[FEATURE] Support for custom Path for IAM role and custom Path for IAM Policy #757

Open
nileshlathiya opened this issue Dec 9, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@nileshlathiya

Is your feature request related to a problem? Please describe.
I am working with an Enterprise customer on ML use cases and exploring ways to orchestrate deployment using the seed-farmer mlops-sagemaker module and aws-codeseeder. As a security best practice, specifying custom paths for IAM roles and policies during creation is essential. This approach, widely adopted by enterprise customers, enhances security and access control. Providing features to customize IAM role paths and policy paths is highly valuable for aligning with these best practices.

Describe the solution you'd like
I am looking for input parameters for an IAM role custom path along with an IAM policy custom path when using seed-farmer, or any better solution which allows passing these input parameters so they can be used when the IAM role and policy are created as part of aws-codeseeder.

Describe alternatives you've considered
I have been manually updating the files and running the seedfarmer bootstrap and deploy commands.

Update the files below before seedfarmer bootstrap:

  • In seedfarmer library, update toolchain_role.template and deployment_role.template
    -> add Path: /project/service-role/ for role creation for ToolchainRole and DeploymentRole

  • In seedfarmer library, in utils.py, update get_deployment_role_arn and get_toolchain_role_arn in role arns
    -> add /project/service-role/ as path

Then run the command below:

seedfarmer bootstrap toolchain --project aiops --trusted-principal ${ADMIN_ROLE_ARN} \
  --permissions-boundary permissions-boundary_arn --as-target

Update the files below before seedfarmer apply:

  • In seedfarmer library, update projectpolicy
    -> update ProjectPolicy and add Path: /project/
    -> update the policy document resource to role/* from role/cdk* and role/${ProjectName}*

  • In seedfarmer library, update _iam.py
    -> add new args as path: '/project/service-role/'

  • In seedfarmer library, update _module_commands.py
    -> update codebuild_role_name to codebuild_role_name="arn:aws:iam::<AWS_ACCOUNT>:role/project/service-role/"+mdo.module_role_name

Then run the command below:
seedfarmer apply manifests/mlops-sagemaker/deployment.yaml --env-file .env --debug

Additional context
These IAM role and policy paths are used in most scenarios where security best practices are followed, so this will be a very good addition for users of the seedfarmer library.

@nileshlathiya nileshlathiya added the enhancement New feature or request label Dec 9, 2024
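The workaround above touches both ARN construction and the policy Resource patterns because an IAM path becomes part of the role ARN. The following is an added example, not part of the original post and not seed-farmer code; it assumes a constructed account ID, a hypothetical role name, and a simplified model of IAM wildcard matching. It shows why `role/${ProjectName}*` stops matching once a path is set, and how a path-scoped pattern compares with `role/*`.

```python
import re

# IAM path rule: "/" alone, or a string that starts and ends with "/",
# printable ASCII only, 1-512 characters.
_PATH_RE = re.compile(r"/|/[\x21-\x7e]+/")

ACCOUNT = "111122223333"            # constructed sample account ID
PROJECT = "aiops"                   # project name from the issue
PATH = "/project/service-role/"     # role path from the issue
ROLE = f"{PROJECT}-example-module-role"  # hypothetical role name


def validate_iam_path(path: str) -> str:
    """Return the path unchanged, or raise ValueError if IAM would reject it."""
    if not 1 <= len(path) <= 512 or not _PATH_RE.fullmatch(path):
        raise ValueError(f"invalid IAM path: {path!r}")
    return path


def role_arn(account_id: str, role_name: str, path: str = "/",
             partition: str = "aws") -> str:
    """Build a role ARN; the path sits between 'role' and the role name."""
    return f"arn:{partition}:iam::{account_id}:role{validate_iam_path(path)}{role_name}"


def resource_matches(pattern: str, arn: str) -> bool:
    """Simplified Resource matching: '*' is any run of characters
    (including '/'), '?' is exactly one character."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, arn) is not None


if __name__ == "__main__":
    prefix = f"arn:aws:iam::{ACCOUNT}:role/"
    arns = [
        role_arn(ACCOUNT, ROLE),                   # default path "/"
        role_arn(ACCOUNT, ROLE, PATH),             # custom path
        role_arn(ACCOUNT, "OtherTeamRole", "/other/"),  # constructed, unrelated role
    ]
    for pattern in (f"{prefix}{PROJECT}*", f"{prefix}*", f"{prefix}{PATH[1:]}*"):
        print(pattern)
        for arn in arns:
            print(f"  {'match' if resource_matches(pattern, arn) else 'no   '}  {arn}")
```

In this model, `role/*` also matches the unrelated role under `/other/`, while `role/project/service-role/*` matches only roles created under the custom path.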
@dgraeber
Contributor

dgraeber commented Dec 9, 2024

Hi @nileshlathiya

Thanks for your request.

We will investigate

@dgraeber
Contributor

Circling back on this as I know there are internal conversations with @kukushking, but I have not received any detailed info.
