aws - session policy support via cli #9416
Merged
+197
−4
kapilt reviewed Apr 16, 2024
PratMis commented Apr 24, 2024
PratMis commented May 7, 2024
tests/data/placebo/test_assumed_session_session_policy/sts.AssumeRole_1.json
@kapilt, whenever you get a chance, can I get one more review please?
PratMis force-pushed the aws/cli@session-policy branch from 9d506b4 to fc109e5, May 10, 2024 00:39
PratMis force-pushed the aws/cli@session-policy branch from b815670 to 0cb6be9, May 13, 2024 15:40
PratMis changed the title from "aws - session policy support via custodian cli" to "aws - session policy support via cli", May 16, 2024
kapilt reviewed May 17, 2024
kapilt approved these changes May 20, 2024
lgtm
Closes #9404
Took a stab at it and this is an initial draft. I can go ahead and add tests etc. However, I have a few open questions from a design perspective.
Tested with a bad JSON policy and the traceback received was:
botocore.errorfactory.MalformedPolicyDocumentException: An error occurred (MalformedPolicyDocument) when calling the AssumeRole operation: Syntax errors in policy.
I also tested it with a good session policy.
[update] - This PR supports passing in a session policy JSON document alongside assume role. When used, it will only allow a subset of permissions on the role assumed. The goal is to allow stakeholders to use specific actions depending on what they feel comfortable with vs. opening up the full role.
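The description above notes that a malformed session policy only surfaces as `MalformedPolicyDocument` from the AssumeRole call. The following is an added example, not code from this PR or from Cloud Custodian: a local pre-flight check that rejects a bad document before any API call and then passes the compacted policy to the boto3 `assume_role` `Policy` parameter. The function names, the sample policies and the set of checks are assumptions made for illustration; the 2,048-character figure is the STS limit on session policy plaintext.

```python
import json

MAX_POLICY_CHARS = 2048  # STS limit on session policy plaintext


def load_session_policy(text):
    """Local subset of checks; STS remains the authority on policy syntax."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"session policy is not valid JSON: {exc}") from None
    if not isinstance(doc, dict) or "Statement" not in doc:
        raise ValueError("session policy needs a top-level Statement")
    stmts = doc["Statement"]
    if isinstance(stmts, dict):  # a single statement object is allowed
        stmts = [stmts]
    if not isinstance(stmts, list):
        raise ValueError("Statement must be an object or a list of objects")
    for i, s in enumerate(stmts):
        if not isinstance(s, dict) or s.get("Effect") not in ("Allow", "Deny"):
            raise ValueError(f"statement {i}: Effect must be Allow or Deny")
        if not (s.keys() & {"Action", "NotAction"}):
            raise ValueError(f"statement {i}: missing Action/NotAction")
        if not (s.keys() & {"Resource", "NotResource"}):
            raise ValueError(f"statement {i}: missing Resource/NotResource")
    compact = json.dumps(doc, separators=(",", ":"))  # drop whitespace
    if len(compact) > MAX_POLICY_CHARS:
        raise ValueError(
            f"session policy is {len(compact)} chars, limit {MAX_POLICY_CHARS}")
    return compact


def assume_role_scoped(sts_client, role_arn, session_name, policy_text):
    """Assume the role with permissions capped by the session policy."""
    policy = load_session_policy(policy_text)  # fail before any API call
    resp = sts_client.assume_role(
        RoleArn=role_arn, RoleSessionName=session_name, Policy=policy)
    return resp["Credentials"]


# Constructed samples: a read-only session policy and a syntactically broken one.
GOOD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]
}"""
BAD_POLICY = '{"Version": "2012-10-17", "Statement": [}'
```

The resulting session can do only what both the role's own policies and the session policy allow; the session policy cannot grant anything the role lacks.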