Adding pre-defined permissions to auto-generated policy file
Hi,
I'm implementing a REST-API with Chalice which uses S3, Athena and Glue.
Normally, Chalice autogenerated policies work just fine for dev. Although it's not the case when Glue comes into the picture, and maybe others too, I assume.
When trying to deploy the API with autogen policy, Chalice warns me that Glue is unsupported.
```
$ chalice deploy
Unsupported service for auto policy generation: glue
Creating deployment package.
Creating IAM role: ...
```
This isn't a big issue, I created the .chalice/policy-dev.json manually using the output of chalice autogen-policy extended with the glue permissions. This works great with chalice deploy --no-autogen-policy.
But my code is not final, and every time I add something that requires different permission I have to edit the .chalice/policy-dev.json manually, because chalice deploy ignores the .chalice/policy-dev.json file.
I've been reading the Chalice docs to figure out a way to make this less of a hassle, but it seems like the current implementation supports autogen policy or manual policy but not a mixture of the two. Btw I do not have access to the AWS consoles to do magic there so I need to work with what Chalice offers me.
It would be nice if it was possible to specify a policy file that is used by the policy generator as a base to improve on.
What I mean is having a file eg. .chalice/policy-base.json with the pre-defined permissions that currently have to be added manually, like:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetDatabase"
      ],
      "Resource": [
        "arn:aws:glue:*:0123456789012:*"
      ],
      "Sid": "12345000000000000000000000000001"
    }, ...
  ]
}
```
...and would be extended by the policy generator when using chalice deploy.
(issues #64, #484, #620 and #985 do not seem to be relevant)
Thanks
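An offline stand-in for the merge this request asks for, added here as an example and not part of Chalice or of this thread: it takes the JSON that `chalice autogen-policy` prints plus a hand-maintained .chalice/policy-base.json, keeps the base statements, appends only the generated statements not already covered, and lists statements whose Resource is "*" so they can be reviewed before deploying (the concern raised later in the thread). The two sample policies and the function names are constructed assumptions.

```python
"""Merge hand-maintained permissions into the policy Chalice auto-generates."""
import json

# Constructed stand-in for the JSON `chalice autogen-policy` prints for S3-only
# code (the generator never sees the Glue calls, so it omits them).
AUTOGEN_JSON = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "arn:aws:logs:*:*:*",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"},
]})

# Constructed .chalice/policy-base.json: the issue's Glue statement plus an S3
# statement that duplicates one the generator already emits.
BASE_JSON = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "12345000000000000000000000000001", "Effect": "Allow",
     "Action": ["glue:GetTable", "glue:GetTables", "glue:GetDatabase"],
     "Resource": ["arn:aws:glue:*:0123456789012:*"]},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": ["*"]},
]})

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)

def _statement_key(stmt):
    """Canonical form for deduplication: Sid dropped, Action/Resource sorted."""
    body = {k: v for k, v in stmt.items() if k != "Sid"}
    for field in ("Action", "Resource"):
        if field in body:
            body[field] = sorted(_as_list(body[field]))
    return json.dumps(body, sort_keys=True)

def merge_policies(autogen_json, base_json):
    """Base statements first, then generated statements not already covered."""
    autogen, base = json.loads(autogen_json), json.loads(base_json)
    if autogen["Version"] != base["Version"]:
        raise ValueError("policy Version mismatch")
    merged, seen = [], set()
    for stmt in base["Statement"] + autogen["Statement"]:
        key = _statement_key(stmt)
        if key not in seen:
            seen.add(key)
            merged.append(stmt)
    return {"Version": base["Version"], "Statement": merged}

def wildcard_resource_indexes(policy):
    """Indexes of statements granting Resource "*"; review these before deploy."""
    return [i for i, s in enumerate(policy["Statement"])
            if "*" in _as_list(s.get("Resource", []))]
```

Write `json.dumps(merge_policies(...), indent=2)` to .chalice/policy-dev.json and deploy with chalice deploy --no-autogen-policy; re-running the merge after each code change replaces the manual editing described above.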
Interesting idea, I like it. We'd need to work out exactly how you'd specify/configure this, but I like the idea of being able to merge on top of what the policy generator does. Marking as a feature request, thanks for the suggestion.
Seems deeply related to this bug -> https://github.com/aws/chalice/issues/692 ?
Another scenario where being able to add extra pre-defined permissions is valuable is when using high-level libraries like bolt, where the calls to boto3 are buried too deep for the analyser to find. To use bolt's "lazy functions" it needs lambda:InvokeFunction but chalice never finds this.
If the ability to provide pre-defined permissions were to be added, it would be helpful from an isolation point of view if it supported a place-holder token for the Resource that referred to the Lambda instance itself, so that you don't have to put "*" in.
@jamesls I'm wondering if there is any progress on this? Implementing this would provide both general purpose utility and (as mentioned above) some security benefits over the way that people are likely to get around the difficulties caused by its absence.
I note that it's almost four and a half years since you agreed it would be useful; an update would be appreciated!