New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement an AWSLambdaBasicExecutionRole with the least privilege principle #6692
Conversation
…ciple Fixes serverless#6241 and reduces the size of the inline policy
Any news when it will be merged? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey @azizur thanks a lot for working on this 👍
I just did a review and test today and everything works as expected.
I tested a fresh deployment and an "upgrade" deployment (deploying with the current master
, then switching to your PR branch and re-deploying). Both worked without any problems.
I'd say this is GTM
@medikoo could you also take a quick look at this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks as great improvement.
Left one remark, as in previously merged PR, one of the changes proposed here, was rejected then (it'll be good to double ensure it's 100% safe)
Also I think it should not be marked to close #6241 as that one proposes we rely on AWS police directly, and here we're just reflecting permissions it sets up.
{ | ||
"Effect": "Allow", | ||
"Action": ["logs:PutLogEvents"], | ||
"Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Interesingly in #6241, it was assumed that resource definition for logs:CreateLogGroup
and logs:PutLogEvents
cannot be merged -> #6212 (comment)
(cc @rdsedmundo @pmuens )
I take, that after all they can be merged (so for logs:PutLogEvents
, :*
trailing can be stripped)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I thought that it could be a problem, but if you tested and it worked without the :* we should be good.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi everyone, this is my first PR, your feedback and support are really appreciated.
@medikoo I have not tested this specific scenario yet. I will test it and update in this thread.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have tested it using this simple repo: https://github.com/azizur/serverless-pull-6692 a completely new project and it worked. I have previously tested with my existing project already, so there was no need to test again.
I have tested with additional modification too:
- remove
*:*
from`:log-group:${logGroupsPrefix}*:*`,
It worked since it generated policy resource refrences like:
"arn:aws:logs:{AWS_REGION}:{AWS_ACCOUNT}:log-group:/aws/lambda/{function-a}-{stage}*:*"
Then I tried with additional modifications with mergeIamTemplates.js
-
remove
:*
from`:log-group:${customFunctionNamelogGroupsPrefix}:*`, -
remove
*:*
from`:log-group:${logGroupsPrefix}*:*`,
It did NOT worked since it generated policy resource refrence like:~
"arn:aws:logs:{AWS_REGION}:{AWS_ACCOUNT}:log-group:/aws/lambda/{function-a}-{stage}"
I think we can go with the additional modifications in
`:log-group:${logGroupsPrefix}*:*`, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Apologies for change to my previous message. I did not fully understand all the test scenarios. I have now checked the following policies and I can confirm that:
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
{
"Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/{function-a}*:*"
}
]
}
]
}
Works:
- ✅ creates log groups
- ✅ creates log streams
- ✅ Log stream as logs entries. <<< This was missed from my above testing.
When I modified https://github.com/serverless/serverless/blob/15dce40ce0284cf04e4c92754e85118a81cfec47/lib/plugins/aws/package/lib/mergeIamTemplates.js Line 104 and Line 113 in 15dce40.
Works:
- ✅ creates log groups
- ✅ creates log streams
Did not work:
- ❌ Log stream as logs entries. <<< This was missed from my above testing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great thanks @azizur for thorough check, we really appreciate it.
Let us know on final outcome.
This one actually fixes #6698 |
DO NOT MERGE YET |
How we looking on this? |
Apologies for the lack of update on this. I have got really busy week at work this week. Will try to take a look this weekend. |
@azizur not at all, thanks for taking the time! |
@azizur thanks again for taking the time to work on this! 👌 🥇 I don't want to hurry you and just want to check-in if you have any news on this PR. Let us know if you need help with anything else or if we should take it from here. |
Just wanted to do another follow-up here. Were you able to make any progress on this PR @azizur? Do you need any help here? Looks like the PR has some conflicts we need to resolve e.g. via a rebase. |
This looks like a very useful feature. Any reason it hasn't been merged yet? |
Taken in safer implementation at #7120 |
What did you implement:
Closes #6241 Implement an
AWSLambdaBasicExecutionRole
with the least privilege principleHow did you implement it:
How can we verify it:
Previously the inline policy would have looked something like this:
Now
Todos:
Note: Run
npm run test-ci
to run all validation checks on proposed changesValidate via
npm test
Validate via
npm run lint-updated
Note: Some reported issues can be automatically fixed by running
npm run lint:fix
Validate via
npm run prettier-check-updated
Note: All reported issues can be automatically fixed by running
npm run prettify-updated
Is this ready for review?: YES
Is it a breaking change?: NO