Why so many IAM Statement Changes?

[moltar]

Thanks for this package, it's really helpful and great!

I am experiencing a strange issue, where on every app code change and deployment many IAM Statement Changes are required.

I get this on every cdk deploy if I change any assets that are handled by this package.

My use case is very simple:

    const react = new TypeScriptSource('index.tsx', {
      buildOptions: {
        absWorkingDir: path.join(__dirname, '../src/react')
      }
    });

IAM Statement Changes
┌───┬────────────────────────────────────────────────────────────────┬────────┬────────────────────────────────────────────────────────────────┬────────────────────────────────────────────────────────────────┬───────────┐
│   │ Resource                                                       │ Effect │ Action                                                         │ Principal                                                      │ Condition │
├───┼────────────────────────────────────────────────────────────────┼────────┼────────────────────────────────────────────────────────────────┼────────────────────────────────────────────────────────────────┼───────────┤
│ - │ arn:${AWS::Partition}:s3:::${AssetParameters22436960d4c471d5ac │ Allow  │ s3:GetBucket*                                                  │ AWS:${Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB87 │           │
│   │ 0d42b5fbc68639eb16393434e771a1baba7f1acb19d8b5S3BucketB680B1A3 │        │ s3:GetObject*                                                  │ 56C/ServiceRole}                                               │           │
│   │ }                                                              │        │ s3:List*                                                       │                                                                │           │
│   │ arn:${AWS::Partition}:s3:::${AssetParameters22436960d4c471d5ac │        │                                                                │                                                                │           │
│   │ 0d42b5fbc68639eb16393434e771a1baba7f1acb19d8b5S3BucketB680B1A3 │        │                                                                │                                                                │           │
│   │ }/*                                                            │        │                                                                │                                                                │           │
├───┼────────────────────────────────────────────────────────────────┼────────┼────────────────────────────────────────────────────────────────┼────────────────────────────────────────────────────────────────┼───────────┤
│ - │ arn:${AWS::Partition}:s3:::${AssetParametersfb63292a4cc03f7813 │ Allow  │ s3:GetBucket*                                                  │ AWS:${Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB87 │           │
│   │ 6b6b2ddd1295d7a78a11a400c1dc3a78bf2ecedfc872beS3Bucket347DE160 │        │ s3:GetObject*                                                  │ 56C/ServiceRole}                                               │           │
│   │ }                                                              │        │ s3:List*                                                       │                                                                │           │
│   │ arn:${AWS::Partition}:s3:::${AssetParametersfb63292a4cc03f7813 │        │                                                                │                                                                │           │
│   │ 6b6b2ddd1295d7a78a11a400c1dc3a78bf2ecedfc872beS3Bucket347DE160 │        │                                                                │                                                                │           │
│   │ }/*                                                            │        │                                                                │                                                                │           │
├───┼────────────────────────────────────────────────────────────────┼────────┼────────────────────────────────────────────────────────────────┼────────────────────────────────────────────────────────────────┼───────────┤
│ + │ arn:${AWS::Partition}:s3:::${AssetParameters44fef59e3160f2ac44 │ Allow  │ s3:GetBucket*                                                  │ AWS:${Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB87 │           │
│   │ cfe70d2db57f55bfab59f46c73a59178b59318f691c9a2S3BucketE0D75CD4 │        │ s3:GetObject*                                                  │ 56C/ServiceRole}                                               │           │
│   │ }                                                              │        │ s3:List*                                                       │                                                                │           │
│   │ arn:${AWS::Partition}:s3:::${AssetParameters44fef59e3160f2ac44 │        │                                                                │                                                                │           │
│   │ cfe70d2db57f55bfab59f46c73a59178b59318f691c9a2S3BucketE0D75CD4 │        │                                                                │                                                                │           │
│   │ }/*                                                            │        │                                                                │                                                                │           │
├───┼────────────────────────────────────────────────────────────────┼────────┼────────────────────────────────────────────────────────────────┼────────────────────────────────────────────────────────────────┼───────────┤
│ + │ arn:${AWS::Partition}:s3:::${AssetParameters54d6740879de95308d │ Allow  │ s3:GetBucket*                                                  │ AWS:${Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB87 │           │
│   │ de4f03fe57a4445b3de9b7084fcabb4fd2d799b70ab7a0S3Bucket83758749 │        │ s3:GetObject*                                                  │ 56C/ServiceRole}                                               │           │
│   │ }                                                              │        │ s3:List*                                                       │                                                                │           │
│   │ arn:${AWS::Partition}:s3:::${AssetParameters54d6740879de95308d │        │                                                                │                                                                │           │
│   │ de4f03fe57a4445b3de9b7084fcabb4fd2d799b70ab7a0S3Bucket83758749 │        │                                                                │                                                                │           │
│   │ }/*                                                            │        │                                                                │                                                                │           │
└───┴────────────────────────────────────────────────────────────────┴────────┴────────────────────────────────────────────────────────────────┴────────────────────────────────────────────────────────────────┴───────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)

[mrgrain]

Thanks for the kind words @moltar I'm glad this package is useful to you!

The IAM Statement Changes are expected, unfortunately the details CDK provides aren't super helpful. If you look at the Principal you can see that it references a Custom::CDKBucketDeploymentXYZ/ServiceRole. That's the role the custom Cloudformation resource uses to access the uploaded Assets.

When you run cdk deploy, your TypeScriptSource gets uploaded to the CDK bucket (as created during cdk bootstrap) as a ZIP file. CFN then updates a parameter to reference this newly uploaded asset. @aws-cdk/aws-s3-deployment module is implemented as a custom resource which will download that ZIP file and upload the files to the desired S3 location.

The IAM changes you are seeing, are a reflection of the required changes to access the newly uploaded zip file from within this custom resource (and also revoking access to the previous one - the ones with -).

I'd expect to see a pair of removed/added permissions for every BucketDeployment in your stack. Can you confirm you are using two of them?

Edit: We are using a new Source object for the deployment. The line that grants these permissions can be found in source.ts. The sources provided by the s3 deployment module itself do something very similar.

You can verify this behaviour by temporary replacing the TypeScriptSource with a precompiled version using Source.asset(). I'd expect you will see similar IAM statement updates.

[moltar]

Thank you for the explanation! You are right, it does occur when using Source.asset directly as well.

That's why there are two buckets actually, because I'm using two sources. One for static files (public/*) and one for transpiled files (via this package).

Case closed then 😁

Thanks!