简体繁体 English

设置Lambda以创建不带IAM策略的AWS CloudFormation

[英]Setting up Lambda to Create AWS CloudFormation without IAM Policy

原文 2019-01-11 15:54:56 0 2 amazon-web-services/ aws-lambda/ amazon-cloudformation

What are the best practices for CloudFormation stacks that create IAM users? 创建IAM用户的CloudFormation堆栈的最佳实践是什么？ I'm creating an API that will automatically add clients to one of our services, ie, it uses a CloudFormation template to create buckets, dynamo db entries, IAM user, etc. 我正在创建一个API，该API将自动将客户端添加到我们的服务之一，即，它使用CloudFormation模板来创建存储桶，dynamo数据库条目，IAM用户等。

You send a POST call to a route with specific parameters in the call, and it will create the client and everything that's needed for them; 您将POST呼叫发送到具有呼叫中特定参数的路由，它将创建客户端以及客户端所需的一切； however, due to security concerns, I'm hesitant to allow a lambda role to have IAM permissions. 但是，出于安全考虑，我很犹豫是否允许lambda角色具有IAM权限。 We take IAM user creation extremely seriously, as this could always have a negative connotation. 我们非常重视IAM用户的创建，因为这始终可能具有负面含义。

Is there a way that I could create a CloudFormation stack, but require an Admin's manual approval to create it? 有没有一种方法可以创建CloudFormation堆栈，但是需要管理员的手动批准才能创建它？ I noticed there isn't a way to "delay" a stack for approval from another entity who has the correct permissions, since, for stacks to be created in the first place, proper policies must be in place for the entity creating it. 我注意到，没有一种方法可以“延迟”堆栈以从具有正确权限的另一个实体批准，因为对于要首先创建的堆栈，必须为创建它的实体制定适当的策略。

So, in summary, send a POST request to a URL that creates a stack needing Admin approval with proper permissions to activate the creation. 因此，总而言之，将POST请求发送到一个URL，该URL创建一个需要管理员批准并具有适当权限才能激活创建的堆栈。

I'm starting to believe this isn't possible, so what are some recommendations? 我开始相信这是不可能的，那么有什么建议呢？

We have thought about some other methods: 我们还考虑了其他一些方法：

API call uploads the generated CloudFormation template to an s3, then admins manually create the stack with object url API调用将生成的CloudFormation模板上载到s3，然后管理员手动使用对象url创建堆栈
Modify the CloudFormation template to remove the IAM section, and have Admins create that portion manually 修改CloudFormation模板以删除IAM部分，并让管理员手动创建该部分

Either way, it kinda takes away from the "automation" aspect. 无论哪种方式，它都有点脱离了“自动化”方面。

Any thoughts? 有什么想法吗？

2 个解决方案

I would suggest to use AWS Step Functions to create a state machine (a codified process) around the approval mechanism. 我建议使用AWS Step Functions围绕批准机制创建状态机（编码过程）。 The POST request would then trigger a new Step Function execution with the specific CFN template. 然后，POST请求将使用特定的CFN模板触发新的Step Function执行。 I imagine you would need to build a simple frontend to list all the pending Step Function executions (ie pending approvals). 我想您将需要构建一个简单的前端以列出所有未完成的Step Function执行（即未完成的批准）。

An alternative solution could be built on top of CodePipeline. 可以在CodePipeline的顶部构建替代解决方案。 A pipeline execution can have a manual approval action and it can be configured in a way that it would creating the stack by itself. 管道执行可以执行手动批准操作，并且可以通过配置方式自行创建堆栈。