✨ feat(multi-tenant): add dynamic IAM roles per tenant for isolated resource access #1193

ito-haruto24-fixer

Summary

  • Implements dynamic IAM role creation and assumption for multi-tenant isolation
  • Adds tenant context throughout the authentication and data access layers
  • Provides strong security boundaries between tenants using AWS IAM

Key Features

1. Tenant Context in Authentication

  • Added custom tenantId attribute to Cognito User Pool
  • Updated user pool client to read tenant attributes
  • Tenant ID flows through JWT tokens to Lambda functions

2. Dynamic IAM Role Management

  • Created TenantRole construct for defining tenant-specific IAM policies
  • Implemented TenantManager for dynamic role creation/deletion
  • Lambda function manages tenant roles via CloudFormation custom resources

3. Tenant-Aware Lambda Utilities

  • tenantAuth.ts: Extract tenant ID and assume tenant-specific roles
  • bedrockClientTenant.ts: Initialize Bedrock clients with tenant credentials
  • tenantDynamoDB.ts: DynamoDB operations with tenant-prefixed partition keys
  • tenantS3.ts: S3 operations with tenant-prefixed object keys

4. Resource Isolation Strategies

  • DynamoDB: Partition key prefixing (tenantId#recordId)
  • S3: Object key prefixing (tenants/{tenantId}/...)
  • Bedrock: Role-based access with request tagging
  • IAM: Condition-based policies enforcing tenant boundaries

5. Tenant Onboarding

  • Automated tenant provisioning via onboardTenant Lambda
  • Creates IAM role, Cognito group, and admin user
  • Sets up initial tenant resources and permissions

Architecture Benefits

  • Strong Isolation: IAM policies prevent cross-tenant access at AWS service level
  • Scalability: Dynamic role creation supports unlimited tenants
  • Auditability: All actions tagged with tenant ID for CloudTrail
  • Flexibility: Per-tenant resource limits and permissions

Migration Path

  1. Add tenant attributes to existing Cognito users
  2. Create IAM roles for existing tenants
  3. Update Lambda functions to use tenant-aware utilities
  4. Migrate data to include tenant prefixes
  5. Enable dynamic role assumption

Testing

  • Unit tests for tenant utility functions
  • Integration tests for role assumption flow
  • End-to-end tests for tenant isolation

🤖 Generated with Claude Code

Co-Authored-By: Claude noreply@anthropic.com
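
An added example (not code from this PR or the project) showing how the tenant key prefixes and the condition-based IAM policy from the summary fit together; the bucket name and table ARN are assumed inputs, and the tenant ID validation is a defensive addition:

```typescript
// Added example, not project code. Tenant IDs become key prefixes and policy
// wildcards, so reject anything that could break out of the prefix
// (the separators '#' and '/', or IAM wildcard characters).
const TENANT_ID_RE = /^[A-Za-z0-9-]{1,64}$/;

function assertTenantId(tenantId: string): string {
  if (!TENANT_ID_RE.test(tenantId)) {
    throw new Error(`invalid tenantId: ${JSON.stringify(tenantId)}`);
  }
  return tenantId;
}

// DynamoDB partition key in the PR's tenantId#recordId form.
function tenantPartitionKey(tenantId: string, recordId: string): string {
  return `${assertTenantId(tenantId)}#${recordId}`;
}

// S3 object key in the PR's tenants/{tenantId}/... form; empty, "." and ".."
// segments are dropped so every key stays canonical under the prefix.
function tenantObjectKey(tenantId: string, objectKey: string): string {
  const segments = objectKey.split("/").filter((s) => s && s !== "." && s !== "..");
  return `tenants/${assertTenantId(tenantId)}/${segments.join("/")}`;
}

// Policy document for one tenant's role: the IAM condition keys, not the
// application code, enforce the boundary at the service level.
function tenantPolicyDocument(tenantId: string, bucket: string, tableArn: string) {
  const id = assertTenantId(tenantId);
  return {
    Version: "2012-10-17",
    Statement: [
      { Sid: "TenantDynamoDBRows", Effect: "Allow",
        Action: ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query", "dynamodb:DeleteItem"],
        Resource: tableArn,
        // Only items whose partition key starts with this tenant's prefix.
        Condition: { "ForAllValues:StringLike": { "dynamodb:LeadingKeys": [`${id}#*`] } } },
      { Sid: "TenantS3Objects", Effect: "Allow",
        Action: ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        Resource: `arn:aws:s3:::${bucket}/tenants/${id}/*` },
      { Sid: "TenantS3List", Effect: "Allow",
        Action: "s3:ListBucket",
        Resource: `arn:aws:s3:::${bucket}`,
        // Listing is limited to the tenant's own prefix.
        Condition: { StringLike: { "s3:prefix": [`tenants/${id}/*`] } } },
    ],
  };
}
```
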

muro-yuta24-fixer and others added 10 commits July 18, 2025 17:47
…gaixer

✨ Change the page title to `GaiXer`
…ated resource access

- Add tenant context to Cognito authentication with custom tenantId attribute
- Create CDK constructs for managing per-tenant IAM roles dynamically
- Implement tenant-aware Lambda utilities for role assumption
- Add DynamoDB helpers with tenant-based partition key isolation
- Implement S3 utilities with prefix-based tenant isolation
- Create tenant onboarding automation for new tenant setup
- Add comprehensive multi-tenant CDK stack example

This implementation provides strong tenant isolation using dynamic IAM roles,
ensuring each tenant can only access their own resources through AWS IAM
policies enforced at the service level.
@ito-haruto24-fixer ito-haruto24-fixer deleted the feature/dynamic-iam-roles-per-tenant branch July 24, 2025 08:09