aws-iam: Add description to AccessKey #27687
Comments
IAM Access Key doesn't have a https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-accesskey.html

@themnd I recommend opening an issue in cloudformation-coverage-roadmap to get this added to CFN first.
As a workaround, you can use a custom resource to accomplish this:

```typescript
import * as iam from 'aws-cdk-lib/aws-iam';
import * as cr from 'aws-cdk-lib/custom-resources';

// Runs inside a Stack or Construct (`this` is the scope).
const user = new iam.User(this, 'User');
const accessKey = new iam.AccessKey(this, 'AccessKey', { user });
const description = "This is the key description";

// Store the description as a tag on the user, using the access key ID as the
// tag key. onCreate is omitted, so the onUpdate call is also made on create.
new cr.AwsCustomResource(this, 'AccessKeyDesc', {
  onUpdate: {
    service: 'IAM',
    action: 'TagUser',
    parameters: {
      UserName: user.userName,
      Tags: [
        {
          Key: accessKey.accessKeyId,
          Value: description
        }
      ]
    },
    physicalResourceId: cr.PhysicalResourceId.of(accessKey.accessKeyId)
  },
  // Remove the tag again when this resource is deleted.
  onDelete: {
    service: 'IAM',
    action: 'UntagUser',
    parameters: {
      UserName: user.userName,
      TagKeys: [accessKey.accessKeyId]
    }
  },
  // Least privilege: only tag/untag this user, and only with this tag key.
  policy: cr.AwsCustomResourcePolicy.fromStatements([
    new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      actions: ['iam:TagUser', 'iam:UntagUser'],
      resources: [user.userArn],
      conditions: {
        'ForAllValues:StringEquals': {
          'aws:TagKeys': [accessKey.accessKeyId],
        }
      }
    })
  ]),
});
```
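The read side of this workaround, added here as an example and not code from the issue or from the CDK project: given a user's access keys and tags, it recovers each key's description, validates a description before it is deployed as a tag value, and flags description tags left behind after a key was deleted outside the stack. The response shapes mirror the IAM ListAccessKeys and ListUserTags calls; the sample values are constructed.

```typescript
// Response shapes after the IAM ListAccessKeys / ListUserTags API calls.
interface AccessKeyMetadata { AccessKeyId: string; Status: 'Active' | 'Inactive'; CreateDate: string }
interface Tag { Key: string; Value: string }
interface DescribedKey { accessKeyId: string; status: string; createDate: string; description?: string }

// Long-lived key IDs start with AKIA, temporary ones with ASIA; 20 chars total.
const ACCESS_KEY_ID_RE = /^(AKIA|ASIA)[A-Z0-9]{16}$/;
// IAM tag values are 0-256 chars. IAM also permits non-ASCII letters; this
// conservative ASCII check rejects them rather than guessing the full set.
const TAG_VALUE_RE = /^[A-Za-z0-9 _.:/=+\-@]*$/;

// Validate a description before it is deployed as a tag value.
// Returns undefined when acceptable, otherwise the reason it was rejected.
function validateDescription(value: string): string | undefined {
  if (value.length > 256) return 'longer than 256 characters';
  if (!TAG_VALUE_RE.test(value)) return 'contains characters not allowed in IAM tag values';
  // A 40-char base64-like run is the shape of a secret access key; tags are
  // readable by anyone with iam:ListUserTags, so refuse to store one there.
  if (/[A-Za-z0-9/+]{40}/.test(value)) return 'looks like it contains a secret access key';
  return undefined;
}

// Join each access key with its description tag, if one exists.
function describeAccessKeys(keys: AccessKeyMetadata[], tags: Tag[]): DescribedKey[] {
  const byKeyId: Record<string, string> = {};
  for (const t of tags) if (ACCESS_KEY_ID_RE.test(t.Key)) byKeyId[t.Key] = t.Value;
  return keys.map(k => ({
    accessKeyId: k.AccessKeyId, status: k.Status, createDate: k.CreateDate,
    description: byKeyId[k.AccessKeyId],
  }));
}

// Tags shaped like an access key ID whose key no longer exists: left behind when
// a key is deleted outside the stack, so the custom resource's onDelete never ran.
function orphanedDescriptionTags(keys: AccessKeyMetadata[], tags: Tag[]): string[] {
  const live = keys.map(k => k.AccessKeyId);
  return tags.map(t => t.Key).filter(k => ACCESS_KEY_ID_RE.test(k) && live.indexOf(k) < 0);
}

// Constructed sample responses (not real keys or accounts).
const sampleKeys: AccessKeyMetadata[] = [
  { AccessKeyId: 'AKIAEXAMPLE000000001', Status: 'Active', CreateDate: '2023-10-20T09:00:00Z' },
  { AccessKeyId: 'AKIAEXAMPLE000000002', Status: 'Inactive', CreateDate: '2023-01-05T09:00:00Z' },
];
const sampleTags: Tag[] = [
  { Key: 'AKIAEXAMPLE000000001', Value: 'Key used to access reports-bucket' },
  { Key: 'AKIAEXAMPLE000000009', Value: 'stale entry' },
  { Key: 'team', Value: 'payments' },
];
```

Running `orphanedDescriptionTags` periodically against the live user is a cheap check that the tag-based descriptions have not drifted from the keys that actually exist.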
@kylelaker you are right, but this creates extra resources just to add a description: it is not worth it. This is the translated Java version:

```java
import java.util.Arrays;
import java.util.List;
import java.util.Map;

import software.amazon.awscdk.RemovalPolicy;
import software.amazon.awscdk.customresources.AwsCustomResource;
import software.amazon.awscdk.customresources.AwsCustomResourcePolicy;
import software.amazon.awscdk.customresources.AwsSdkCall;
import software.amazon.awscdk.customresources.PhysicalResourceId;
import software.amazon.awscdk.services.iam.Effect;
import software.amazon.awscdk.services.iam.PolicyStatement;

// Assumed context: `user` (iam.User), `key` (iam.AccessKey), `s3` (s3.Bucket) and
// `userName` are defined earlier in the stack. `Maps.builder()`, `Lists.builder()`
// and `list(...)` are the poster's own builder helpers, not CDK or JDK classes.

// TagUser parameters: the tag key is the access key ID, the value the description.
final Map<String, Object> tag = Maps
    .builder()
    .put("UserName", user.getUserName())
    .put("Tags", Lists
        .<Map<String, String>>builder()
        .add(Maps
            .<String>builder()
            .put("Key", key.getAccessKeyId())
            .put("Value", String.format("Key used to access %s", s3.getBucketName()))
            .build())
        .build())
    .build();

AwsCustomResource.Builder
    .create(this, userName + "-key-desc")
    .onUpdate(AwsSdkCall
        .builder()
        .service("IAM")
        .action("TagUser")
        .parameters(tag)
        .physicalResourceId(PhysicalResourceId.of(key.getAccessKeyId()))
        .build())
    // Least privilege: tag/untag only this user, and only with this tag key.
    .policy(AwsCustomResourcePolicy.fromStatements(
        list(PolicyStatement.Builder
            .create()
            .effect(Effect.ALLOW)
            .actions(Arrays.asList("iam:TagUser", "iam:UntagUser"))
            .resources(list(user.getUserArn()))
            .conditions(Maps
                .builder()
                .put("ForAllValues:StringEquals", Maps
                    .builder()
                    .put("aws:TagKeys", Lists
                        .<String>builder()
                        .add(key.getAccessKeyId())
                        .build())
                    .build())
                .build())
            .build())
    ))
    .removalPolicy(RemovalPolicy.DESTROY)
    .build();
```
Describe the feature

Add the ability to set up an accessKey description.

Use Case

In our stack we generate the accessKey for an IAM user and we would like to add a description of why that access key has been generated in the access key description; we already did this manually.

Proposed Solution

The method description does not exist.
CDK version used
2.102.0 (build 2abc59a)
Environment details (OS name and version, etc.)
mac os x