Granular IAM permissions #26
Conversation
| RoleName: !Join ['_', ['NewRelicIntegrationRole', !Ref NewRelicAccountNumber]] | ||
| AssumeRolePolicyDocument: | ||
| Version: 2012-10-17 | ||
| Statement: | ||
| - Effect: Allow | ||
| Principal: | ||
| AWS: 'arn:aws:iam::754728514883:root' | ||
| AWS: !Sub 'arn:aws:iam::${NewRelicTrustedPrincipal}:root' |
There was a problem hiding this comment.
Does this needs to be 'root'? or can it be a different user?
There was a problem hiding this comment.
since NewRelic AWS account may use different role to perform STS, we need to assign it to root to allow IAM users/roles with proper external ID to assume it.
| @@ -60,13 +64,14 @@ Resources: | |||
| Statement: | |||
| - Effect: Allow | |||
| Principal: | |||
| AWS: 'arn:aws:iam::754728514883:root' | |||
| AWS: !Sub 'arn:aws:iam::${NewRelicTrustedPrincipal}:root' | |||
There was a problem hiding this comment.
since NewRelic AWS account may use different role to perform STS, we need to assign it to root to allow IAM users/roles with proper external ID to assume it.
| @@ -16,6 +16,10 @@ Parameters: | |||
| is created using the name you specify. This custom policy includes only minimal permissions | |||
| that allow New Relic to monitor your Lambda functions. Note that you are responsible for | |||
| managing a custom policy.' | |||
| NewRelicTrustedPrincipal: | |||
There was a problem hiding this comment.
Is this the value we are passing from the main launch template?
There was a problem hiding this comment.
this value is not passed from main launch template at the moment, default value is used during launch
There was a problem hiding this comment.
If we are not passing it from the main template than I don't see the value of add it as parameter. Idea behind parameterizing it was to allow users to explicitly provide a 3rd party account id which they are giving permission to take actions in their AWS Account.
There was a problem hiding this comment.
Agreed and I've document it here #27
this will require another PR to modify the documentation, and perhaps we will also cover different partition, i.e. govcloud if needed.
I added this param on newrelic-stack-set.yml as stop gap from hard-coded principal in the template.
There was a problem hiding this comment.
When do you think we will have the PR to address it?
Issue #, if available:
Typo in CloudWatch rules for lifecycle event
Existing IAM managed policy does not utilize granular resource permissions.
Description of changes:
Fix typo in CloudWatch rules filter for CT LifeCycle event
Add granular resource and permission based on: https://docs.newrelic.com/docs/integrations/amazon-integrations/get-started/integrations-managed-policies/#all-permissions
Add cfn-lint metadata for exception on permissions that does not support specifying resource ARN
remove Python ver dependency from the Makefile
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.