From 1d77f8057de83de519b330aeb65f1d6bed59e57d Mon Sep 17 00:00:00 2001
From: Xavier Schildwachter
Date: Fri, 11 Oct 2024 14:45:35 -0700
Subject: [PATCH 1/5] Use cdk role
---
 org-formation/650-identity-providers/_tasks.yaml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/org-formation/650-identity-providers/_tasks.yaml b/org-formation/650-identity-providers/_tasks.yaml
index 148e5b5c..d609890d 100644
--- a/org-formation/650-identity-providers/_tasks.yaml
+++ b/org-formation/650-identity-providers/_tasks.yaml
@@ -809,11 +809,7 @@ GithubOidcNbConvertDeploy:
 ProviderRoleName: !Sub ${resourcePrefix}-${appName}-nbconvert-deploy
 MaxSessionDuration: 7200
 ManagedPolicyArns:
- - "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess"
- - "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
- - "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
- - "arn:aws:iam::aws:policy/IAMFullAccess"
- - "arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"
+ - "arn:aws:iam::449435941126:policy/cdk-assume-role-policy"
 TemplatingContext:
 GitHubOrg: "Sage-Bionetworks"
 Repositories:
From cd44614a6735cde988c3f7eb82dc080cc0849dcc Mon Sep 17 00:00:00 2001
From: Xavier Schildwachter
Date: Thu, 7 Nov 2024 11:29:22 -0800
Subject: [PATCH 2/5] Park
---
 org-formation/650-identity-providers/_tasks.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/org-formation/650-identity-providers/_tasks.yaml b/org-formation/650-identity-providers/_tasks.yaml
index 397e6cd2..15ad332c 100644
--- a/org-formation/650-identity-providers/_tasks.yaml
+++ b/org-formation/650-identity-providers/_tasks.yaml
@@ -837,7 +837,7 @@ GithubOidcNbConvertDeploy:
 ProviderRoleName: !Sub ${resourcePrefix}-${appName}-nbconvert-deploy
 MaxSessionDuration: 7200
 ManagedPolicyArns:
- - "arn:aws:iam::449435941126:policy/cdk-assume-role-policy"
+ - "arn:aws:iam::${AWS::AccountId}:policy/cdk-assume-role-policy"
 TemplatingContext:
 GitHubOrg: "Sage-Bionetworks"
 Repositories:
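Review bot: The replacement policy ARN on the added line hard-codes account 449435941126, but this task's role is deployed into more than one account (the removed block later in this series shows the binding to both SynapseDevAccount and SynapseProdAccount), and a customer-managed policy ARN only resolves in the account that owns it, so the attach will most likely fail in every other target account. Use the account pseudo-parameter and keep the file's `!Sub` convention: `- !Sub "arn:aws:iam::${AWS::AccountId}:policy/cdk-assume-role-policy"`, and confirm that cdk-assume-role-policy is actually created in each bound account before this task runs. Replacing five *FullAccess managed policies with a scoped assume-role policy is the right direction and worth keeping. The enclosing GithubOidcNbConvertDeploy task starts outside the hunk.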
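Review bot: The `${AWS::AccountId}` reference on the added line sits inside a plain quoted string rather than a `!Sub` expression, so unless org-formation substitutes plain strings — the rest of this file uses `!Sub` for every `${…}` reference, including ProviderRoleName two lines above — the literal text `${AWS::AccountId}` is passed as the policy ARN and the stack update fails. Wrap it: `- !Sub "arn:aws:iam::${AWS::AccountId}:policy/cdk-assume-role-policy"`. The commit title "Park" suggests this was known to be unfinished; a `# TODO` next to the line would make that explicit for anyone deploying from this revision. The enclosing GithubOidcNbConvertDeploy task starts outside the hunk.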
From f16de2ca1bc4c915945881a5773d9ae9f31f1648 Mon Sep 17 00:00:00 2001
From: Xavier Schildwachter
Date: Mon, 11 Nov 2024 13:00:05 -0800
Subject: [PATCH 3/5] Use inline policy to allow assuming cdk* roles
---
 org-formation/650-identity-providers/_tasks.yaml | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/org-formation/650-identity-providers/_tasks.yaml b/org-formation/650-identity-providers/_tasks.yaml
index 19d170b0..9eab203e 100644
--- a/org-formation/650-identity-providers/_tasks.yaml
+++ b/org-formation/650-identity-providers/_tasks.yaml
@@ -836,8 +836,18 @@ GithubOidcNbConvertDeploy:
 ProviderArn: !CopyValue [ !Sub '${resourcePrefix}-${appName}-ProviderArn' ]
 ProviderRoleName: !Sub ${resourcePrefix}-${appName}-nbconvert-deploy
 MaxSessionDuration: 7200
- ManagedPolicyArns:
- - "arn:aws:iam::${AWS::AccountId}:policy/cdk-assume-role-policy"
+ PolicyDocument: !Sub |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AssumeRoleStatement",
+ "Effect": "Allow",
+ "Action": "sts:AssumeRole",
+ "Resource": "arn:aws:iam::${AWS::AccountId}:role/cdk-*-role-*-us-east-1"
+ }
+ ]
+ }
 TemplatingContext:
 GitHubOrg: "Sage-Bionetworks"
 Repositories:
From befc4c387c83a032fb195e78a6204adef7c5f200 Mon Sep 17 00:00:00 2001
From: Xavier Schildwachter
Date: Mon, 25 Nov 2024 12:26:24 -0800
Subject: [PATCH 4/5] use admin access
---
 org-formation/650-identity-providers/_tasks.yaml | 15 +++------------
 1 file changed, 3 insertions(+), 12 deletions(-)
diff --git a/org-formation/650-identity-providers/_tasks.yaml b/org-formation/650-identity-providers/_tasks.yaml
index b435e9be..78db1c0a 100644
--- a/org-formation/650-identity-providers/_tasks.yaml
+++ b/org-formation/650-identity-providers/_tasks.yaml
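Review bot: The Resource glob `cdk-*-role-*-us-east-1` on the added Resource line is wider than it needs to be: if these are the standard CDK bootstrap roles, it matches not only the deploy, file-publishing, image-publishing and lookup roles a deployer assumes but also the `cdk-<qualifier>-cfn-exec-role-<account>-us-east-1` role, which is meant to be assumed only by CloudFormation and in a default bootstrap carries AdministratorAccess (its trust policy should refuse a direct AssumeRole, but the permission should still not be granted). Enumerate the roles instead, e.g. `"Resource": ["arn:aws:iam::${AWS::AccountId}:role/cdk-*-deploy-role-${AWS::AccountId}-us-east-1", "arn:aws:iam::${AWS::AccountId}:role/cdk-*-file-publishing-role-${AWS::AccountId}-us-east-1", …]`, pinning `cdk-*-` to the bootstrap qualifier in use if it is known. Consider `${AWS::Region}` in place of the literal region if this binding ever grows beyond us-east-1. The enclosing GithubOidcNbConvertDeploy task starts outside the hunk.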
@@ -881,18 +881,9 @@ GithubOidcNbConvertDeploy:
 ProviderArn: !CopyValue [ !Sub '${resourcePrefix}-${appName}-ProviderArn' ]
 ProviderRoleName: !Sub ${resourcePrefix}-${appName}-nbconvert-deploy
 MaxSessionDuration: 7200
- PolicyDocument: !Sub |
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AssumeRoleStatement",
- "Effect": "Allow",
- "Action": "sts:AssumeRole",
- "Resource": "arn:aws:iam::${AWS::AccountId}:role/cdk-*-role-*-us-east-1"
- }
- ]
- }
+ ManagedPolicyArns:
+ - "arn:aws:iam::aws:policy/AdministratorAccess"
+ - "arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser"
 TemplatingContext:
 GitHubOrg: "Sage-Bionetworks"
 Repositories:
From 8e17691beb9a4d330a0aec58d77e6390da4b99fc Mon Sep 17 00:00:00 2001
From: Xavier Schildwachter
Date: Wed, 4 Dec 2024 12:09:18 -0800
Subject: [PATCH 5/5] combine synapse-related oidc
---
 .../650-identity-providers/_tasks.yaml | 47 ++++++++++---------
 1 file changed, 24 insertions(+), 23 deletions(-)
diff --git a/org-formation/650-identity-providers/_tasks.yaml b/org-formation/650-identity-providers/_tasks.yaml
index 78db1c0a..77461b73 100644
--- a/org-formation/650-identity-providers/_tasks.yaml
+++ b/org-formation/650-identity-providers/_tasks.yaml
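Review bot: The added ManagedPolicyArns attach AdministratorAccess to a role that GitHub Actions can assume from the master and develop branches of nbconvert-webapp, in a task that (per the removed block later in this series) is bound to both SynapseDevAccount and SynapseProdAccount; this replaces a policy limited to sts:AssumeRole with full account admin in production, and the commit message "use admin access" records no reason. If the scoped policy was dropped because a cdk deploy failed, the usual fix is to bootstrap the CDK roles in the target accounts or widen the AssumeRole Resource list — in a default CDK bootstrap the cfn-exec role already holds the privileges CloudFormation needs, so the deployer principal does not. AWSKeyManagementServicePowerUser is also fully covered by AdministratorAccess and adds nothing here. If admin is genuinely needed for a period, say so next to the line, e.g. `# TODO: AdministratorAccess is temporary until the cdk-* bootstrap roles exist in both accounts; restore the scoped AssumeRole policy`. The enclosing GithubOidcNbConvertDeploy task starts outside the hunk.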
@@ -166,6 +166,30 @@ GithubOidcSageBionetworksSynapseDockerRegistry:
 - !Ref SynapseProdAccount
 Region: us-east-1
 
+GithubOidcSageBionetworksSynapse:
+ Type: update-stacks
+ DependsOn: GithubOidcSageBionetworks
+ Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.7.6/templates/IAM/github-oidc-provider.j2
+ StackName: !Sub ${resourcePrefix}-${appName}-sage-bionetworks-synapse
+ Parameters:
+ ProviderArn: !CopyValue [ !Sub '${resourcePrefix}-${appName}-ProviderArn' ]
+ ProviderRoleName: !Sub ${resourcePrefix}-${appName}-sage-bionetworks-synapse
+ ManagedPolicyArns:
+ - "arn:aws:iam::aws:policy/AdministratorAccess"
+ - "arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser"
+ TemplatingContext:
+ GitHubOrg: "Sage-Bionetworks"
+ Repositories:
+ - name: "synapse-docker-registry"
+ branches: ["*"]
+ - name: "nbconvert-webapp"
+ branches: ["master", "develop"]
+ DefaultOrganizationBinding:
+ Account:
+ - !Ref SynapseDevAccount
+ - !Ref SynapseProdAccount
+ Region: us-east-1
+
 GithubOidcSageBionetworksGenieBPCInfra:
 Type: update-stacks
 DependsOn: GithubOidcSageBionetworks
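Review bot: The new GithubOidcSageBionetworksSynapse role combines AdministratorAccess with `branches: ["*"]` for synapse-docker-registry and a binding to SynapseProdAccount, so a workflow on any branch anyone can push to that repository can obtain a production admin session through OIDC; the nbconvert-deploy role this replaces at least restricted its trust to master and develop. Restrict the docker-registry entry to the branches or tags that actually deploy (the nbconvert-webapp entry's `branches: ["master", "develop"]` is the pattern to follow), or give the prod binding its own task with a narrower branch list and a scoped policy. Two details lost in the merge are worth confirming: the old task's `MaxSessionDuration: 7200` is not carried over, so the template default now applies, and the pre-existing GithubOidcSageBionetworksSynapseDockerRegistry task in the leading context lines is not removed by this patch, so synapse-docker-registry ends up trusted by two roles rather than one. The trailing context cuts into GithubOidcSageBionetworksGenieBPCInfra, which continues outside the hunk.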
@@ -872,29 +896,6 @@ GithubOidcOpenChallengesDeploy:
 - !Ref OpenChallengesProdAccount
 Region: us-east-1
 
-GithubOidcNbConvertDeploy:
- Type: update-stacks
- DependsOn: GithubOidcSageBionetworks
- Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.7.6/templates/IAM/github-oidc-provider.j2
- StackName: !Sub ${resourcePrefix}-${appName}-nbconvert-deploy
- Parameters:
- ProviderArn: !CopyValue [ !Sub '${resourcePrefix}-${appName}-ProviderArn' ]
- ProviderRoleName: !Sub ${resourcePrefix}-${appName}-nbconvert-deploy
- MaxSessionDuration: 7200
- ManagedPolicyArns:
- - "arn:aws:iam::aws:policy/AdministratorAccess"
- - "arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser"
- TemplatingContext:
- GitHubOrg: "Sage-Bionetworks"
- Repositories:
- - name: "nbconvert-webapp"
- branches: ["master", "develop"]
- DefaultOrganizationBinding:
- Account:
- - !Ref SynapseDevAccount
- - !Ref SynapseProdAccount
- Region: us-east-1
-
 ############################### Managed Policies ###############################
 # Managed policies used in github OIDC providers
 # Note: Managed policies can be used as work around for the AWS cloudformation