Add support for ARNs with paths. #103

Merged 1 commit on Jun 22, 2018

mattlandis
Contributor

IAM ARNs can have paths (ex.
arn:aws:iam::123456789012:assumed-role/org/team/rolename/session). When
normalizing the assumed role the output only contained the first part of
the path after assumed-role.

This should fix #98.

Signed-off-by: Matt Landis <matlan@amazon.com>
@christopherhein
Member

👏 👏 👏 Nice work @mattlandis

@nckturner
Contributor

Looks good to me.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jun 22, 2018
@nckturner nckturner merged commit 5232e35 into kubernetes-sigs:master Jun 22, 2018
Contributor

@nckturner nckturner left a comment

👍

@jpb
jpb commented Aug 29, 2018

Has anyone had success using IAM roles with paths with this fix? From what I've seen anecdotally, assumed roles do not encode the role's path in their ARN, and AWS documentation appears to confirm this:

Assumed role ARN format:

arn:${Partition}:iam::${Account}:assumed-role/${RoleName}/${RoleSessionName}

compared to the role ARN format:

arn:${Partition}:iam::${Account}:role/${RoleNameWithPath}

@M00nF1sh
Contributor

I have tested it; it works, with some caveats:
Suppose I have a role named arn:aws:iam::283511030707:role/dev/product/m00nf1sh. I need to configure mapRoles with arn:aws:iam::283511030707:role/m00nf1sh instead of arn:aws:iam::283511030707:role/dev/product/m00nf1sh to make it work. (This can cause potential privilege escalation.)

BTW, in the PR, parts[len(parts)] is the SessionName; it should be parts[len(parts)-1] is the SessionName. And arn:aws:sts::123456789012:assumed-role/Org/Team/Admin/Session should be arn:aws:sts::123456789012:assumed-role/Admin/Session (since assumed-role doesn't contain a path).
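
The mismatch discussed in the last two comments, as an added Go example that is not part of this thread and is not the project's own code: it canonicalizes a caller ARN to an IAM role ARN and flags mapRoles keys that carry a path. The helper names `canonicalRoleARN` and `keyHasPath` are hypothetical, and the sample ARNs are constructed from the ones quoted above.

```go
package main

import (
	"fmt"
	"strings"
)

// canonicalRoleARN (hypothetical helper) turns the caller ARN returned by STS
// into the IAM role ARN that a mapRoles key is compared against.
func canonicalRoleARN(arn string) (string, error) {
	f := strings.SplitN(arn, ":", 6)
	if len(f) != 6 || f[0] != "arn" {
		return "", fmt.Errorf("malformed ARN %q", arn)
	}
	parts := strings.Split(f[5], "/")
	switch parts[0] {
	case "role":
		return arn, nil
	case "assumed-role":
		if len(parts) < 3 {
			return "", fmt.Errorf("assumed-role ARN %q lacks a role or session name", arn)
		}
		// The last element, parts[len(parts)-1], is the session name; the
		// elements between "assumed-role" and it form the role name.
		role := strings.Join(parts[1:len(parts)-1], "/")
		return fmt.Sprintf("arn:%s:iam::%s:role/%s", f[1], f[4], role), nil
	}
	return "", fmt.Errorf("unsupported resource in %q", arn)
}

// keyHasPath (hypothetical lint) reports whether a mapRoles key carries a
// role path. If assumed-role ARNs carry no path, as the format quoted in the
// thread states, such a key never equals a canonicalized caller ARN.
func keyHasPath(roleARN string) bool {
	i := strings.Index(roleARN, ":role/")
	return i >= 0 && strings.Contains(roleARN[i+len(":role/"):], "/")
}

func main() {
	// Constructed sample values built from the ARNs quoted in this thread.
	caller := "arn:aws:sts::123456789012:assumed-role/rolename/session"
	got, _ := canonicalRoleARN(caller)
	for _, key := range []string{
		"arn:aws:iam::123456789012:role/org/team/rolename",
		"arn:aws:iam::123456789012:role/rolename",
	} {
		fmt.Printf("key=%s hasPath=%v matches=%v\n", key, keyHasPath(key), key == got)
	}
}
```

Running such a check over mapRoles keys at configuration load time surfaces entries that silently never match, instead of leaving operators to discover the failed mapping at login.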

Successfully merging this pull request may close these issues.

Error matching iam role when role uses a path