microapps-deployer - Cross account invoke auth for additional IAM roles
huntharo opened this issue · 1 comments
huntharo commented
Motivations
- When integrating MicroApps into an existing Lambda@Edge function, there is not an ability to change the IAM Role of the existing Lambda to the role that is created and authorized for MicroApps cross-account invokes
- Will need a procedure to apply an additional Role to all existing app aliases
To-Do
- Investigate if we can use OrgID and any other attributes (e.g. calling account id or tags on calling role) to restrict this as it will make this more durable and easier to manage
- Parent account deployer should expose a method that returns the list of IAM roles that should be added to child account Lambdas - This way the child accounts do not need to have a denormalized list of roles, so adding a role requires updating only the parent account config
- The parent account deployer needs the ability to invoke the child account deployers so it can apply changes to the permissions in the child accounts
- The parent account deployer needs a procedure / request that will loop through all DynamoDB records of active lambda apps and update the permissions on those lambdas in their child accounts
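The reconciliation the last three to-do items describe (parent publishes the role list, child deployer applies it to each app alias) can be expressed as a plan/apply step over the Lambda alias resource policy. The following is an added example, not code from microapps-deployer: it assumes the parent returns a plain list of role ARNs, marks the statements it owns with a `microapps-invoke-` Sid prefix so it never touches statements from other tooling, and optionally pins callers to an organization through `aws:PrincipalOrgID` (the `PrincipalOrgID` parameter of Lambda `AddPermission`). The `plan_permissions` function is pure and runs offline against the constructed sample policy; `apply_plan` takes any object with boto3's `add_permission` / `remove_permission` methods.

```python
import hashlib
import json
from dataclasses import dataclass, field

SID_PREFIX = "microapps-invoke-"      # marks statements this tool owns (assumption)
INVOKE_ACTION = "lambda:InvokeFunction"


@dataclass
class Plan:
    add: list = field(default_factory=list)     # add_permission kwargs, one per role
    remove: list = field(default_factory=list)  # StatementIds to remove first


def sid_for(role_arn: str) -> str:
    """Stable, StatementId-safe id derived from the role ARN (letters/digits/hyphen only)."""
    return SID_PREFIX + hashlib.sha256(role_arn.encode()).hexdigest()[:16]


def _expected_condition(org_id):
    # Condition block Lambda renders when AddPermission was given PrincipalOrgID.
    return {"StringEquals": {"aws:PrincipalOrgID": org_id}} if org_id else None


def plan_permissions(existing_policy, desired_roles, function_name, alias, org_id=None):
    """Diff the alias's current resource policy (GetPolicy 'Policy' string, or None)
    against the roles the parent account wants authorized."""
    desired = {sid_for(r): r for r in desired_roles}
    plan, satisfied = Plan(), set()
    statements = json.loads(existing_policy)["Statement"] if existing_policy else []
    for stmt in statements:
        sid = stmt.get("Sid", "")
        if not sid.startswith(SID_PREFIX):
            continue  # foreign statement: leave it alone
        principal = stmt.get("Principal", {}).get("AWS")
        in_sync = (
            sid in desired
            and principal == desired[sid]
            and stmt.get("Action") == INVOKE_ACTION
            and stmt.get("Condition") == _expected_condition(org_id)
        )
        if in_sync:
            satisfied.add(sid)
        else:
            plan.remove.append(sid)  # stale role, or drifted action/condition
    for sid, role_arn in desired.items():
        if sid in satisfied:
            continue
        kwargs = {
            "FunctionName": function_name,
            "Qualifier": alias,          # permissions are granted per app alias
            "StatementId": sid,
            "Action": INVOKE_ACTION,
            "Principal": role_arn,
        }
        if org_id:
            kwargs["PrincipalOrgID"] = org_id
        plan.add.append(kwargs)
    return plan


def apply_plan(lambda_client, function_name, alias, plan):
    """Apply the plan with a boto3 Lambda client (or any compatible object)."""
    for sid in plan.remove:
        lambda_client.remove_permission(
            FunctionName=function_name, Qualifier=alias, StatementId=sid
        )
    for kwargs in plan.add:
        lambda_client.add_permission(**kwargs)
    return len(plan.remove), len(plan.add)


# Constructed sample data: hypothetical account ids, role names and org id.
KEPT = "arn:aws:iam::111111111111:role/KeptEdgeRole"
STALE = "arn:aws:iam::111111111111:role/StaleRole"
DRIFT = "arn:aws:iam::111111111111:role/DriftRole"
NEW = "arn:aws:iam::111111111111:role/NewEdgeRole"
ORG = "o-exampleorgid"
FN = "arn:aws:lambda:us-east-1:222222222222:function:microapps-app"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        {"Sid": sid_for(KEPT), "Effect": "Allow", "Principal": {"AWS": KEPT},
         "Action": INVOKE_ACTION, "Resource": FN + ":v1",
         "Condition": _expected_condition(ORG)},
        {"Sid": sid_for(STALE), "Effect": "Allow", "Principal": {"AWS": STALE},
         "Action": INVOKE_ACTION, "Resource": FN + ":v1",
         "Condition": _expected_condition(ORG)},
        {"Sid": sid_for(DRIFT), "Effect": "Allow", "Principal": {"AWS": DRIFT},
         "Action": INVOKE_ACTION, "Resource": FN + ":v1"},  # missing org condition
        {"Sid": "SomeOtherTool", "Effect": "Allow",
         "Principal": {"Service": "apigateway.amazonaws.com"},
         "Action": INVOKE_ACTION, "Resource": FN + ":v1"},
    ],
})


def demo():
    """Plan for the sample alias: parent now wants KEPT, DRIFT and NEW authorized."""
    return plan_permissions(SAMPLE_POLICY, [KEPT, DRIFT, NEW], FN, "v1", org_id=ORG)


if __name__ == "__main__":
    p = demo()
    print("remove:", p.remove)
    print("add:", [s["Principal"] for s in p.add])
```

Running `demo()` removes the stale role's statement and the drifted one (no organization condition), re-adds the drifted role with the condition, adds the new role, keeps the in-sync role, and never touches the `SomeOtherTool` statement. Looping this over the active-app records from DynamoDB and calling `apply_plan` with the child account's Lambda client is the procedure the last item asks for.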