The Niche of CDK Grant オブジェクトって何者？/the-niche-of-cdk-what-isgrant-object

by hassaku63

Slide 1

Slide 1 text

The Niche of CDK Grant ΦϒδΣΫτͬͯԿऀʁ 2025/07/11 @hassaku_63 AWS CDK Conference Japan 2025 presented by JAWS-UG

Slide 2

Slide 2 text

݁࿦ Grant ΦϒδΣΫτͱ͸ʁ • grantXXX ϝιουʹڞ௨͢Δ໭Γ஋ͷܕʢҰ෦ྫ֎͋ΓʣͰ͋Γɺ಺෦࣮૷Ͱ࢖ΘΕ͍ͯΔܕ • ʮڐՄΛग़͢ओମʯʮڐՄΛड͚औΔ۩৅ʯ͔Βಠཱͨ͠ʮ෇༩͢Δݖݶʯͷ֓೦Λநग़ͨ͠΋ͷ • ݖݶ෇༩ͷ۩৅͕ΞΠσϯςΟςΟϕʔεͰ͋Δ͔ʗϦιʔεϕʔεͰ͋Δ͔ɹ͔Β΋ಠཱͨ֓͠೦ʢର֎తʹ͸ʣ (ex. ಛఆͷ Service Role ΁ͷݖݶ෇༩΍ɺS3 Public Access ͷઃఆ) ։ൃऀ͸ Grant ͷଘࡏΛҙࣝ͢Δඞཁ͕͋Δ͔ʁ • ௨ৗͷ IaC ςϯϓϨʔτ։ൃʹ͓͍ͯ͸ෆཁɻҙࣝతʹѻ͏΂͖ػձ͸ʢଟ෼ʣͳ͍ • ؔ࿈͢ΔΠϯλϑΣʔεͷ IGrantable ͷଘࡏ͚ͩย۱ʹஔ͍͓ͯ͘ͱΑ͍͔΋ • grantXXX ܥϝιουΛࣗ࡞͢Δ༻ࣄ͕͋Δਓ͸ɺ஌͓ͬͯ͘ͱศརʢ͔΋͠Εͳ͍ʣ

Slide 3

Slide 3 text

ࠓ೔஻Δ͜ͱ 1. grantXXX ϝιουͱɺGrant ΦϒδΣΫτ / IGrantable ΠϯλϑΣʔε 2. ͲΜͳ༻ࣄΛ࣋ͭਓ͕ɺGrant Λҙࣝ͢Δͱྑ͍ʁ 3. ࢖༻ྫ 1. aws/aws-cdk ͷ಺෦࣮૷ΑΓ 2.खݩͰಈ͔ͤΔίʔυͷ঺հ ʢ஫ʣͨͿΜɺօ͞Μͷ໌೔͔Βͷ࣮຿ʹ͸໾ཱͪ·ͤΜ

Slide 4

Slide 4 text

GrantXXX ϝιουͱɺ Grant / IGrantable

Slide 5

Slide 5 text

grantXXX ϝιουͷΠϝʔδ myConstruct . grantXXX (target, options);

Slide 6

Slide 6 text

grantXXX ϝιουͷΠϝʔδ myConstruct . grantXXX (target, options); ϨγʔόΦϒδΣΫτ ʢओޠʣ

Slide 7

Slide 7 text

grantXXX ϝιουͷΠϝʔδ myConstruct . grantXXX (target, options); ϨγʔόΦϒδΣΫτ ʢओޠʣ ϝιουʢಈࢺ + ໨తޠʣ

Slide 8

Slide 8 text

grantXXX ϝιουͷΠϝʔδ myConstruct . grantXXX (target, options); ϨγʔόΦϒδΣΫτ ʢओޠʣ Ҿ਺ʢ໨తޠ2ʣ ϝιουʢಈࢺ + ໨తޠʣ

Slide 9

Slide 9 text

grantXXX ϝιουͷΠϝʔδ myConstruct . grantXXX (target, options); ϨγʔόΦϒδΣΫτ ʢओޠʣ Ҿ਺ʢ໨తޠ2ʣ ϝιουʢಈࢺ + ໨తޠʣ → myConstruct grants XXX permission to target

Slide 10

Slide 10 text

grantXXX ϝιουͷΠϝʔδ myConstruct . grantXXX (target, options); ϨγʔόΦϒδΣΫτ ʢओޠʣ Ҿ਺ʢ໨తޠ2ʣ ϝιουʢಈࢺ + ໨తޠʣ → myConstruct grants XXX permission to target ڐՄ͞ΕΔଆ (grantee) ͷԿ͔͠ΒͰɺiam.IGrantable ΠϯλϑΣʔεͷ࣮૷Ϋϥεܕ ※యܕతͳͷ͸ IAM Role ΍ Service Role ͷඥ͚͕ͮՄೳͳ೚ҙͷϦιʔε

Slide 11

Slide 11 text

(ex.) S3 όέοτʹର͢Δ Read ݖݶͷ෇༩ class Bucket - public grantRead(identity: IGrantable, objectsKeyPattern?: any): Grant myBucket myFunction ͓લ (IGrantable) ʹ ࢲΛ Read ͢Δ ڐՄΛ΍Ζ͏ ʮڐՄ͞ΕΔʯଆͷԿ͔͠Β = IGrantable ͷ࣮૷Ϋϥε ※಺෦తʹ͸ɺFunction ʹඥͮ͘ϓϦϯγύϧͰ͋Δ IAM Role (policy) ΁ͷ permission ௥Ճ͕ߦΘΕΔ

Slide 12

Slide 12 text

grantXXX ϝιουͷ࣮૷Πϝʔδ ΞΠσϯςΟςΟϕʔεͳ ݖݶ෇༩ͷ৔߹

Slide 13

Slide 13 text

grantXXX ϝιουͷ࣮૷Πϝʔδ ΞΠσϯςΟςΟϕʔεͳ ݖݶ෇༩ͷ৔߹

Slide 14

Slide 14 text

Grant ΦϒδΣΫτͬͯʁ grantXXX ͷ໋໊نଇΛ࣋ͭϝιουͷ໭Γ஋

Slide 15

Slide 15 text

Grant ΦϒδΣΫτͬͯʁ grantXXX ͷ໋໊نଇΛ࣋ͭϝιουͷ໭Γ஋ Α͘ݟΔ΍ͭ ୈҰҾ਺ʢ෇༩͢Δ૬खʣ͸ IGrantable Λ࣮૷͢Δ೚ҙͷܕ

Slide 16

Slide 16 text

Grant ΦϒδΣΫτͬͯʁ grantXXX ͷ໋໊نଇΛ࣋ͭϝιουͷ໭Γ஋ Grant ΦϒδΣΫτ (???)

Slide 17

Slide 17 text

ͲΜͳ༻ࣄΛ࣋ͭਓ͕ɺ Grant Λҙࣝ͢Δͱྑ͍ʁ

Slide 18

Slide 18 text

Grant Λҙࣝͨ͠Βخ͍͠ʢ͔΋͠Εͳ͍ʣ έʔε • CDK ίϯτϦϏϡʔλʔ • ෆಛఆ޲͚ͷڞ௨ϥΠϒϥϦ΍ Custom Construct Λ։ൃ͢Δਓ͕ɺ grantXXX ܥϝιουΛࣗ࡞͢Δ৔߹ʹҙࣝ͢Δ • ͋Δڞ༗Ϧιʔεʹର͢ΔݫີͳڐՄΛ෇༩͢Δํ๏Λఏڙ͍ͨ͠ • ڐՄΛ༩͑ΒΕΔଆ (grantee) ͷ۩৅ΛࣄલʹಛఆͰ͖ͳ͍

Slide 19

Slide 19 text

Grant Λҙࣝͨ͠Βخ͍͠ʢ͔΋͠Εͳ͍ʣ έʔε User Workload (1) User Workload (2) User Workload (n) ɾ ɾ ɾ Shared Service (ex. Πϕϯτϩάج൫) write log ೚ҙͷϫʔΫϩʔυ ෆಛఆͷΞϓϦ։ൃऀ͕ɺෆಛఆͷΞϓϦΛ ߏங͠ɺShared Service ʹॻ͖ࠐΈ ෆಛఆͷΞϓϦ͔Βͷ ॻ͖ࠐΈΛड͚෇͚Δڞ༗αʔϏε ʢྫ͑͹ɺOrg ؀ڥԼʹ͓͚Δ Log Archive ΞΧ΢ϯτͷϩάόέοτʣ

Slide 20

Slide 20 text

Slide 21

Slide 21 text

Grant Λҙࣝͨ͠Βخ͍͠ʢ͔΋͠Εͳ͍ʣ έʔε User Workload (1) User Workload (2) User Workload (n) ɾ ɾ ɾ Shared Service (ex. Πϕϯτϩάج൫) write log ຖ౓ಉ͡ permission ෇༩ͷ࣮૷Λ࠶ੜ࢈ ΋ͬͱγϯϓϧʹɺڞ௨Խͯ͠ɺ ؒҧ͍͕ൃੜ͠ͳ͍Α͏ʹ͍ͨ͠

Slide 22

Slide 22 text

Grant Λҙࣝͨ͠Βخ͍͠ʢ͔΋͠Εͳ͍ʣ έʔε User Workload (1) User Workload (2) User Workload (n) ɾ ɾ ɾ Shared Service (ex. Πϕϯτϩάج൫) write log ؀ڥ͝ͱͰΤϯυϙΠϯτ or ARN ͸ҟͳΔ͕ɺ ࣗ෼ࣗ਎ʹର͢Δ༻ࣄΛ࣋ͭΞϓϦ͕࣋ͭ΂͖ݖݶͷ ཁ݅͸ಉ͡ ϫʔΫϩʔυଆ͕ݖݶ෇༩ϩδοΫΛ౎౓࣮૷͢Δͷ͸ ඇޮ཰ͩ͠ɺ࣮૷ϛε͕ೖΓ͜Ή “Shared Service” Construct ʹର͢Δ “grant write” Λ ந৅Խͯ͠ɺϫʔΫϩʔυଆͰ࢖ͬͯ΋Β͏

Slide 23

Slide 23 text

Grant Λҙࣝͨ͠Βخ͍͠ʢ͔΋͠Εͳ͍ʣ έʔε Workload Stack ʢ஫ʣࡶ࣮૷ͳͷͰ ͋͘·ͰΞΠσΞͷ঺հఔ౓Ͱ

Slide 24

Slide 24 text

Grant Λҙࣝͨ͠Βخ͍͠ʢ͔΋͠Εͳ͍ʣ έʔε Workload Stack σϓϩΠ؀ڥʹԠͨ͡ ISharedService Λऔಘ ݱࡏͷ؀ڥʹରԠͨ͠ ॻ͖ࠐΈύʔϛογϣϯΛ෇༩

Slide 25

Slide 25 text

Grant Λҙࣝͨ͠Βخ͍͠ʢ͔΋͠Εͳ͍ʣ έʔε Shared Service

Slide 26

Slide 26 text

Grant Λҙࣝͨ͠Βخ͍͠ʢ͔΋͠Εͳ͍ʣ έʔε Shared Service ͜͜Ͱ௥Ճ͢΂͖ Policy Statement ͕ ෳࡶʹͳΔ৔߹͸ɺ Grant ͷѻ͍ํΛ஌͍ͬͯΔͱศར ʢಛʹɺ͜ͷػೳͷςετ༰қੑ؍఺ʣ

Slide 27

Slide 27 text

࢖༻ྫ

Slide 28

Slide 28 text

aws/aws-cdk-lib Bucket ͷجఈͰ͋Δ BucketBase Ϋϥεͷ “grantReplicationPermission” ϝιου S3 ͷϨϓϦέʔγϣϯߏ੒ʹ͓͍ͯɺϨϓϦέʔγϣϯͷ࣮ߦ࣌ʹ S3 ͕࢖༻͢Δ Service Role ʹରͯ͠ɺ ϨϓϦέʔγϣϯͷ࣮ߦʹඞཁͳݖݶΛ෇༩͢Δ΋ͷʢ࣮ଶͱͯ͠ඞཁͳݖݶ͕৭ʑ͋Δʣ ref: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html#grantwbrreplicationwbrpermissionidentity-props class BucketBase { public grantReplicationPermission( identity: IGrantable, props: GrantReplicationPermissionProps ): Grant { … } }

Slide 29

Slide 29 text

aws/aws-cdk-lib PR #34138 (closes: #34119) Bucket ͷجఈͰ͋Δ BucketBase Ϋϥεͷ “grantReplicationPermission” ϝιου S3 ͷϨϓϦέʔγϣϯߏ੒ʹ͓͍ͯɺϨϓϦέʔγϣϯͷ࣮ߦ࣌ʹ S3 ͕࢖༻͢Δ Service Role ʹରͯ͠ɺ ϨϓϦέʔγϣϯͷ࣮ߦʹඞཁͳݖݶΛ෇༩͢Δ΋ͷʢ࣮ଶͱͯ͠ඞཁͳݖݶ͕৭ʑ͋Δʣ

Slide 30

Slide 30 text

aws/aws-cdk-lib packages/aws-cdk-lib/aws-s3/test/bucket.test.ts ςετέʔε “grant permissions to custom replication role” ΑΓ

Slide 31

Slide 31 text

No content

Slide 32

Slide 32 text

ϓϦϯγύϧ “replicationRole” ʹର͢Δ ݖݶ෇༩ϩδοΫ͕ɺ ҙਤ௨Γͷ݁Ռʹͳͬͨ͜ͱͷݕূ

Slide 33

Slide 33 text

Example code (Gist) https://gist.github.com/hassaku63/79da57b244b3fddb48b416993376ce6c (CDK) ࣗ࡞ Construct ʹෳ߹తͳ ύʔϛογϣϯ෇༩Λߦ͏ ಠࣗͷ grant ϝιουΛ࣮૷ͯ͠ΈΔ

Slide 34

Slide 34 text

Example code (Gist) https://gist.github.com/hassaku63/79da57b244b3fddb48b416993376ce6c (CDK) ࣗ࡞ Construct ʹෳ߹తͳ ύʔϛογϣϯ෇༩Λߦ͏ ಠࣗͷ grant ϝιουΛ࣮૷ͯ͠ΈΔ

Slide 35

Slide 35 text

Point • ෳ߹తͳɺ͋Δ͍͸ݫີͳݖݶ෇༩Λ͍ͨ͠৔߹ʹ͸ grantXXX ܥϝιουΛࣗ࡞͢Δཧ༝͕͋Δ • ࣗ࡞ grantXXX ϝιουͷ಺෦Ͱ Grant.combine Λར༻ͯ͠ɺ ʮgrantXXX ʹΑΔݖݶͷ෇༩݁ՌʯΛ1ݸͷ Grant ΦϒδΣΫτʹ·ͱΊͯฦ͢ • grantXXX ϝιουͷ୯ମςετ͸ɺ໭Γ஋ͷ Grant Λௐ΂Ε͹ OK ʢ௨ৗͷ Stack/Construct ੜ੒͔Βͷ Template ϚονͰ΋OKʣ

Slide 36

Slide 36 text

Speaker hassaku63 (Takuya Hashimoto) repeat-contributor of aws/aws-cdk hassaku_63 hassaku63