶ ɾΞηοτ༻ECRϦϙδτϦ΁ͷݖݶ ※Bootstrap v15 ࣌఺

11. ɾCloudFormationͷૢ࡞ݖݶʢStackɺChangeSetʣ ɾΫϩεΞΧ΢ϯτͰPipelineͷArtifactΛૢ࡞͢ΔݖݶʢS3ͱKMSʣ ɾΞηοτ༻S3όέοτͷಡΈऔΓݖݶ ɾParameter Store͔ΒCDK bootstrapόʔδϣϯͷಡΈऔΓݖݶ ɾɹɹɹɹɹɹɹɹɹɹɹɹɹɹ ͷiam:PassRole CloudFormationExecutionRole ※Bootstrap

    v15 ࣌఺ CloudFormation ExecutionRole CloudFormation PassRole

12. AdministratorAccess ※Bootstrap v15 ࣌఺

13. ͭ·Γɺcdk deployʹඞཁͳݖݶ͸ʁ ͜ΕΒ΁ͷAssumeRoleݖݶ 🙅AssumeRoleෆཁ

14. { "Version": "2012-10-17", "Statement": [ { "Sid": "AssumeCDKRoles", "E ff

    ect": "Allow", "Action": "sts:AssumeRole", "Resource": [ "arn:aws:iam::111111111111:role/cdk-hnb659fds-deploy-role-111111111111-ap-northeast-1", "arn:aws:iam::111111111111:role/cdk-hnb659fds- fi le-publishing-role-111111111111-ap-northeast-1", "arn:aws:iam::111111111111:role/cdk-hnb659fds-image-publishing-role-111111111111-ap-northeast-1", "arn:aws:iam::111111111111:role/cdk-hnb659fds-lookup-role-111111111111-ap-northeast-1" ] } ] } cdk deploy͢ΔͨΊͷ࠷খݖݶIAMϙϦγʔ ෳ਺ϦʔδϣϯʹσϓϩΠ͢Δ৔߹ɺ ϩʔϧ͸Ϧʔδϣϯ͝ͱʹ͋Δ͜ͱʹ஫ҙ

15. cdk deploy͢Δݖݶ͕ ɾAdminݖݶΛ௚઀࣋ͨͳ͍ ɾAdminݖݶΛ࣋ͭϩʔϧΛAssumeͰ͖ͳ͍ ͜ͱͰϦεΫΛݮΒ͢

16. ͞Βʹਂ۷Γ ͜ΕͰສશʁ🤔

17. ݫີͳ੍ݶ͸Ͱ͖͖ͯͳ͍ • ɹɹɹɹɹɹɹ͕CloudFormationελοΫΛ࡞Εͯɺ
 AdminݖݶΛ౉ͤΔͷͰɺCloudFormationܦ༝Ͱ͍Ζ͍ΖͰ͖ͯ͠·͏
 • ྫ͑͹ɾɾɾ • ಛఆͷ໊લͷڧݖݶͷRoleΛ࡞੒͠ɺAssume͢Δ
 ʢAssumeΛڐՄ͢Δϩʔϧ໊ΛϫΠϧυΧʔυͰࢦఆ͍ͯ͠Δ৔߹ʣ •

    ɹɹɹɹɹɹɹࣗ਎ʹڧݖݶͷϙϦγʔΛ௥Ճ͢Δ Deployment ActionRole Deployment ActionRole

18. ݫີͳ੍ݶΛ͍ͨ͠৔߹͸ɺ ɹɹɹɹͷݖݶΛߜΔ CloudFormation ExecutionRole

19. cdk bootstrapͷΦϓγϣϯͰ ɹɹɹɹɹͷݖݶΛߜΔํ๏3ͭ • --cloudformation-execution-policies … ϙϦγʔΛ্ॻ͖ • https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html#bootstrapping-customizing •

    ؆୯ʹݖݶΛ੍ݶ͍ͨ͠৔߹ • --template … BootstrapςϯϓϨʔτΛϑϧΧελϚΠζ • https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html#bootstrapping-customizing-extended • --custom-permissions-boundary … Permissions boundaryΛ௥Ճʢv2.54.0~ʣ • https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk/README.md#cdk-bootstrap • IAMϦιʔεͷ࡞੒ΛڐՄͭͭ͠ݖݶঢ֨Λ๷͍͗ͨ৔߹ CloudFormation ExecutionRole

20. ݁࿦ bootstrapͨ͠ޙ͸ cdk deploy͢ΔݖݶΛݟ௚ͦ͏