Improve CDK spoke account handling

Open connelldave opened this issue 4 years ago • 4 comments

Fix #9248 - handle more than one "spoke" account in CDK. Added to documentation.

Reduced deployed IAM role permissions for safety: removed iam:* and other write-enabling permissions.

connelldave avatar Oct 22 '21 18:10 connelldave

IAM/S3/SQS/SNS mutation permissions are needed for ConsoleMe self-service and cross-account permission mutation to work, so that change may cause confusion. Perhaps we could add a read-only configuration for folks that aren't ready to deploy fully?

castrapel avatar Oct 28 '21 15:10 castrapel

Agreed with @castrapel. I see three options here, in ascending order of work/involvement:

  1. Remove the policy changes from this PR (the quickest way to get this change merged)
  2. A read-only deployment option that uses the version of the policy in this PR
  3. Update ConsoleMe to support distinct roles for logins vs mutation, such as ConsoleMeTrustRole and ConsoleMeManagementRole, with an option to not deploy the latter for read-only deployments

patricksanders avatar Oct 28 '21 16:10 patricksanders
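Option 3 above can be sketched as a small generator that takes one spoke-account permission list and splits it into the two roles patricksanders names, emitting the management role only for full deployments. This is an added example for this thread, not ConsoleMe's or the CDK stack's own code: the role names come from the comment, but the hub/spoke account IDs and the action list are constructed, and the read-only classification is a name-prefix heuristic (Get/List/Describe/Simulate, with any wildcard such as `iam:*` counted as write-enabling), not ConsoleMe's actual required permission set.

```python
"""Constructed example for the read-only vs. management role split
(option 3 in the thread).  Not ConsoleMe's own code; the action list and
account IDs below are made up for illustration."""
import json

# Constructed sample of the kind of actions a single spoke-account policy
# might carry.  Not the real ConsoleMe permission set.
SAMPLE_ACTIONS = [
    "iam:*",
    "s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:ListAllMyBuckets",
    "sqs:GetQueueAttributes", "sqs:SetQueueAttributes", "sqs:ListQueues",
    "sns:GetTopicAttributes", "sns:SetTopicAttributes", "sns:ListTopics",
    "sts:GetCallerIdentity",
]

# Action-name prefixes treated as read-only.  Anything else, including a
# service wildcard such as iam:*, is treated as write-enabling.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Simulate")


def is_read_only(action: str) -> bool:
    """Return True only for a concrete, non-wildcard read action."""
    service, sep, name = action.partition(":")
    if not sep or not service or not name:
        return False
    if "*" in name or "?" in name:
        return False
    return name.startswith(READ_ONLY_PREFIXES)


def split_actions(actions):
    """Partition actions into (read_only, mutating), both sorted."""
    read_only = sorted(a for a in actions if is_read_only(a))
    mutating = sorted(a for a in actions if not is_read_only(a))
    return read_only, mutating


def policy_document(actions, resource="*"):
    """Minimal IAM identity policy allowing the given actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": list(actions), "Resource": resource}
        ],
    }


def trust_policy(hub_account_id):
    """Trust policy letting the central (hub) ConsoleMe account assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{hub_account_id}:root"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def build_spoke_roles(spoke_account_ids, hub_account_id, actions, read_only=False):
    """Describe the roles to deploy in each spoke account.

    Every spoke gets ConsoleMeTrustRole with the read-only permissions.
    ConsoleMeManagementRole, carrying the mutating permissions, is only
    emitted when read_only is False.  Returns {spoke_account_id: {role_name: spec}}.
    """
    read_actions, write_actions = split_actions(actions)
    result = {}
    for spoke in spoke_account_ids:
        roles = {
            "ConsoleMeTrustRole": {
                "AssumeRolePolicyDocument": trust_policy(hub_account_id),
                "Policy": policy_document(read_actions),
            }
        }
        if not read_only:
            roles["ConsoleMeManagementRole"] = {
                "AssumeRolePolicyDocument": trust_policy(hub_account_id),
                "Policy": policy_document(write_actions),
            }
        result[spoke] = roles
    return result


if __name__ == "__main__":
    # Constructed account IDs: one hub, two spokes (the >1 spoke case from the PR).
    roles = build_spoke_roles(["111111111111", "222222222222"], "999999999999",
                              SAMPLE_ACTIONS, read_only=True)
    print(json.dumps(roles, indent=2))
```

The prefix heuristic is deliberately conservative about wildcards but still approximate: some `Get*` actions return data rather than metadata (`s3:GetObject` is the obvious case), so a real read-only option would want an explicit allow-list for ConsoleMe's actual calls rather than a name-based split. The output dictionaries are plain IAM policy JSON, so they can be fed to a CDK `iam.Role` or `CfnRole` per spoke account.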

Hello both - thanks for the feedback. I fixed the CDK deployment while first exploring the project to get going - the second commit is naive on my part.

I've removed the IAM commit so the basic fix can be merged and potentially come back to options 2 and 3 when I understand the codebase better :)

connelldave avatar Oct 29 '21 10:10 connelldave

@avishayil how does this look to you?

castrapel avatar Oct 29 '21 15:10 castrapel