
aws - session policy support via cli #9416

Merged
merged 28 commits into from May 20, 2024

Conversation


@PratMis PratMis commented Apr 9, 2024

Closes #9404
Took a stab at it and this is an initial draft. I can go ahead and add tests etc. However, I have a few open questions from a design perspective:

  1. The CLI in this setup will only allow a JSON file. I haven't added a step where the JSON is validated, because AWS by default gives an error at the time of assume_role if the session policy JSON is a MalformedPolicyDocument.
     Tested with a bad JSON policy, and the traceback received was:
     `botocore.errorfactory.MalformedPolicyDocumentException: An error occurred (MalformedPolicyDocument) when calling the AssumeRole operation: Syntax errors in policy.`
  2. Is it worth allowing inline policies? IMO, it can get pretty messy.
  3. We could potentially add a step for input validation re: whether the input is a JSON file or not?

I also tested it with a good session policy.

[update] - This PR supports passing in a session policy JSON document alongside assume role. When used, it will only allow a subset of permissions on the role assumed. The goal is to allow stakeholders to use specific actions depending on what they feel comfortable with, vs. opening up the full role.
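The narrowing described in the update, as an added illustration that is not code from this PR or from cloud-custodian: a simplified, action-only model of how STS intersects the assumed role's policy with a session policy, plus the kind of client-side structural check open question 3 asks about. Both policy documents are constructed samples, and Resource, Condition and NotAction are ignored.

```python
import json
from fnmatch import fnmatchcase
# Constructed sample documents (not from the PR): the role's own identity
# policy, and a session policy passed alongside AssumeRole that narrows it.
ROLE_POLICY = '''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["ec2:*", "s3:GetObject"], "Resource": "*"}]}'''
SESSION_POLICY = '''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
  {"Effect": "Deny", "Action": "ec2:DescribeSnapshots", "Resource": "*"}]}'''

def parse_policy(text):
    """Parse a policy document and reject the structural errors that STS
    would otherwise report as MalformedPolicyDocument at AssumeRole time."""
    doc = json.loads(text)  # raises ValueError (JSONDecodeError) on bad JSON
    if not isinstance(doc, dict) or not isinstance(doc.get("Statement"), list):
        raise ValueError("policy must be a JSON object with a Statement list")
    for stmt in doc["Statement"]:
        if stmt.get("Effect") not in ("Allow", "Deny"):
            raise ValueError("Effect must be Allow or Deny")
        if "Action" not in stmt:
            raise ValueError("each statement needs an Action")
    return doc

def is_valid_policy(text):
    """Client-side pre-check (the PR's open question 3): does it parse?"""
    try:
        parse_policy(text)
        return True
    except ValueError:
        return False

def decision(doc, action):
    """Action-only evaluation: an explicit Deny wins, otherwise any matching
    Allow grants. Resource, Condition and NotAction are deliberately ignored."""
    allowed = False
    for stmt in doc["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        # IAM matches action names case-insensitively, with * wildcards.
        if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def effective_allow(role_doc, session_doc, action):
    """A session policy only narrows: the call is allowed only when both the
    role policy and the session policy allow it (their intersection)."""
    return decision(role_doc, action) and decision(session_doc, action)
```

With these samples the role alone permits `ec2:TerminateInstances`, but the session narrows the credentials to `ec2:Describe*` minus snapshots, which is the subset-only behaviour the update describes.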

@PratMis PratMis marked this pull request as ready for review May 7, 2024 04:39

PratMis commented May 9, 2024

@kapilt , whenever you get a chance can i get one more review please?

@PratMis PratMis changed the title aws - session policy support via custodian cli aws - session policy support via cli May 16, 2024

@kapilt kapilt left a comment


lgtm

@kapilt kapilt merged commit 79c8ff7 into cloud-custodian:main May 20, 2024
22 checks passed
@PratMis PratMis deleted the aws/cli@session-policy branch May 20, 2024 16:26
Successfully merging this pull request may close these issues.

Leverage IAM session policies to extend custodian actions to users safely
2 participants