Skip to content

fix(eks): overly permissive trust policies #25580

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
May 16, 2023
Merged

fix(eks): overly permissive trust policies #25580

merged 8 commits into from
May 16, 2023
+20,108 −23,247

Conversation

iliapolo
Copy link
Contributor

@iliapolo iliapolo commented May 14, 2023
edited
Loading

Backporting #25473

The CreationRole and the default MastersRole use the account root principal in their trust policy, which is overly permissive. Instead, use the specific lambda handler roles that need it, and remove the default masters role.

BREAKING CHANGE: A masters role is no longer provisioned by default. Use the mastersRole property to explicitly pass a role that needs cluster access. In addition, the creation role no longer allows any identity (with the appropriate sts:AssumeRole permissions) to assume it.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@gitpod-io
Copy link

gitpod-io bot commented May 14, 2023

@github-actions github-actions bot added the p2 label May 14, 2023
@aws-cdk-automation aws-cdk-automation requested a review from a team May 14, 2023 18:22
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label May 14, 2023
iliapolo added 7 commits May 14, 2023 22:27
@iliapolo
remove unused import
e46aee7
@iliapolo
fix unit tests
564fae8
@iliapolo
remove debug
fb666b2
@iliapolo
snapshots
80f6158
@iliapolo
snapshots
582539b
@iliapolo
snapshots
3afdda4
@iliapolo
Merge branch 'v1-main' into epolon/v1-eks-creation-role-trust-policy

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode
0cd0cb8
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
  • Commit ID: 0cd0cb8
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@iliapolo iliapolo marked this pull request as ready for review May 16, 2023 06:10
@mergify
Copy link
Contributor

mergify bot commented May 16, 2023

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 0251d9a into v1-main May 16, 2023
@mergify mergify bot deleted the epolon/v1-eks-creation-role-trust-policy branch May 16, 2023 07:26
@iliapolo iliapolo mentioned this pull request May 22, 2023
Closed
@iliapolo iliapolo mentioned this pull request Jun 14, 2023
Merged
mergify bot pushed a commit that referenced this pull request Jun 14, 2023
@iliapolo
chore(eks): masters role docs (#25977)

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode
8ea3599 
The docs weren't appropriately changed after #25580

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@stackspotadmin stackspotadmin mentioned this pull request Feb 10, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rix0rrr rix0rrr

Assignees
No one assigned
Labels
contribution/core This is a PR that came from AWS. p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@iliapolo @aws-cdk-automation @rix0rrr