in packages/@aws-cdk/toolkit-lib/lib/api/bootstrap/bootstrap-environment.ts [264:343]
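/**
 * Return the ARN of the example permissions boundary policy for this
 * bootstrap qualifier, creating the policy if it does not exist yet.
 *
 * The policy name is derived from the qualifier (`cdk-<qualifier>-permissions-boundary`),
 * so the same inputs always map to the same policy and a second call reuses it.
 *
 * @param qualifier - bootstrap qualifier; becomes part of the policy name and ARN.
 *   IAM validates PolicyName on creation; a qualifier with characters outside IAM's
 *   allowed set would be rejected by createPolicy — TODO confirm the caller validates it earlier.
 * @param partition - AWS partition used to build the policy ARN (e.g. the value used for `arn:<partition>:iam::...`).
 * @param account - account id the policy lives in.
 * @param sdk - SDK handle used to obtain the IAM client.
 * @returns the policy ARN, either of the existing policy or of the newly created one.
 * @throws ToolkitError when createPolicy returns no ARN; rethrows any getPolicy/createPolicy
 *   error other than `NoSuchEntity`.
 */
private async getExamplePermissionsBoundary(
  qualifier: string,
  partition: string,
  account: string,
  sdk: SDK,
): Promise<string> {
  const iam = sdk.iam();
  const policyName = `cdk-${qualifier}-permissions-boundary`;
  const arn = `arn:${partition}:iam::${account}:policy/${policyName}`;

  // Reuse an existing policy. Only a missing policy (NoSuchEntity) falls through to
  // creation; every other failure (access denied, throttling, ...) is surfaced.
  try {
    const getPolicyResp = await iam.getPolicy({ PolicyArn: arn });
    if (getPolicyResp.Policy) {
      return arn;
    }
  } catch (e: unknown) {
    // https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetPolicy.html#API_GetPolicy_Errors
    const isNoSuchEntity =
      typeof e === 'object' && e !== null && 'name' in e && (e as { name?: unknown }).name === 'NoSuchEntity';
    if (!isNoSuchEntity) {
      throw e;
    }
    // NoSuchEntity: proceed with creating the policy
  }

  // The boundary is built so that a principal constrained by it can do anything,
  // except escape the boundary itself: principals may only be created (or have a
  // boundary attached) when this same boundary is applied, the boundary policy
  // cannot be edited, and the boundary cannot be removed from any user or role.
  const policyDoc = {
    Version: '2012-10-17',
    Statement: [
      {
        Action: ['*'],
        Resource: '*',
        Effect: 'Allow',
        Sid: 'ExplicitAllowAll',
      },
      {
        // Creating users/roles or attaching a boundary is allowed only when the
        // boundary being attached is this very policy.
        Condition: {
          StringEquals: {
            'iam:PermissionsBoundary': arn,
          },
        },
        Action: [
          'iam:CreateUser',
          'iam:CreateRole',
          'iam:PutRolePermissionsBoundary',
          'iam:PutUserPermissionsBoundary',
        ],
        Resource: '*',
        Effect: 'Allow',
        Sid: 'DenyAccessIfRequiredPermBoundaryIsNotBeingApplied',
      },
      {
        // The boundary policy itself must not be altered or deleted.
        Action: [
          'iam:CreatePolicyVersion',
          'iam:DeletePolicy',
          'iam:DeletePolicyVersion',
          'iam:SetDefaultPolicyVersion',
        ],
        Resource: arn,
        Effect: 'Deny',
        Sid: 'DenyPermBoundaryIAMPolicyAlteration',
      },
      {
        // Nobody under this boundary may detach a boundary from any principal.
        Action: ['iam:DeleteUserPermissionsBoundary', 'iam:DeleteRolePermissionsBoundary'],
        Resource: '*',
        Effect: 'Deny',
        Sid: 'DenyRemovalOfPermBoundaryFromAnyUserOrRole',
      },
    ],
  };

  const createPolicyResponse = await iam.createPolicy({
    PolicyName: policyName,
    PolicyDocument: JSON.stringify(policyDoc),
  });
  if (createPolicyResponse.Policy?.Arn) {
    return createPolicyResponse.Policy.Arn;
  }
  throw new ToolkitError(`Could not retrieve the example permission boundary ${arn}!`);
}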