CDK multiregion and replicated lambda IAM roles

0

Hello everybody,

we currently have many lambdas, spread across multiple gitlab projects (each with its own pipeline). The "cdk deploy" stage of these pipelines usually executes in parallel on different regions, by issuing "cdk deploy -c region=regionA...", another runs for regionB and so on. Every lambda takes with it its own execution role, for the least privilege principle. Some of them, moreover, also carry another role, assumed during execution, to enforce tenant isolation via tags on the assumed role.

We are deploying many of these lambdas in five different regions. Each time we open a new region, lots of similar (if not equal) IAM roles are created to execute our lambdas. Since we have already asked for an increase from 1000 to 2000 roles in our account, and the hard limit of 5000 is not so far, what would you suggest to be the best approach?

We are thinking about aggregating similar roles into a single one, and then referencing it throughout the other lambdas (maybe saving its arn into SSM in a single region and then creating custom resources to retrieve it), but this would require quite some refactoring work, and custom resources gave us lots of headaches in the past.

Any other suggestion or idea would be much appreciated.

1 Answer
1
Accepted Answer

Hi,

AFAIK, IAM is a global service, whose objects are valid for all regions. As a consequence, region name is not part of the ARN.

But, as you say, the quota is global. So, if you multiply roles that are strictly identical in credentials but different in name, you will certainly reach the hard limit rapidly.

So, you should create roles only based on different credentials they grant and avoid creating multiple roles granting same credentials.

What is generating so many roles: is it the way that CDK is used?

The optimal way to use CDK in this situation is to create the roles 100% independently from the Lambdas (i.e. before them) and then have the lambdas reference the existing roles when they get created.

This reduced number of roles will also improve the management of your security: fewer objects and a clear view on Lambdas with the same auths.

Going this way should not create too much work: it will just require creating a mapping function between the roles and the lambdas.

Note: IAM global objects replicate asynchronously across regions. So, you may want to split your current CDK into distinct projects for the roles and for the lambdas. Then, you should deploy the roles once from a central region and give them time to propagate before you deploy the lambdas in each region.

Best,

Didier

AWS EXPERT
answered 6 months ago
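The "mapping function between the roles and the lambdas" suggested in the answer can be driven by the permissions themselves rather than by function name or region. The following is an added example (not code from the question, the answer, or the AWS CDK project): each Lambda is described by the IAM statements its execution role needs, the policy is canonicalised, and a deterministic role name is derived from its hash, so two functions with strictly identical credentials in any region map to one role. The account id, function names, table and queue ARNs, and the `lambda-shared-` prefix are constructed placeholders. The trust policy (`lambda.amazonaws.com`) is the same for every execution role and so is not part of the key.

```python
"""Map Lambda functions to a de-duplicated set of IAM execution roles.

Added example for the answer above; identifiers below are constructed
placeholders, not values from the question or the answer.
"""
import hashlib
import json

ACCOUNT_ID = "123456789012"  # constructed placeholder

# Constructed sample: the same function deployed in two regions (with its
# actions listed in a different order, as often happens across projects) and a
# second function that enforces tenant isolation with an ABAC condition.
LAMBDAS = [
    {"name": "orders-api", "region": "eu-west-1", "statements": [
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:*:123456789012:table/orders"}]},
    {"name": "orders-api", "region": "us-east-1", "statements": [
        {"Effect": "Allow",
         "Action": ["dynamodb:PutItem", "dynamodb:GetItem"],
         "Resource": "arn:aws:dynamodb:*:123456789012:table/orders"}]},
    {"name": "orders-worker", "region": "eu-west-1", "statements": [
        {"Effect": "Allow",
         "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
         "Resource": "arn:aws:sqs:*:123456789012:orders-queue",
         "Condition": {"StringEquals": {
             "aws:ResourceTag/tenant": "${aws:PrincipalTag/tenant}"}}}]},
]


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def canonical_policy(statements):
    """Canonical JSON for a policy: element order and key order do not matter."""
    normalised = []
    for s in statements:
        n = {
            "Effect": s.get("Effect", "Allow"),
            "Action": sorted(_as_list(s["Action"])),
            "Resource": sorted(_as_list(s["Resource"])),
        }
        if "Condition" in s:
            n["Condition"] = s["Condition"]
        normalised.append(n)
    # Statement order is irrelevant to IAM evaluation, so sort deterministically.
    normalised.sort(key=lambda n: json.dumps(n, sort_keys=True))
    policy = {"Version": "2012-10-17", "Statement": normalised}
    return json.dumps(policy, sort_keys=True, separators=(",", ":"))


def role_name_for(statements, prefix="lambda-shared"):
    """Deterministic role name: identical credentials always yield the same name."""
    digest = hashlib.sha256(canonical_policy(statements).encode()).hexdigest()[:12]
    return f"{prefix}-{digest}"  # well under the 64-character role-name limit


def build_role_mapping(lambdas, account_id):
    """Return (roles, mapping): unique roles to create, and (function, region) -> role."""
    roles, mapping = {}, {}
    for fn in lambdas:
        name = role_name_for(fn["statements"])
        role = roles.setdefault(name, {
            "policy": canonical_policy(fn["statements"]),
            # IAM is global: the ARN carries no region, so one role serves all regions.
            "arn": f"arn:aws:iam::{account_id}:role/{name}",
            "lambdas": [],
        })
        role["lambdas"].append((fn["name"], fn["region"]))
        mapping[(fn["name"], fn["region"])] = name
    return roles, mapping


def roles_within_quota(roles, quota):
    """Check the de-duplicated role count against the account's role quota."""
    return len(roles) <= quota


def summarise(lambdas, account_id):
    """Compare one-role-per-deployment against the shared-role approach."""
    roles, _ = build_role_mapping(lambdas, account_id)
    return {
        "lambda_deployments": len(lambdas),
        "naive_roles": len(lambdas),
        "shared_roles": len(roles),
    }


if __name__ == "__main__":
    roles, mapping = build_role_mapping(LAMBDAS, ACCOUNT_ID)
    for key, role_name in mapping.items():
        print(f"{key[0]}@{key[1]} -> {roles[role_name]['arn']}")
    print(summarise(LAMBDAS, ACCOUNT_ID))
```

With this mapping, the roles project deploys the unique entries of `roles` once from the central region, and each regional Lambda stack resolves its role by name (in aws-cdk-lib, `iam.Role.fromRoleName` takes exactly such a name), which avoids both the SSM lookup and the custom resource mentioned in the question. Because the name is a function of the policy, a permission change produces a new role name, so the old role can be retired once no Lambda references it.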
