feat(plugins): implement AliCloud RAM plugin #190
Conversation
…187) * feat(plugins,domain): Implement MVP for Alicloud IAM plugin * feat(plugins,domain): Implement MVP for Alicloud IAM plugin patch * feat(plugins,domain): Implement Alicloud IAM plugin to dummy branch patch 2 * feat(plugins,domain): Implement Alicloud IAM plugin to dummy branch patch 3 * feat(plugins,domain): Implement Alicloud IAM plugin to dummy branch patch 4 * feat(plugins,domain): Implement Alicloud IAM plugin to dummy branch patch 5 * feat(plugins,domain): Implement Alicloud IAM plugin to dummy branch patch 6 * feat(plugins,domain): Implement Alicloud IAM plugin to dummy branch patch 7
anjali9791
requested review from
rahmatrhd,
Gadigeppa-J,
StewartJingga and
anjali9791
This occur because AliCloud SDK is using builder pattern when receiving and sending request to their own API. Because of this, we need to create a new client each time we invoking a request.
bearaujus
changed the title
| return nil | ||
| } | ||
|
|
||
| type Permission struct { |
There was a problem hiding this comment.
since the list of permissions are going to be stored in the appeals, and grants db, this has to implement .String() method as well, you can take reference from our existing tableau plugin here
guardian/plugins/providers/tableau/config.go
Lines 66 to 88 in df093f6
There was a problem hiding this comment.
Hi pak @rahmatrhd .. After validating the changes using this method. I think String() is not triggered
// This image is example policy on my local
But when I using my old method it was working fine.
There was a problem hiding this comment.
[TESTED] the String() string is not triggered. So I will remove this function 🙏
|
Hi pak @rahmatrhd, I have already done working with the comments, please kindly help to review again. |
bearaujus
changed the title
Testing
Ram Account
RAM Role
Requirements For Each Provider
Standalone RAM Account
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "ram:ListPolicies", "Resource": "*" }, { "Effect": "Allow", "Action": "ram:AttachPolicyToUser", "Resource": "*" }, { "Effect": "Allow", "Action": "ram:DetachPolicyFromUser", "Resource": "*" }, { "Effect": "Allow", "Action": "ram:AttachPolicyToRole", "Resource": "*" }, { "Effect": "Allow", "Action": "ram:DetachPolicyFromRole", "Resource": "*" } ] }Controller RAM Account
{ "Version": "1", "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": "*" } ] }Role That Will Be Assumed by Controller RAM Account
{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "RAM": [ "acs:ram::{CONTROLLER_MAIN_ACCOUNT_ID}:root" ] } } ], "Version": "1" }{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "ram:ListPolicies", "Resource": "*" }, { "Effect": "Allow", "Action": "ram:AttachPolicyToUser", "Resource": "*" }, { "Effect": "Allow", "Action": "ram:DetachPolicyFromUser", "Resource": "*" }, { "Effect": "Allow", "Action": "ram:AttachPolicyToRole", "Resource": "*" }, { "Effect": "Allow", "Action": "ram:DetachPolicyFromRole", "Resource": "*" } ] }Standard For Each Provider Creation
For Standalone Provider
{ "type": "alicloud_ram", "urn": "al-xxxx-id-x:500xxxxxxxxxxxxx", // using self main account id "allowed_account_types": [ "ramUser", "ramRole" ], "credentials": { "main_account_id": "500xxxxxxxxxxxxx", // using self main account id "access_key_id": "access_key_id (in base64)", "access_key_secret": "access_key_secret (in base64)", }, "appeal": { "allow_permanent_access": false, "allow_active_access_extension_in": "336h" }, "resources": [ { "type": "account", "policy": { "id": "alicloud_account_policy", "version": 1 }, "roles": [ { "id": "sample-role", "name": "Sample Role", "description": "Description for Sample Role", "permissions": [ { "name": "AliyunOSSReadOnlyAccess", "type": "System" }, { "name": "AliyunOSSFullAccess", "type": "System" }, { "name": "AliyunECSFullAccess", "type": "System" } ] }, { "id": "sample-role-2", "name": "Sample Role 2", "description": "Description for Sample Role 2", "permissions": [ { "name": "AliyunCloudMonitorFullAccess", "type": "System" } ] } ] } ] }For CROSS Provider
{ "type": "alicloud_ram", "urn": "al-xxxx-id-x:501xxxxxxxxxxxxx", // using role main account id "allowed_account_types": [ "ramUser", "ramRole" ], "credentials": { "main_account_id": "501xxxxxxxxxxxxx", // using role main account id "access_key_id": "access_key_id (in base64)", "access_key_secret": "access_key_secret (in base64)", "ram_role": "acs:ram::501xxxxxxxxxxxxx:role/role-name" // using role main account id }, "appeal": { "allow_permanent_access": false, "allow_active_access_extension_in": "336h" }, "resources": [ { "type": "account", "policy": { "id": "alicloud_account_policy", "version": 1 }, "roles": [ { "id": "sample-role", "name": "Sample Role", "description": "Description for Sample Role", "permissions": [ { "name": "AliyunOSSReadOnlyAccess", "type": "System" }, { "name": "AliyunOSSFullAccess", "type": "System" }, { "name": "AliyunECSFullAccess", "type": "System" } ] }, { "id": "sample-role-2", "name": "Sample Role 2", "description": "Description for Sample Role 2", "permissions": [ { "name": "AliyunCloudMonitorFullAccess", "type": "System" } ] } ] } ] }Example Requests
Create Appeal For RAM Account
{ "resources": [ { "id": "{{RESOURCE_ID}}", "role": "sample-role", "options": { "duration": "1h" }, "details": { "questions": { "What is the purpose of getting access to this role?": "Test" } } } ], "account_id": "example.user@500xxxxxxxxxxxxx.onaliyun.com", "account_type": "ram_user" }Create Appeal For RAM Role
{ "resources": [ { "id": "{{RESOURCE_ID}}", "role": "sample-role", "options": { "duration": "1h" }, "details": { "questions": { "What is the purpose of getting access to this role?": "Test" } } } ], "account_id": "role-name", "account_type": "ram_role" }