Giter Site home page Giter Site logo

Comments (3)

kolanos avatar kolanos commented on July 28, 2024

@dgillman Thanks for reporting The CLI has a --role-name argument that allows the user to specify their own role. There's also an --aws-role-policy argument. Do these not address this situation?

from newrelic-lambda-cli.

dgillman avatar dgillman commented on July 28, 2024

@kolanos, thank you for the response. These options do not address the situation.

I cannot claim deep knowledge how the various roles and policies created by newrelic-lambda are used. But I have validated my concerns by exercising both options.

--role-name supplies a role to the stack created by ./newrelic_lambda_cli/templates/import-template.yaml. It is the role assumed by a "log ingestion" lambda. This is tangential to my issue/concern.

--aws-role-policy supplies a policy to the stack created by ./newrelic_lambda_cli/templates/nr-lambda-integration-role.yaml. That policy is attached to a role created for overall NewRelic integration. This is the policy I wish to control. I am forced to do so by security bureaucracy.

--aws-role-policy offers two options:

  1. I can omit it, and a universal read policy is granted to NewRelic integration (presumably processes within the NewRelic account which poll for data from my client's account). A universal read permission is not permitted under a "least privileges" security model and will be flatly rejected by my clients' Information Security department. It is a non-starter. I will be creating my own policy.

  2. I can supply an --aws-role-policy. In this case the argument I supply will be used as a name for a policy which the newrelic-lambda CLI creates. But because of the implementation, I will not be able to maintain or manage that policy using CloudFormation. Under the hood newrelic-lambda creates a CloudFormation stack. That stack will own the policy. CloudFormation will not allow me to create my own stack to manage the policy.

So, my proposal is that newrelic-lambda do less. Or at least I am proposing users have the option to choose to let it do less. I want a way to submit the name of a policy which I control instead of having it created for me. Though this level of automation is thoughtful, the drawback of not being able to use CloudFormation to manage the role is a problem.

from newrelic-lambda-cli.

kolanos avatar kolanos commented on July 28, 2024

@@dgillman We've released an update that includes this feature. Would be interested in your feedback.

from newrelic-lambda-cli.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.