Have an ability to set iam role tags

Use case description

Sometimes there are use cases where the Lambda execution role needs to have special tags (same as function.tags). Those can be used for attribution, access control or something else.

Currently there are at least two ways to have those:

  • Use top-level stackTags, which will be “cascaded” to all application resources. Cons: all resources will get the tag, while it’s only intended for the execution role.
  • Use a custom role. Cons: boilerplate code, additional complexity for the user.

Proposed solution

Add an iamRoleTags directive with the standard key-value format, like so:

iamRoleTags:
  reader: 'restricted'
  foo: 'bar'

iamRoleStatements:
  - Effect: Allow
    Action:
      - s3:GetObject
    Resource:
      - arn:aws:s3:::sensitive-data

I’m happy to craft a PR for this change as long as this proposal gets endorsement from the maintainers.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 6 (6 by maintainers)

Top GitHub Comments

2 reactions
medikoo commented, Dec 28, 2020

whenever I see two properties that would apply to the same resource, it suggests that it might be worth considering if it wouldn’t be better to gather them under a common property e.g.

+1. It indeed again puts us on the path of introducing a new deprecation, but I think it’s a good idea to group it. We also have other IAM-related properties. I’d group them all under provider.iam as below:

provider:
  iam:
    role: # either a directly assigned ARN or object with below options
      permissionBoundary: ...
      managedPolicies: ...
      statements: ...
      tags: ...
    deploymentRole: ... # Replacement for `cfnRole`

In that case I’d split this work into two independent tasks. The first moves us to the new configuration, and the second follows with the introduction of provider.iam.role.tags.
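To show what both shapes of the configuration (the original iamRoleTags / iamRoleStatements proposal and the grouped provider.iam.role layout above) would have to compile into, here is an added example that is not Serverless Framework code and not from either commenter. It takes a provider section, validates the tags against the AWS IAM tag constraints (limits assumed from the IAM tagging documentation; re-check them against current docs) and emits the CloudFormation AWS::IAM::Role resource for the execution role with only that role tagged. The RoleName and inline policy name patterns are assumptions for this example, not the framework's conventions, and the sample provider config is constructed from the values in the issue.

```javascript
// Added example (not Serverless Framework code): compile the proposed
// execution-role tag configuration into the CloudFormation AWS::IAM::Role
// resource a framework would emit for the Lambda execution role. Both the
// flat layout (provider.iamRoleTags / provider.iamRoleStatements) and the
// grouped layout (provider.iam.role.{tags,statements}) are accepted.

// IAM tag constraints (assumed from the AWS IAM tagging documentation;
// verify against current docs): at most 50 tags, key 1..128 chars,
// value 0..256 chars, keys must not start with "aws:", and only letters,
// digits, spaces and _ . : / = + - @ are allowed.
const MAX_TAGS = 50;
const MAX_KEY_LEN = 128;
const MAX_VALUE_LEN = 256;
const TAG_CHARS = /^[\p{L}\p{N} _.:\/=+\-@]*$/u;

// Prefer the grouped layout when it is present; otherwise fall back to the
// flat keys from the original proposal.
function resolveRoleConfig(provider) {
  const role = provider.iam && provider.iam.role;
  if (role && typeof role === 'object') {
    return { tags: role.tags || {}, statements: role.statements || [] };
  }
  return { tags: provider.iamRoleTags || {}, statements: provider.iamRoleStatements || [] };
}

// Reject tags CloudFormation would fail on at deploy time, so a bad
// configuration is caught before a stack update is attempted.
function validateTags(tags) {
  const entries = Object.entries(tags).map(([k, v]) => [k, String(v)]);
  if (entries.length > MAX_TAGS) {
    throw new Error(`too many tags: ${entries.length} > ${MAX_TAGS}`);
  }
  for (const [key, value] of entries) {
    if (key.length < 1 || key.length > MAX_KEY_LEN) throw new Error(`bad tag key length: "${key}"`);
    if (value.length > MAX_VALUE_LEN) throw new Error(`tag value too long for "${key}"`);
    if (key.toLowerCase().startsWith('aws:')) throw new Error(`reserved prefix in tag key "${key}"`);
    if (!TAG_CHARS.test(key) || !TAG_CHARS.test(value)) throw new Error(`illegal character in tag "${key}"`);
  }
  return entries;
}

// Build the execution role resource. RoleName and PolicyName patterns are
// assumptions for this example, not the framework's conventions.
function compileExecutionRole(provider, serviceName, stage) {
  const { tags, statements } = resolveRoleConfig(provider);
  const role = {
    Type: 'AWS::IAM::Role',
    Properties: {
      RoleName: `${serviceName}-${stage}-lambdaRole`,
      AssumeRolePolicyDocument: {
        Version: '2012-10-17',
        Statement: [{ Effect: 'Allow', Principal: { Service: 'lambda.amazonaws.com' }, Action: 'sts:AssumeRole' }],
      },
      Policies: [{
        PolicyName: `${serviceName}-${stage}-lambda`,
        PolicyDocument: { Version: '2012-10-17', Statement: statements },
      }],
    },
  };
  const tagEntries = validateTags(tags);
  if (tagEntries.length > 0) {
    // Only the role carries these tags; nothing cascades to other resources
    // the way top-level stackTags would.
    role.Properties.Tags = tagEntries.map(([Key, Value]) => ({ Key, Value }));
  }
  return role;
}

// Constructed sample provider section mirroring the issue's proposal, in the
// grouped layout.
const SAMPLE_PROVIDER = {
  iam: {
    role: {
      tags: { reader: 'restricted', foo: 'bar' },
      statements: [{ Effect: 'Allow', Action: ['s3:GetObject'], Resource: ['arn:aws:s3:::sensitive-data'] }],
    },
  },
};

console.log(JSON.stringify(compileExecutionRole(SAMPLE_PROVIDER, 'my-service', 'dev'), null, 2));
```

Validating up front matters because these tags are the values an ABAC policy will later match on: a tag with a reserved prefix or an illegal character fails the whole stack update, and a silently dropped or mistyped tag leaves the role outside the access-control condition it was meant to satisfy. For the same reason the deploying identity needs iam:TagRole on the execution role, and whoever can set those tags can effectively change what the role is allowed to do, so that permission deserves the same review as the role's policy statements.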

1 reaction
runk commented, Dec 29, 2020

Any objections if I draft a PR with the first task around grouping the iam-related props?