
Commit 9969f0e

[SREP-1313] feat : Update isolation workflow to enforce policy Arn from backplane-api assume-role-sequence endpoint
1 parent acf0385 commit 9969f0e


4 files changed

+1087
-8
lines changed


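--- a/cmd/ocm-backplane/cloud/common.go
+++ b/cmd/ocm-backplane/cloud/common.go
@@ -18,6 +18,7 @@ import (
 "github.com/aws/aws-sdk-go-v2/aws/arn"
 "github.com/aws/aws-sdk-go-v2/credentials"
 "github.com/aws/aws-sdk-go-v2/service/sts"
+"github.com/aws/aws-sdk-go-v2/service/sts/types"
 ocmsdk "github.com/openshift-online/ocm-sdk-go"
 cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
 BackplaneApi "github.com/openshift/backplane-api/pkg/client"
@@ -211,6 +212,8 @@ func (cfg *QueryConfig) getCloudCredentialsFromBackplaneAPI(ocmToken string) (bp
 type assumeChainResponse struct {
 AssumptionSequence []namedRoleArn `json:"assumptionSequence"`
 CustomerRoleSessionName string `json:"customerRoleSessionName"`
+// SessionPolicyArn is the ARN of the session policy
+SessionPolicyArn string `json:"sessionPolicyArn"`
 }
 
 type namedRoleArn struct {
@@ -319,6 +322,24 @@ func (cfg *QueryConfig) getIsolatedCredentials(ocmToken string) (aws.Credentials
 } else {
 roleArnSession.RoleSessionName = email
 }
+// Default to no policy ARNs
+roleArnSession.PolicyARNs = []types.PolicyDescriptorType{}
+if namedRoleArnEntry.Name == CustomerRoleArnName {
+roleArnSession.IsCustomerRole = true
+// Add the session policy ARN for selected roles
+if roleChainResponse.SessionPolicyArn != "" {
+logger.Debugf("Adding session policy ARN for role %s: %s", namedRoleArnEntry.Name, roleChainResponse.SessionPolicyArn)
+roleArnSession.PolicyARNs = []types.PolicyDescriptorType{
+{
+Arn: aws.String(roleChainResponse.SessionPolicyArn),
+},
+}
+}
+} else {
+roleArnSession.IsCustomerRole = false
+}
+roleArnSession.Name = namedRoleArnEntry.Name
+
 assumeRoleArnSessionSequence = append(assumeRoleArnSessionSequence, roleArnSession)
 }
 
@@ -471,7 +492,7 @@ func isIsolatedBackplaneAccess(cluster *cmv1.Cluster, ocmConnection *ocmsdk.Conn
 if strings.HasSuffix(baseDomain, "devshiftusgov.com") || strings.HasSuffix(baseDomain, "openshiftusgov.com") {
 return false, nil
 }
-
+
 if cluster.Hypershift().Enabled() {
 return true, nil
 }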
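Review bot: In the third hunk (the block added after `roleArnSession.RoleSessionName = email`), an empty `SessionPolicyArn` for the customer role silently falls through to the default `PolicyARNs = []types.PolicyDescriptorType{}`, so the customer role is assumed with no session policy and only the positive path is logged, at debug level; given the commit's stated goal of enforcing the policy ARN, this looks fail-open, and the customer-role branch should either return an error from getIsolatedCredentials when the ARN is empty or at least log it at warning level, depending on whether backplane-api is allowed to omit the field. The value is also handed straight to `aws.String(...)` without validation, and the `arn` package is already imported in the first hunk, so a guard along the lines of `if !arn.IsARN(roleChainResponse.SessionPolicyArn) { return /* zero credentials */, fmt.Errorf("invalid session policy ARN for role %s", namedRoleArnEntry.Name) }` would reject a malformed response before STS sees it (the exact return values depend on the signature, which lies outside the hunk). As a matter of style, the `if`/`else` that sets `IsCustomerRole` can be collapsed to `roleArnSession.IsCustomerRole = namedRoleArnEntry.Name == CustomerRoleArnName`, leaving the inner `if` only for the policy attachment. getIsolatedCredentials begins and ends outside the hunk, and the fourth hunk is a whitespace-only change.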
