-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Permit non-prefix matching for bound_iam_role_arn #3261
Comments
Relevant matching code is here: vault/builtin/credential/aws/path_login.go Line 485 in a4f4e5b
|
Hi @pfhayes -- thinking super tactically, if you want to bind to the exact IAM role ARN, then you could just use the More broadly, I largely agree with your sentiment, and I think it would have been better to have made the prefix matching something users explicitly opt in to, e.g., by adding a wildcard at the end, which is how it'll work in 0.8.2 with the
If you can't get by with just using |
I feel ambiguous about all of those options. Not that they're bad, just that I see the pros and cons of each and am not sure. For the moment I'd like to see if your suggestion works for the OP and we can kick this down the road...unless you really feel like tackling this is a worthwhile thing anyways. |
Any of these solutions would work for me... to be honest the easiest thing to do on my end is just rename the roles :) Overall the prefix matching seems like quite a "gotcha" that could result in exposing permissions that users may not be aware of. I only noticed it incidentally while consulting the docs for something else. Furthermore someone might create a new IAM role whose name is a prefix of another and silently take on this behavior. for the benefit of those future users the autoupgrade solution seems the safest to me |
Hey @pfhayes -- just to be explicit, when you say that any of these solutions would work for you, does that also include using the iam auth type and switching to using
I totally agree, or somebody might create a role for which another role's name is a prefix and accidentally add access. But I'm also sympathetic with @jefferai's desire to kick the can down the road; it's not clear to me that transition cost is worth it. |
I didn't actually attempt switching to IAM. Switching to a new auth type seemed burdensome enough that I just renamed the roles |
@pfhayes Unless you really don't want ec2 inferencing, you're generally better off using the IAM method as you don't need to deal with whitelists and nonces. |
Was thinking about this while working on #3907 -- that PR introduces some backwards incompatibilities; if we're already biting the bullet of backwards-incompatible changes, it might make sense to do option 1 above and add another small incompatibility to the mix. The explicit role versioning I included in #3907 should make the internal upgrade path much more straightforward as well. Thoughts @jefferai? |
@joelthompson SGTM |
Feature Request:
Currently
bound_iam_role_arn
(andbound_iam_instance_profile_arn
) is validated by prefix matching, but we would like it to be an exact match because some roles may be prefixes of othersWould this be desirable? I'm happy to make a PR, but what would be the best way for this to manifest? As a new parameter on the Create Role endpoint that opts in to exact matching?
Environment:
The text was updated successfully, but these errors were encountered: