feat(aws-sqs): improvements to IAM grants API #1052

Merged (2 commits), Nov 1, 2018
feat(aws-sqs): improvements to IAM grants API
Moved `grantXxx` methods from `Queue` to `QueueRef`, so they can now be
performed on imported queues.

Added commonly needed permissions to `grantConsumeMessages` and
`grantSendMessages` such as `sqs:GetQueueAttributes`, `sqs:GetQueueUrl`
and the various `sqs:xxxBatch` actions.

Added support for adding arbitrary actions to each of the grant methods.

Exposed `queue.grant(...actions)` as a general purpose grant method
which allows users to customize the set of actions for this specific 
resource/principal pair.

BREAKING CHANGE: `queue.grantReceiveMessages` has been removed. It is unlikely that this would be
sufficient to interact with a queue. Alternatively you can use `queue.grantConsumeMessages` or 
`queue.grant('sqs:ReceiveMessage')` if there's a need to only grant this action.
Elad Ben-Israel committed Oct 31, 2018
commit 51cd486cfd007d2c69c1dc710d95dfb7b08ffda2
12 changes: 0 additions & 12 deletions packages/@aws-cdk/aws-sqs/lib/perms.ts

This file was deleted.

87 changes: 87 additions & 0 deletions packages/@aws-cdk/aws-sqs/lib/queue-ref.ts
@@ -110,6 +110,93 @@ export abstract class QueueRef extends cdk.Construct implements s3n.IBucketNotif
dependencies: [ this.policy! ]
};
}

/**
* Grant permissions to consume messages from a queue
*
* This will grant the following permissions:
*
* - sqs:ChangeMessageVisibility
* - sqs:ChangeMessageVisibilityBatch
* - sqs:DeleteMessage
* - sqs:ReceiveMessage
* - sqs:DeleteMessageBatch
* - sqs:GetQueueAttributes
* - sqs:GetQueueUrl
*
* @param identity Principal to grant consume rights to
* @param queueActions additional queue actions to allow
*/
public grantConsumeMessages(identity?: iam.IPrincipal, ...queueActions: string[]) {
this.grant(identity,
'sqs:ReceiveMessage',
'sqs:ChangeMessageVisibility',
'sqs:ChangeMessageVisibilityBatch',
'sqs:GetQueueUrl',
'sqs:DeleteMessage',
'sqs:DeleteMessageBatch',
'sqs:GetQueueAttributes',
...queueActions);
}

/**
* Grant access to send messages to a queue to the given identity.
*
* This will grant the following permissions:
*
* - sqs:SendMessage
* - sqs:SendMessageBatch
* - sqs:GetQueueAttributes
* - sqs:GetQueueUrl
*
* @param identity Principal to grant send rights to
* @param queueActions additional queue actions to allow
*/
public grantSendMessages(identity?: iam.IPrincipal, ...queueActions: string[]) {
this.grant(identity,
'sqs:SendMessage',
'sqs:SendMessageBatch',
'sqs:GetQueueAttributes',
'sqs:GetQueueUrl',
...queueActions);
}

/**
* Grant an IAM principal permissions to purge all messages from the queue.
*
* This will grant the following permissions:
*
* - sqs:PurgeQueue
* - sqs:GetQueueAttributes
* - sqs:GetQueueUrl
*
* @param identity Principal to grant send rights to
* @param queueActions additional queue actions to allow
*/
public grantPurge(identity?: iam.IPrincipal, ...queueActions: string[]) {
this.grant(identity,
'sqs:PurgeQueue',
'sqs:GetQueueAttributes',
'sqs:GetQueueUrl',
...queueActions);
}

/**
* Grant the actions defined in queueActions to the identity Principal given
* on this SQS queue resource.
*
* @param identity Principal to grant right to
* @param queueActions The actions to grant
*/
public grant(identity?: iam.IPrincipal, ...queueActions: string[]) {
if (!identity) {
return;
}

identity.addToPolicy(new iam.PolicyStatement()
.addResource(this.queueArn)
.addActions(...queueActions));
}
}

/**
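Review bot: the `@param identity` line on `grantPurge` still reads "Principal to grant send rights to", copied from `grantSendMessages`; it should say purge rights. Two smaller points on the same hunk: `'sqs:GetQueueAttributes'` and `'sqs:GetQueueUrl'` are now repeated as literals in all three convenience methods, where the deleted `perms.ts` kept them in one shared list, so a single constant for the read-only actions would avoid the three copies drifting apart; and the `...queueActions` rest parameter goes straight into `addActions` with no check, so any convenience grant can be widened to arbitrary extra actions on the queue ARN. That is intended per the commit message, but the docstrings should say that the caller is responsible for keeping the added actions minimal, and `grant()` returning silently when `identity` is undefined deserves a sentence in its docstring so callers know no policy statement was added in that case.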
60 changes: 0 additions & 60 deletions packages/@aws-cdk/aws-sqs/lib/queue.ts
@@ -1,7 +1,5 @@
import iam = require('@aws-cdk/aws-iam');
import kms = require('@aws-cdk/aws-kms');
import cdk = require('@aws-cdk/cdk');
import perms = require('./perms');
import { QueueRef } from './queue-ref';
import { cloudformation } from './sqs.generated';
import { validateProps } from './validate-props';
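Review bot: with `import perms` dropped and the only visible uses of `iam.IPrincipal` and `iam.PolicyStatement` in this file removed by the hunk below, check that `iam` is still referenced somewhere else in `queue.ts`; if it is not, the now-unused `@aws-cdk/aws-iam` import should be removed in this same hunk rather than left for the lint step to catch.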
@@ -277,64 +275,6 @@ export class Queue extends QueueRef {
}
}

/**
* Grant permissions to consume messages from a queue
*
* This will grant the following permissions:
*
* - sqs:ChangeMessageVisibility
* - sqs:DeleteMessage
* - sqs:ReceiveMessage
*
* @param identity Principal to grant consume rights to
*/
public grantConsumeMessages(identity?: iam.IPrincipal) {
this.grant(identity, perms.QUEUE_GET_ACTIONS.concat(perms.QUEUE_CONSUME_ACTIONS));
}

/**
* Grant access to receive messages from a queue to
* the given identity.
*
* This will grant sqs:ReceiveMessage
*
* @param identity Principal to grant receive rights to
*/
public grantReceiveMessages(identity?: iam.IPrincipal) {
this.grant(identity, perms.QUEUE_GET_ACTIONS);
}

/**
* Grant access to send messages to a queue to the
* given identity.
*
* This will grant sqs:SendMessage
*
* @param identity Principal to grant send rights to
*/
public grantSendMessages(identity?: iam.IPrincipal) {
this.grant(identity, perms.QUEUE_PUT_ACTIONS);
}

/**
* Grant the actions defined in queueActions
* to the identity Principal given.
*
* @param identity Principal to grant right to
* @param queueActions The actions to grant
*/
private grant(identity: iam.IPrincipal | undefined,
queueActions: string[]) {

if (!identity) {
return;
}

identity.addToPolicy(new iam.PolicyStatement()
.addResource(this.queueArn)
.addActions(...queueActions));
}

/**
* Look at the props, see if the FIFO props agree, and return the correct subset of props
*/
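Review bot: the removed `grantReceiveMessages` actually granted `perms.QUEUE_GET_ACTIONS`, not the bare `sqs:ReceiveMessage` its docstring promised, and the old `grantConsumeMessages` granted `QUEUE_GET_ACTIONS.concat(QUEUE_CONSUME_ACTIONS)` from two lists that are no longer visible here, so the explicit action lists on `QueueRef` are an improvement in auditability; please confirm the new `grantConsumeMessages` and `grantSendMessages` lists are supersets of the old `perms` lists so existing stacks do not lose permissions on upgrade (a snapshot test on the synthesized policy statement would catch a regression). Also note that `grant` goes from `private` here to `public` on `QueueRef`, which the commit message calls out as a feature; the BREAKING CHANGE entry should mention it alongside the `grantReceiveMessages` removal, since consumers may already have a `grant` method on subclasses of `Queue`.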