
Setting up Lambda to Create AWS CloudFormation without IAM Policy

What are the best practices for CloudFormation stacks that create IAM users? I'm creating an API that will automatically add clients to one of our services, i.e., it uses a CloudFormation template to create buckets, DynamoDB entries, an IAM user, etc.

You send a POST call to a route with specific parameters in the call, and it will create the client and everything that's needed for them; however, due to security concerns, I'm hesitant to allow a lambda role to have IAM permissions. We take IAM user creation extremely seriously, as this could always have a negative connotation.

Is there a way that I could create a CloudFormation stack, but require an Admin's manual approval to create it? I noticed there isn't a way to "delay" a stack for approval from another entity who has the correct permissions, since, for stacks to be created in the first place, proper policies must be in place for the entity creating it.

So, in summary, send a POST request to a URL that creates a stack needing Admin approval with proper permissions to activate the creation.

I'm starting to believe this isn't possible, so what are some recommendations?

We have thought about some other methods:

  • API call uploads the generated CloudFormation template to S3, then admins manually create the stack from the object URL
  • Modify the CloudFormation template to remove the IAM section, and have admins create that portion manually

Either way, it kinda takes away from the "automation" aspect.

Any thoughts?

I would suggest using AWS Step Functions to create a state machine (a codified process) around the approval mechanism. The POST request would then trigger a new Step Function execution with the specific CFN template. I imagine you would need to build a simple frontend to list all the pending Step Function executions (i.e. pending approvals).

An alternative solution could be built on top of CodePipeline. A pipeline execution can have a manual approval action, and it can be configured so that it creates the stack by itself.

If you are willing to use other tools, you could trigger the CloudFormation stack from a Jenkins job and only allow admins to trigger that job.
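One way to wire up the Step Functions approval flow suggested above, as an added example that is not part of any answer on this page. The point of the layout is separation of principals: the role behind the POST Lambda can only start an execution, admins can only approve or reject (via `SendTaskSuccess` / `SendTaskFailure`) and hold no IAM write permissions themselves, and the only principal that can create IAM users is a CloudFormation service role restricted to `client-*` user names. The request supplies parameters only; the template that contains the IAM resources is a fixed, reviewed one. The parameters `OnboardingTemplateUrl` and `NotifyAdminsFunctionArn` (an existing Lambda that delivers the task token to admins) and the `clientId` input field are assumptions; the API Lambda function itself is left out and would run as `ApiLambdaRole`.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Approval-gated client onboarding with Step Functions (added example, not from the page)

Parameters:
  OnboardingTemplateUrl:
    Type: String
    Description: S3 URL of the fixed, reviewed client template (assumed to exist)
  NotifyAdminsFunctionArn:
    Type: String
    Description: Existing Lambda that hands the task token to admins (assumed to exist)

Resources:
  # Role the POST-handling Lambda runs as: it may only start an execution.
  ApiLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: StartOnboarding
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: states:StartExecution
                Resource: !Ref OnboardingStateMachine

  # Attach to admins: they can inspect pending executions and approve/reject.
  # SendTaskSuccess/SendTaskFailure take no resource-level restriction.
  ApproverPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: states:ListExecutions
            Resource: !Ref OnboardingStateMachine
          - Effect: Allow
            Action: states:DescribeExecution
            Resource: !Sub arn:aws:states:${AWS::Region}:${AWS::AccountId}:execution:${OnboardingStateMachine.Name}:*
          - Effect: Allow
            Action: [states:SendTaskSuccess, states:SendTaskFailure]
            Resource: "*"

  # Only CloudFormation, assuming this role, can create the client's IAM user.
  ClientStackServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: cloudformation.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ClientResources
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: [s3:CreateBucket, s3:DeleteBucket, s3:PutBucketPolicy, dynamodb:PutItem]
                Resource: "*"
              - Effect: Allow   # IAM writes limited to users named client-*
                Action: [iam:CreateUser, iam:DeleteUser, iam:TagUser, iam:CreateAccessKey,
                         iam:DeleteAccessKey, iam:PutUserPolicy, iam:DeleteUserPolicy]
                Resource: !Sub arn:aws:iam::${AWS::AccountId}:user/client-*

  # The state machine itself: notify, create stacks named client-*, and hand
  # the service role to CloudFormation only (iam:PassedToService condition).
  StateMachineRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: states.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: RunOnboarding
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: lambda:InvokeFunction
                Resource: !Ref NotifyAdminsFunctionArn
              - Effect: Allow
                Action: cloudformation:CreateStack
                Resource: !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/client-*/*
              - Effect: Allow
                Action: iam:PassRole
                Resource: !GetAtt ClientStackServiceRole.Arn
                Condition:
                  StringEquals: { iam:PassedToService: cloudformation.amazonaws.com }

  OnboardingStateMachine:
    Type: AWS::StepFunctions::StateMachine
    Properties:
      RoleArn: !GetAtt StateMachineRole.Arn
      DefinitionString: !Sub |
        {
          "StartAt": "RequestApproval",
          "States": {
            "RequestApproval": {
              "Type": "Task",
              "Resource": "arn:aws:states:::lambda:invoke.waitForTaskToken",
              "Parameters": {
                "FunctionName": "${NotifyAdminsFunctionArn}",
                "Payload": { "taskToken.$": "$$.Task.Token", "clientId.$": "$.clientId" }
              },
              "TimeoutSeconds": 86400,
              "ResultPath": "$.approval",
              "Next": "CreateClientStack"
            },
            "CreateClientStack": {
              "Type": "Task",
              "Resource": "arn:aws:states:::aws-sdk:cloudformation:createStack",
              "Parameters": {
                "StackName.$": "States.Format('client-{}', $.clientId)",
                "TemplateURL": "${OnboardingTemplateUrl}",
                "Parameters": [ { "ParameterKey": "ClientId", "ParameterValue.$": "$.clientId" } ],
                "RoleARN": "${ClientStackServiceRole.Arn}",
                "Capabilities": [ "CAPABILITY_NAMED_IAM" ]
              },
              "End": true
            }
          }
        }
```

The execution pauses at `RequestApproval` until an admin calls `aws stepfunctions send-task-success --task-token <token> --task-output '{"approvedBy":"..."}'` (or `send-task-failure` to reject); an unanswered request times out after a day and the stack is never created. Because `CreateClientStack` passes a fixed `TemplateURL` and only forwards `ClientId`, a caller of the POST route cannot inject their own IAM resources, and the `client-*` resource constraints on the service role mean that even a mistaken approval cannot produce an arbitrarily named user or touch existing ones.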
