-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(stepfunctions-tasks): run task permission is too broad (under feature flag) #30389
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request
. Additionally, if clarification is needed add Clarification Request
to a comment.
Exemption Request: I updated integration snapshots, but a change in the integration test file isn't needed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree that we were granting too much permission in the current solution based on the documentation you provided. However, I'm a bit worried that this would introduce breaking changes for existing users (who incorrectly rely on the broad permissions) and accepting this would break their application.
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@GavinZZ #30389 (review)
Feature flag?
Yes, thanks for leaving a comment. I think feature flag is needed in this case to guarantee no breaking change. IMO I think it's likely that only few users would experience any breaking changes from this change, but I don't have the data on me and it's our promise that stable module don't bring breaking changes. |
I don't even think this was working previously. See my PR description here: #27891. |
@msambol Sorry for the delayed response. A bit confused here. It seems there was an issue with too little permission and you've fixed it half a year ago. So I'm assuming this is working now except we've giving too much permission in the resource field, meaning that this is currently working right and it may be a breaking change? |
This https://github.com/aws/aws-cdk/pull/27891/files#diff-9d5f521b191b7a78f695205cd6cdbf39fce4ffcae0de03b4c4a92d3c59c06f3cL343 permission was initially there, but it didn't actually work or allow the integration tests to run properly. Adding https://github.com/aws/aws-cdk/pull/27891/files#diff-9d5f521b191b7a78f695205cd6cdbf39fce4ffcae0de03b4c4a92d3c59c06f3cR346 permission fixed it. I should have removed the initial condition when I added the other one. But if you feel we should do a feature flag just in case, we can add that. |
I would like to ask to add a feature flag just in case. Reason being is that my understanding is that currently we allow |
@GavinZZ Do you have an example on where we use a FF like this? |
This one seems to be similar https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/pipelines/lib/codepipeline/codepipeline.ts#L987 |
packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks-feature-flag.test.ts
Show resolved
Hide resolved
@GavinZZ Let me know what you think of this. Default is the extra permission gets added. |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one. |
Closes #30368.
Doc: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security_iam_id-based-policy-examples.html#IAM_run_policies