2

We want our developers to be able to create Code Pipelines that can deploy their services. This means they would need to be able to create IAM Roles for the Code Pipeline Steps.

This means we'd need to give our developers IAM capabilities. Is there a way to restrict this in a way that the IAM Roles they can create are limited to creating certain services? Let's say ECS, EC2, RDS related actions. Or maybe specifically blacklist certain services like IAM related actions.

Jim Mulvey
froi
    Check out [this](https://aws.amazon.com/premiumsupport/knowledge-center/iam-permission-boundaries/) example. – jellycsc Oct 22 '20 at 23:36

1 Answer

4

Yes. We do this by giving our developers a role (assumable by CodeBuild), which has the ability to create additional roles, subject to Permissions Boundaries. We encourage them to break up their CodePipeline into stages, and have separate roles for each stage. They use this CodeBuild role to spin up their pipelines. The roles are restricted in terms of what services they can be passed to, and what actions they can perform.

Quasi-CloudFormation on how to do this is below:

```yaml
  # Role the developers' CodeBuild projects assume to spin up pipelines.
  DeveloperPipelineCreateRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: "Developer-pipeline-create-role"
      ManagedPolicyArns:
        - !Ref DeveloperPipelineCreatePolicy
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codebuild.amazonaws.com
            Action:
              - sts:AssumeRole

  # Role creation/modification is allowed only when the target role carries
  # one of the approved permissions boundaries. If no boundary is supplied,
  # the iam:PermissionsBoundary key is absent and the request is denied.
  DeveloperPipelineCreatePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: "Developer-pipeline-create-policy"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowCreateRoles
            Effect: Allow
            Action:
              - iam:CreateRole
              - iam:DetachRolePolicy
              - iam:AttachRolePolicy
              - iam:PutRolePermissionsBoundary
            Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/*'
            Condition:
              StringEquals:
                iam:PermissionsBoundary:
                  - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/pipeline-iam-boundary'
                  - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/source-iam-boundary'
                  - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/build-iam-boundary'
                  - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/deploy-iam-boundary'
                  - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/execution-iam-boundary'

  # Boundary for the pipeline-stage role: whatever policies a developer
  # attaches, the role can only PassRole to the listed services (plus
  # whatever else is added in the second statement).
  CodePipelineBoundary:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub "pipeline-iam-boundary"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: RestrictPassRoleTargets
            Effect: Allow
            Action:
              - iam:PassRole
            Resource: "*"
            Condition:
              StringEqualsIfExists:
                iam:PassedToService:
                  - cloudformation.amazonaws.com
                  - elasticbeanstalk.amazonaws.com
                  - ec2.amazonaws.com
                  - ecs-tasks.amazonaws.com
          - Sid: AddStuffYourPipelineRoleMightDo
            Effect: Allow
            Action: (something)
            Resource: (something)

  SourceBoundary: (similar to above)
  BuildBoundary: (similar to above)
  ...
```
Jim Mulvey
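To make the two mechanisms in the answer concrete, here is an added example (not code from the answer or from AWS) of a minimal IAM-style policy evaluator. It models just enough of the evaluation logic to show that the developer role can only create roles that carry one of the approved boundary ARNs, and that a role created under the `pipeline-iam-boundary` is capped by that boundary even if `AdministratorAccess` is attached to it. The account id, the role name `team-a-pipeline`, the `PipelineActions` statement standing in for the answer's "(something)", and the evaluator's simplified semantics (only `StringEquals`/`StringLike` and their `IfExists` variants, no resource policies or SCPs) are all assumptions made for this illustration.

```python
"""Minimal IAM policy evaluator (constructed example, not AWS's evaluation engine)."""
import fnmatch

ACCOUNT = "123456789012"  # constructed placeholder account id
BOUNDARIES = [f"arn:aws:iam::{ACCOUNT}:policy/{name}-iam-boundary"
              for name in ("pipeline", "source", "build", "deploy", "execution")]
ROLE = f"arn:aws:iam::{ACCOUNT}:role/team-a-pipeline"  # hypothetical role being created


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value):
    # IAM wildcards '*' and '?' behave like fnmatch's (no path semantics)
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(condition, ctx):
    """Evaluate a Condition block against the request context keys."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            if key not in ctx:
                # ...IfExists passes when the key is absent; plain operators fail
                if if_exists:
                    continue
                return False
            if base == "StringEquals":
                ok = ctx[key] in _as_list(expected)
            elif base == "StringLike":
                ok = _match_any(expected, ctx[key])
            else:
                raise ValueError(f"unsupported condition operator {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, ctx=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    ctx = ctx or {}
    result = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if (_match_any(stmt["Action"], action)
                and _match_any(stmt.get("Resource", "*"), resource)
                and _condition_ok(stmt.get("Condition", {}), ctx)):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny always wins
            result = "Allow"
    return result


def is_allowed(identity_policy, action, resource, ctx=None, boundary=None):
    """Identity policy plus optional permissions boundary: allowed only if
    nothing denies the request and every applicable document allows it."""
    decisions = [evaluate(identity_policy, action, resource, ctx)]
    if boundary is not None:
        decisions.append(evaluate(boundary, action, resource, ctx))
    return all(d == "Allow" for d in decisions)


# Mirrors DeveloperPipelineCreatePolicy from the answer.
DEVELOPER_CREATE_POLICY = {"Statement": [{
    "Sid": "AllowCreateRoles", "Effect": "Allow",
    "Action": ["iam:CreateRole", "iam:DetachRolePolicy",
               "iam:AttachRolePolicy", "iam:PutRolePermissionsBoundary"],
    "Resource": f"arn:aws:iam::{ACCOUNT}:role/*",
    "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARIES}},
}]}

# Mirrors CodePipelineBoundary; the second statement is a constructed stand-in
# for the answer's "(something)" placeholder.
PIPELINE_BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
     "Condition": {"StringEqualsIfExists": {"iam:PassedToService": [
         "cloudformation.amazonaws.com", "elasticbeanstalk.amazonaws.com",
         "ec2.amazonaws.com", "ecs-tasks.amazonaws.com"]}}},
    {"Sid": "PipelineActions", "Effect": "Allow",
     "Action": ["codepipeline:*", "s3:GetObject"], "Resource": "*"},
]}

ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def developer_can_create_role(boundary_arn):
    """Can the developer role create ROLE with this boundary (None = none set)?"""
    ctx = {} if boundary_arn is None else {"iam:PermissionsBoundary": boundary_arn}
    return is_allowed(DEVELOPER_CREATE_POLICY, "iam:CreateRole", ROLE, ctx)


def pipeline_role_can(action, resource="*", ctx=None):
    """Effective permission of a role holding AdministratorAccess under the boundary."""
    return is_allowed(ADMIN, action, resource, ctx, boundary=PIPELINE_BOUNDARY)


if __name__ == "__main__":
    print(developer_can_create_role(BOUNDARIES[0]))   # True
    print(developer_can_create_role(None))            # False: no boundary supplied
    print(pipeline_role_can("iam:PassRole", ROLE, {"iam:PassedToService": "lambda.amazonaws.com"}))  # False
    print(pipeline_role_can("iam:CreateUser"))        # False: boundary caps the admin policy
```

The `developer_can_create_role(None)` case is the one worth checking in your own setup: because `StringEquals` (not the `IfExists` form) is used on `iam:PermissionsBoundary`, a `CreateRole` call that omits the boundary is denied rather than silently creating an unbounded role.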