The latest articles on DEV Community by Ramon (@ramlop). https://dev.to/ramlop https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F645267%2F42f1a0a2-ea00-4073-878f-d0db93b97595.jpeg https://dev.to/ramlop en Ramon Tue, 15 Jun 2021 15:46:20 +0000 https://dev.to/aws-ch/grant-limited-iam-permissions-with-aws-cdk-but-fast-3f4g https://dev.to/aws-ch/grant-limited-iam-permissions-with-aws-cdk-but-fast-3f4g <p>I love writing CDK apps but there is something I really loathe: Writing IAM policies and assigning them to resources like Lambdas. It feels like a step back because I don't have the same type-safety and syntax highlighting that I'm used to from native CDK constructs.</p> <p>When I start writing an app, I want to make fast progress, so I fall back to using AWS Managed IAM policies, which are usually too broad and open. Then I add TODO's and promise myself to take care of it later... </p> <p>Like in this example where the Lambda should only be able to <strong>read</strong> from a single bucket, but is granted with <strong>full</strong> S3 permissions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">bucket</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">Bucket</span><span class="p">(...)</span> <span class="kd">const</span> <span class="nx">executionRole</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">Role</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">execution-role</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">assumedBy</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">ServicePrincipal</span><span class="p">(</span><span class="dl">"</span><span class="s2">lambda.amazonaws.com</span><span class="dl">"</span><span class="p">),</span> <span class="na">managedPolicies</span><span class="p">:</span> <span class="p">[</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">ManagedPolicy</span><span class="p">.</span><span class="nx">fromAwsManagedPolicyName</span><span class="p">(</span> <span class="dl">"</span><span class="s2">service-role/AWSLambdaBasicExecutionRole</span><span class="dl">"</span> <span class="p">),</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">ManagedPolicy</span><span class="p">.</span><span class="nx">fromAwsManagedPolicyName</span><span class="p">(</span> <span class="dl">"</span><span class="s2">service-role/AWSLambdaVPCAccessExecutionRole</span><span class="dl">"</span> <span class="p">),</span> <span class="c1">//TODO lock down permissions!</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">ManagedPolicy</span><span class="p">.</span><span class="nx">fromAwsManagedPolicyName</span><span class="p">(</span><span class="dl">"</span><span class="s2">AmazonS3FullAccess</span><span class="dl">"</span><span class="p">),</span> <span class="p">],</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">fn</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">lambda</span><span class="p">.</span><span class="nb">Function</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">MyLambda</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">runtime</span><span class="p">:</span> <span class="nx">lambda</span><span class="p">.</span><span class="nx">Runtime</span><span class="p">.</span><span class="nx">PYTHON_3_8</span><span class="p">,</span> <span class="na">code</span><span class="p">:</span> <span class="p">...,</span> <span class="na">handler</span><span class="p">:</span> <span class="p">...,</span> <span class="na">timeout</span><span class="p">:</span> <span class="p">...,</span> <span class="na">role</span><span class="p">:</span> <span class="nx">executionRole</span> <span class="p">})</span> </code></pre> </div> <p>Wouldn't it be nice if there was an idiomatic way of granting permissions in CDK? Turns out, there is!</p> <p>Many CDK constructs representing resources that can be accessed (like S3, DynamoDB, SQS, SNS...) provide various <code>.grant...()</code> methods (see <a href="https://docs.aws.amazon.com/cdk/latest/guide/permissions.html#permissions_grants">CDK Grants</a>). With this method you don't have to memorize or look up the names of any of the AWS Managed IAM policies and it's incredibly succinct:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">bucket</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">s3</span><span class="p">.</span><span class="nx">Bucket</span><span class="p">(...)</span> <span class="kd">const</span> <span class="nx">fn</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">lambda</span><span class="p">.</span><span class="nb">Function</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">MyLambda</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">runtime</span><span class="p">:</span> <span class="nx">lambda</span><span class="p">.</span><span class="nx">Runtime</span><span class="p">.</span><span class="nx">PYTHON_3_8</span><span class="p">,</span> <span class="na">code</span><span class="p">:</span> <span class="p">...,</span> <span class="na">handler</span><span class="p">:</span> <span class="p">...,</span> <span class="na">timeout</span><span class="p">:</span> <span class="p">...</span> <span class="p">})</span> <span class="nx">bucket</span><span class="p">.</span><span class="nx">grantRead</span><span class="p">(</span><span class="nx">fn</span><span class="p">)</span> </code></pre> </div> <p>Note how I was able to remove the <code>executionRole</code> completely because CDK will chose a sensible default <a href="https://docs.aws.amazon.com/cdk/api/latest/docs/aws-lambda-readme.html#execution-role">Execution Role</a> that will include permissions to invoke the Lambda.<br> In the last line I just use the <code>bucket</code> object and call <code>grantRead</code> to give the Lambda permissions to read from this bucket <em>only</em>.</p> <p>Not only is this easier and faster to write, it also makes our infrastructure more secure! Besides, you can always fall back to explicitly using IAM Roles and Policies if you encounter CDK constructs where <code>grant</code> isn't available.</p> <h3> Learn more </h3> <p>Other CDK modules follow similar mechanisms, for example <code>@aws-cdk/aws-ec2</code> when it comes to <a href="https://docs.aws.amazon.com/cdk/api/latest/docs/aws-ec2-readme.html#allowing-connections">allowing connections</a>. No more manual writing of Security Group rules!</p> <p>CDK is evolving fast and getting better by the day. If you want to dive deeper, check out the <a href="https://cdkworkshop.com/">CDK Workshop</a> for some hands-on learning and the <a href="https://awscdk.io/">CDK Construct Catalog</a> to find hundreds of reusable CDK constructs from AWS and other developers.</p> <p>Have fun building!<br> -Ramon</p> cdk cloudskills aws devops