7
votes

I want to set up my deployment pipelines so that they adhere to the principle of least privilege when they deploy assets to AWS. That means I don't want to give the deployment policy admin access or "*:*" privileges.

The problem is that every time I create a new pipeline I have to go through a trial and error process:

  • Deploy
  • Get a failure due to missing IAM permissions
  • Update IAM Policy to add the missing permission
  • Repeat

I've searched for resources to help with this, but the general approach seems to be to overprovision the IAM policy, which I think is a really bad approach.

Are there any tools you can use that will analyse a CloudFormation template and generate a JSON document of the required deployment policy? (Or for Serverless Framework or CDK?)


1 Answer

5
votes

Great question; unfortunately, the answer is slightly tricky.

You're running up against a bit of a chicken-and-egg problem with all Infrastructure as Code providers (Serverless, CDK, CloudFormation, Terraform, etc.).

Keep in mind that the IAM user which deploys your application is not the same as the IAM role that your application (Lambda) runs under.

This means that if you wanted to strictly limit the permissions of your deploy user so that it could only deploy specific resources, that's fine - however as you noted, you'll need to expand those permissions every time you want to deploy new resources. Notably, if you automate this process such that the role permissions are expanded every time you add new infrastructure - you've effectively granted your deploy user administrative access.

This is why most people use an over-provisioned deploy user in order to deploy their applications. It's not considered a bad approach for two reasons:

  1. Your application does not use this role when executing, so if you had some major vulnerability in your Lambda that allowed for remote code execution, the attacker couldn't compromise your entire AWS account.
  2. You're relying on your IaC provider to ensure that you do not create unneeded infrastructure (i.e. you and your IaC provider have the same level of access).

As long as the Lambda Execution role has a strict IAM policy, using an overprovisioned deployment user is fine.
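The answer's condition is that the Lambda execution role, not the deploy user, is the policy that has to be strict. The following is an added example, not code from the question or the answer: a small audit that flags the wildcard grants (`*` or `service:*` actions, `Resource: "*"`, `NotAction`) which make a policy over-provisioned, run over two constructed policy documents. The account ID, region, function name `orders-api` and table name `orders` are hypothetical. Applied to both roles it shows the split the answer describes: the deploy policy fails the check by design, the execution role policy passes.

```python
"""Audit an IAM policy document for the wildcard grants that make it over-provisioned.

Added example; the two policies below are constructed for illustration (hypothetical
account 123456789012, region us-east-1, Lambda 'orders-api', DynamoDB table 'orders')
and are not from the original post.
"""
import json

# Constructed: the kind of strict Lambda execution role policy the answer calls for.
EXECUTION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders-api:*",
        },
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders",
        },
    ],
}

# Constructed: an over-provisioned deploy user policy of the kind the answer describes.
DEPLOY_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["cloudformation:*", "lambda:*", "iam:*", "s3:*"],
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcards(policy):
    """Return one finding per wildcard grant in the policy's Allow statements.

    Flagged: any Action containing '*' (e.g. '*', 'iam:*', 's3:Get*'), a Resource of
    exactly '*', and any use of NotAction (which grants everything not listed).
    A resource ARN ending in ':*' (all log streams under one log group) is not
    flagged, because it is still scoped to a single named resource.
    """
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect", "Allow") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in statement:
            findings.append({"statement": index, "kind": "not_action",
                             "value": statement["NotAction"]})
        for action in _as_list(statement.get("Action")):
            if "*" in action:
                findings.append({"statement": index, "kind": "action", "value": action})
        for resource in _as_list(statement.get("Resource")):
            if resource == "*":
                findings.append({"statement": index, "kind": "resource", "value": resource})
    return findings


def is_strict(policy):
    """True when the policy grants no wildcard actions or resources."""
    return not find_wildcards(policy)


def report(name, policy):
    """Print the findings for one policy and return them."""
    findings = find_wildcards(policy)
    verdict = "strict" if not findings else f"{len(findings)} wildcard grant(s)"
    print(f"{name}: {verdict}")
    for finding in findings:
        print(f"  statement {finding['statement']}: {finding['kind']} = "
              f"{json.dumps(finding['value'])}")
    return findings


if __name__ == "__main__":
    report("execution role", EXECUTION_ROLE_POLICY)  # strict
    report("deploy user", DEPLOY_USER_POLICY)        # 5 wildcard grant(s)
```

Run `find_wildcards` against the execution role policy before attaching it to the function; the deploy user policy is expected to fail the same check, which is exactly the trade-off the answer accepts. The check is syntactic only: a policy can pass it and still be too broad (for example `iam:PassRole` on one specific but powerful role), so it is a floor, not a proof of least privilege.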