
Update Cloud trust policy for Lambda deployments #417

Merged
merged 3 commits into main from update-cloud-trust-policy
Jun 14, 2024

Conversation

pcholakov
Contributor

Confirmed to work with an updated version of restate-holiday which is still slightly WIP.

Comment on lines 94 to 98
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::654654156625:role/RestateCloud"
                }
            }
Contributor Author

Technically we can remove this and shorten the policy to just:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::654654156625:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::654654156625:role/RestateCloud",
                    "sts:ExternalId": "${ENVIRONMENT_ID}"
                }
            }
        },
        {
            "Sid": "AllowTagSession",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::654654156625:root"
            },
            "Action": "sts:TagSession"
        }
    ]
}

It's no less secure since the role principal is the only one that can AssumeRole - it's shorter but less pedantic :-)
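A way to verify that a deployed trust policy still has the properties this comment relies on (only the RestateCloud role in account 654654156625 can assume the role, and every AssumeRole grant is tied to one environment via sts:ExternalId). This is an added example, not code from the restate project or the PR author: the function names are the example's own, the account id and role ARN are the ones quoted in the PR, and SAMPLE_ENVIRONMENT_ID is a constructed stand-in for the real ${ENVIRONMENT_ID}.

```python
"""Lint a deployment role's trust policy for the properties discussed in the PR.

Added example, not code from the restate project or the PR author. Assumptions:
the trusted account id and role name are the ones quoted in the PR;
SAMPLE_ENVIRONMENT_ID is a constructed stand-in for ${ENVIRONMENT_ID};
check_trust_policy and its helpers are this example's own names.
"""
import json
import sys

TRUSTED_ACCOUNT = "654654156625"  # account id quoted in the PR
TRUSTED_ROLE_ARN = f"arn:aws:iam::{TRUSTED_ACCOUNT}:role/RestateCloud"
SAMPLE_ENVIRONMENT_ID = "env_example1234"  # constructed sample value

# The shortened policy proposed in the PR, with the placeholder filled in.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{TRUSTED_ACCOUNT}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalArn": TRUSTED_ROLE_ARN,
                    "sts:ExternalId": SAMPLE_ENVIRONMENT_ID,
                }
            },
        },
        {
            "Sid": "AllowTagSession",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{TRUSTED_ACCOUNT}:root"},
            "Action": "sts:TagSession",
        },
    ],
}


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _aws_principals(stmt):
    """Return the AWS principals of a statement ('*' is returned as-is)."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS"))]
    return []


def _account_of(arn):
    """Account id field of an ARN, or None for '*' and malformed values."""
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 else None


def check_trust_policy(policy, trusted_role_arn=TRUSTED_ROLE_ARN, external_id=None):
    """Return findings as strings; an empty list means the policy passes."""
    findings = []
    trusted_account = _account_of(trusted_role_arn)
    for idx, stmt in enumerate(policy.get("Statement", [])):
        sid = stmt.get("Sid") or f"Statement[{idx}]"
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        principals = _aws_principals(stmt)
        if not principals:
            findings.append(f"{sid}: no AWS principal (only AWS principals are linted here)")
        for p in principals:
            if _account_of(p) != trusted_account:
                findings.append(f"{sid}: principal {p!r} is outside trusted account {trusted_account}")
        if any(a in ("*", "sts:*") for a in actions):
            findings.append(f"{sid}: wildcard action {actions}")
        if "sts:AssumeRole" not in actions:
            continue  # e.g. the AllowTagSession statement creates no session by itself
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        # A ':root' principal trusts every identity in that account; the PR narrows
        # it to the single role with aws:PrincipalArn.
        if any(p.endswith(":root") for p in principals):
            if _as_list(conditions.get("aws:PrincipalArn")) != [trusted_role_arn]:
                findings.append(f"{sid}: account-root principal not narrowed to {trusted_role_arn}")
        # sts:ExternalId ties the role to one environment (confused-deputy guard).
        # A left-over '${...}' means the template was deployed unsubstituted.
        ext_ids = _as_list(conditions.get("sts:ExternalId"))
        if not ext_ids or any(not e or "${" in str(e) for e in ext_ids):
            findings.append(f"{sid}: sts:ExternalId condition missing or unresolved")
        elif external_id is not None and ext_ids != [external_id]:
            findings.append(f"{sid}: sts:ExternalId {ext_ids} does not match expected {external_id!r}")
    return findings


if __name__ == "__main__":
    # Usage: python trust_policy_lint.py [trust-policy.json]; defaults to SAMPLE_POLICY.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    for finding in check_trust_policy(doc) or ["OK: no findings"]:
        print(finding)
```

The unresolved-placeholder check is the one most worth keeping: a template deployed with a literal `${ENVIRONMENT_ID}` still parses as a valid policy, but the ExternalId no longer identifies the environment. Pass `external_id=` to additionally pin the deployed value to the environment you expect.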


cloudflare-workers-and-pages bot commented Jun 13, 2024

Deploying documentation with Cloudflare Pages

Latest commit: 9c50dac
Status: ✅ Deploy successful!
Preview URL: https://dcae6864.documentation-beg.pages.dev
Branch Preview URL: https://update-cloud-trust-policy.documentation-beg.pages.dev


@pcholakov pcholakov merged commit a407ca3 into main Jun 14, 2024
2 checks passed
@pcholakov pcholakov deleted the update-cloud-trust-policy branch June 14, 2024 10:07