Amplify-cli: Allow IAM Permission Boundary to be added to IAM Roles created by Amplify CLI

Created on 19 Jun 2020  路  5Comments  路  Source: aws-amplify/amplify-cli

Is your feature request related to a problem? Please describe.

I'm always frustrated when I can't use Amplify as whenever the IAM Roles try to get created in our AWS environment, due to the fact there is no IAM Permission Boundary applied to the roles, the IAM Roles fail to create 馃槩 . This means we can't use Amplify CLI to pre-create the AWS Resources.

Describe the solution you'd like

Whenever I use the AWS Amplify CLI to initialise a project, I would like to be able to pass in custom IAM Elements to be applied to the roles that get created. I could see this being done in a few ways.

  • There could be a flag which you append onto the Amplify CLI (maybe something like --iam-attributes) and this flag accepts a yml file (something like iam-roles-custom-attributes.yml) where I am able to pass in my custom IAM key/value stores (cloud formation). I think it should still use the default IAM Role(s) which get created by the Amplify CLI, I just need to be able to pass in custom values, that either override or append onto the custom roles that get created. If that makes sense?

Describe alternatives you've considered

  • There is possibly a more generic custom cloud formation attributes file --custom-attributes which takes a valid cloud formation yml file which uses the values in that file to append onto the resources being created by Amplify.

I have been thinking of a good way of doing this, and I really can't think of a great option 馃槩 I am very open to suggestions on how this can be found, I think passing in a cloud formation file with attributes (which in my case is the IAM Boundary) which appends onto the roles that are native created by Amplify.

Additional context

I don't think there is too much more context to share, in our environment, any IAM Roles that get created need to have a permission boundary applied, otherwise there is a policy that doesn't allow the roles to be created. We really would like to use the Amplify CLI, but due to our permission boundary, it isn't allowed 馃槩.

If this issue isn't clear (sorry) I am happy to explain a little more 馃憤

enhancement platform
Source
picture NickLiffen
👍2

Most helpful comment

This was asked for a while ago but there has been little movement on that issue #1311

I would be happy with an interim solution where I manually create the required roles and then during init I am prompted "Do you want to use existing roles or create new?"

So for the amplify init flow I would create the UnAuth and Auth roles upfront and then specify those.

This would make the init flow more complicated but I'd hide these prompts behind a flag so if a user needs these they could do something like amplify init --advanced

picture dexster on 9 Jul 2020
4

All 5 comments

Transferring from JS, as this appears to be CLI-related.

amhinson picture amhinson on 19 Jun 2020

@NickLiffen this is a hard area, to be generalized as you also found it out, since the CLI do require a set of permissions to be able to work correctly without problems. I think that beside that you'd like to have some solution for advanced use cases where the environment or the requirements are different than usual.

Do you think that it is only needs to be done for the init flow, because we also create and assign IAM permissions when creating/updating resources during deployment?

attilah picture attilah on 20 Jun 2020

Hey 馃憢 I completely agree this is a hard area 馃槩 the value of the Amplify CLI is it wraps an opinionated layer around AWS Services to meet a common use case; and what I am asking for, although I believe can be seen as a pattern, I understand is slightly "off pattern" from the standard use case.

If we thought IAM Boundaries was a common pattern it would be great if you could even pass in a flag directly to the CLI Command --iam-permissionsBoundary and we would pass in the Arn value. But I have a feeling this is too specific and would only meet a one off use case.

Maybe it's something we could add to the config.json file? 馃 馃挱 This could be better then passing in something to the CLI directly?

Do you think that it is only needs to be done for the init flow, because we also create and assign IAM permissions when creating/updating resources during deployment?

This is a great point! Yes, it would need to really be applied to any stack CRUD action, like creation, updating, etc. Anything in Amplify that touches the IAM Roles, would need this applied.

I am more than happy to contribute and help with this work, but I just wanted to align if this was coming you would be willing to accept into the Amplify framework. It would be amazing to help us use Amplify in our enterprise environment. 馃憤

Thanks for your response to this 馃挴

NickLiffen picture NickLiffen on 20 Jun 2020
👍2

@brene or @attilah any thoughts? 馃 馃挱 sorry to push, just curious to see your thoughts.

NickLiffen picture NickLiffen on 30 Jun 2020

This was asked for a while ago but there has been little movement on that issue #1311

I would be happy with an interim solution where I manually create the required roles and then during init I am prompted "Do you want to use existing roles or create new?"

So for the amplify init flow I would create the UnAuth and Auth roles upfront and then specify those.

This would make the init flow more complicated but I'd hide these prompts behind a flag so if a user needs these they could do something like amplify init --advanced

dexster picture dexster on 9 Jul 2020
4
Was this page helpful?
0 / 5 - 0 ratings

Related issues

jkeys-ecg-nmsu picture jkeys-ecg-nmsu  路  3Comments
nicksmithr picture nicksmithr  路  3Comments
mwarger picture mwarger  路  3Comments
jexh picture jexh  路  3Comments
MageMasher picture MageMasher  路  3Comments