AWS Permissions Boundaries

How to restrict Release permissions for fine-grained control


Last updated 1 year ago


Release has access to your AWS account to create and deploy infrastructure and code there. This gives Release sufficient permissions to spin up clusters, load balancers, RDS databases, and snapshots, configure DNS, and more. However, you may want to restrict the level of access Release is granted to your account.

AWS supports permissions boundaries to restrict an IAM entity's access to services and resources in your account. A permissions boundary is a managed policy attached to a role or user that sets the maximum permissions that entity can have: the boundary itself grants nothing, and the effective permissions are the intersection of the entity's identity-based policies and the boundary. For example, while Release's power user access allows it to request full access to all S3 buckets, you can apply a boundary policy that restricts Release's access to buckets with specific names or prefixes, or that allows Release read-only permissions and not delete permissions.

You can apply a permissions boundary to Release's default console role. A permissions boundary only restricts the activities you choose to exclude, so as long as the actions Release needs for day-to-day deployments remain within the boundary, Release continues to function normally. During the course of normal operations, for example, it might not be necessary to provision any infrastructure or create DNS zones in the customer account; this level of access is only required during upgrades or when building a new cluster. In such a case, the normal day-to-day operations of the default Release role can be restricted by a permissions boundary, which can be temporarily expanded or removed when more access is required.

Prerequisites

These are the prerequisites for configuring and applying a permissions boundary:

  • A Release-provisioned cluster in your account or subaccount that you have access to.

  • The Release-created console role ARN in your account, which you'll find in the /release/ namespace in IAM. Here is an example: arn:aws:iam::99999999999:role/release/releasehub-integration-ConsoleRole-1ABCDE2345.

  • The Release-created CloudFormation stack ARN in your account, which you can find in the stacks listed in the region the CloudFormation stack was built (the default region is us-west-2, but you may have chosen a different region). Here is an example: arn:aws:cloudformation:us-west-2:9999999999:stack/releaseStack/1111-111-2222-2222222.

  • A suitable policy ARN that restricts Release's access to the services and resources you specify. You can find a starter template with the minimum permissions required for most use cases in your account under the /release/ namespace. The example we provide is similar to arn:aws:iam::99999999999:policy/release/releasehub-integration-ReleaseMinimalPolicy-1ABCDE2345.

  • Login credentials to either the AWS console or CLI.

Creating a reduced permissions boundary policy

Release provides a "Minimal Access Policy" that includes the standard access required for Release in the regular operations of deploying and updating code. This minimum-access policy may suit your needs as-is, and we recommend you start with it to test the permissions boundary.

You can create a policy from scratch, but it might be more convenient to use the provided policy as a template and remove permissions according to your needs.

You can also contact the Release support team to help you develop an access policy.

There are two ways to tighten the policy. Removing an action or resource from an "Allow" statement leaves it implicitly denied, because a boundary permits only what it explicitly allows. Adding a statement with "Effect" set to "Deny" explicitly denies the listed actions on the listed resources, and an explicit "Deny" always overrides any "Allow", so it is the precise tool for excluding specific resources and permissions, as in the example below.

For example, suppose the existing minimal-access policy is mostly suitable for your needs, but the permissions applied in the following stanza are too broad:

        {
            "Action": [
                "rds:Create*",
                "rds:DeleteDBCluster",
                "rds:DeleteDBInstance",
                "rds:ModifyDBCluster",
                "rds:ModifyDBInstance",
                "rds:ModifyDBClusterParameterGroup",
                "rds:ModifyDBParameterGroup",
                "rds:ModifyDBSubnetGroup",
                "rds:StartDBCluster",
                "rds:StartDBInstance",
                "rds:StopDBCluster",
                "rds:StopDBInstance"
            ],
            "Resource": [
                "arn:aws:rds:*:999999999:cluster:*",
                "arn:aws:rds:*:999999999:cluster-pg:*",
                "arn:aws:rds:*:999999999:cluster-snapshot:*",
                "arn:aws:rds:*:999999999:db:*",
                "arn:aws:rds:*:999999999:pg:release-*",
                "arn:aws:rds:*:999999999:og:release-*",
                "arn:aws:rds:*:999999999:secgrp:release-*",
                "arn:aws:rds:*:999999999:snapshot:*",
                "arn:aws:rds:*:999999999:subgrp:*"
            ],
            "Effect": "Allow"
        }

This is the set of RDS permissions that Release requests. To carve out your production databases, add an explicit "Deny" statement to the same boundary policy:

        {
            "Action": [
                "rds:DeleteDBCluster",
                "rds:DeleteDBInstance",
                "rds:ModifyDBCluster",
                "rds:ModifyDBInstance",
                "rds:ModifyDBClusterParameterGroup",
                "rds:ModifyDBParameterGroup",
                "rds:ModifyDBSubnetGroup"
            ],
            "Resource": [
                "arn:aws:rds:*:999999999:db:production-*"
            ],
            "Effect": "Deny"
        }

This statement blocks Release from deleting or modifying DB instances whose identifier starts with production-. Note that Release would still be able to use StartDBInstance and StopDBInstance against production databases, because the original "Allow" stanza permits those actions and the "Deny" does not list them. Note also that the "Deny" names only the db: resource type; an Aurora cluster named production-* is addressed by a cluster: ARN, so if you use Aurora, add arn:aws:rds:*:999999999:cluster:production-* to the "Resource" list as well.

You can repeat this process for any services, APIs, actions, and resources. We recommend you share your policy with Release for review so that potential problems can be identified before they interrupt your deployments.
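To see how the two rules interact, here is a small evaluator, added as an example for this page and not part of Release's tooling, that applies an action and resource ARN against a boundary document built from the RDS stanzas above. It models only Effect, Action and Resource (no Condition, NotAction or NotResource elements) and uses the placeholder account ID 999999999999; real IAM evaluation has more moving parts, so confirm a finished policy with the IAM policy simulator before relying on it.

```python
"""Evaluate an action/resource pair against a permissions boundary document.

Added example for this page, not Release's own code. It implements the two
evaluation rules the boundary discussion relies on: anything not matched by an
Allow statement is implicitly denied, and an explicit Deny wins over any Allow.
The policy fragments below are constructed from the RDS stanzas on this page;
the account ID 999999999999 is a placeholder.
"""
import fnmatch
import json

# Constructed boundary: the page's RDS Allow stanza, reduced to what the
# example needs.
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["rds:Create*", "rds:DeleteDBCluster", "rds:DeleteDBInstance",
                       "rds:ModifyDBInstance", "rds:StartDBInstance", "rds:StopDBInstance"],
            "Resource": ["arn:aws:rds:*:999999999999:cluster:*",
                         "arn:aws:rds:*:999999999999:db:*"],
        },
    ],
}

# The page's Deny carve-out for production- DB instances.
DENY_PROD_DB = {
    "Effect": "Deny",
    "Action": ["rds:DeleteDBCluster", "rds:DeleteDBInstance", "rds:ModifyDBInstance"],
    "Resource": ["arn:aws:rds:*:999999999999:db:production-*"],
}

# Extended carve-out that also reaches Aurora cluster identifiers, which a
# db:-only Deny does not cover.
DENY_PROD_DB_AND_CLUSTER = dict(
    DENY_PROD_DB,
    Resource=DENY_PROD_DB["Resource"] + ["arn:aws:rds:*:999999999999:cluster:production-*"],
)


def _as_list(value):
    """IAM accepts a single string or a list in Action and Resource fields."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value):
    """IAM wildcard matching: '*' matches any run of characters, '?' one."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one request.

    Action names are compared case-insensitively, as IAM does; resource ARNs
    are compared case-sensitively.
    """
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if any(k in stmt for k in ("Condition", "NotAction", "NotResource")):
            raise ValueError("statement uses an element this evaluator does not model")
        action_hit = _matches([a.lower() for a in _as_list(stmt["Action"])], action.lower())
        resource_hit = _matches(_as_list(stmt["Resource"]), resource)
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"   # an explicit Deny is never overridden
        decision = "allow"           # keep scanning: a later Deny still wins
    return decision


def with_deny(policy, deny_statement):
    """Return a copy of the policy with an extra Deny statement appended."""
    copy = json.loads(json.dumps(policy))
    copy["Statement"].append(deny_statement)
    return copy


if __name__ == "__main__":
    restricted = with_deny(BOUNDARY, DENY_PROD_DB)
    prod_db = "arn:aws:rds:us-west-2:999999999999:db:production-main"
    prod_cluster = "arn:aws:rds:us-west-2:999999999999:cluster:production-main"
    for act, res in [("rds:DeleteDBInstance", prod_db),
                     ("rds:StartDBInstance", prod_db),
                     ("rds:DeleteDBCluster", prod_cluster),
                     ("rds:DescribeDBInstances", prod_db)]:
        print(f"{act:26} on {res.split(':', 5)[-1]:24} -> {evaluate(restricted, act, res)}")
```

Running it shows the behaviour the text describes: DeleteDBInstance on production-main is explicitly denied, StartDBInstance on the same instance is still allowed, DeleteDBCluster on a production-main Aurora cluster slips through the db:-only Deny, and DescribeDBInstances is implicitly denied because no Allow statement mentions it.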

Using the AWS CloudFormation Console

Navigate to the AWS CloudFormation console, find the Release-created stack in the region you created it in, and click the Update button.

Whether you choose Replace current template or Use current template is up to you, but we recommend updating to the latest version of our template: select Replace current template, choose Amazon S3 URL, and enter https://release-template.s3-us-west-2.amazonaws.com/integration.yml in the Amazon S3 URL field. Click Next.

DO NOT use the "Edit Template in Designer" option!

On the next page, add the ARN to the managed policy you will use as the permissions boundary. The defaults in the other fields don't need to be changed. Click Next.

The permissions boundary ARN is just a policy ARN, but it must be fully qualified as a complete ARN, not just the policy name or path.

Review all the tags, rollback policies, and so on. The settings here should not need any adjustment, but you can change them if you would like to. Click Next.

On the next page, review your edits, check the acknowledgement box, and click Update stack.

Using the CLI

Your account administrator or security team can script the permissions boundary update so that it is applied automatically. We don't provide the exact set-up steps here, but if the following example is not sufficient, get in touch with the Release support team.

Make sure you fill in the actual values for your account, not the example values shown below.

#!/bin/sh
set -eu

# Export these, otherwise the aws CLI subprocess does not see the profile or region
export AWS_PROFILE=production
export AWS_REGION=us-west-2

# Replace with your own values; AWS account IDs are 12 digits
CF_STACK_ARN="arn:aws:cloudformation:${AWS_REGION}:999999999999:stack/releaseStack/1111-111-2222-2222222"
BOUNDARY_ARN="arn:aws:iam::999999999999:policy/release/releasehub-integration-ReleaseMinimalPolicy-1ABCDE2345"
CONSOLE_ROLE_ARN="arn:aws:iam::999999999999:role/release/releasehub-integration-ConsoleRole-1ABCDE2345"

# Re-apply the latest Release template, keeping the existing parameters and
# setting only the permissions boundary
aws cloudformation update-stack --stack-name "$CF_STACK_ARN" \
    --template-url 'https://release-template.s3-us-west-2.amazonaws.com/integration.yml' \
    --no-use-previous-template \
    --parameters ParameterKey=AccountId,UsePreviousValue=true \
                 ParameterKey=ExternalId,UsePreviousValue=true \
                 ParameterKey=IntegrationUrl,UsePreviousValue=true \
                 ParameterKey=PermissionsBoundaryArn,ParameterValue="${BOUNDARY_ARN}" \
    --capabilities CAPABILITY_IAM

# Block until the update finishes; exits non-zero if the stack rolls back
aws cloudformation wait stack-update-complete --stack-name "$CF_STACK_ARN"

# Confirm the boundary is attached to the console role (role name is the last ARN segment)
aws iam get-role --role-name "${CONSOLE_ROLE_ARN##*/}" --query 'Role.PermissionsBoundary'

Restoring Normal Permissions

To restore normal operations, use the provided "Minimal Access Policy" created by the CloudFormation template as the permissions boundary. If you need to allow elevated permissions, such as during cluster upgrades or when provisioning new clusters, you can temporarily remove the permissions boundary and re-apply it once that work is complete. Consult with the Release support team if you would like assistance with creating a policy that meets your specific needs.
