
Severe security vulnerability scanned by ScoutSuite on runner agent policy

Open narenaryan opened this issue 4 years ago • 13 comments

Hi,

We are using terraform-aws-gitlab-runner to spin up GitLab runners on our AWS account. As part of security auditing, a severe alert was raised on this policy created by the Terraform module: https://github.com/npalm/terraform-aws-gitlab-runner/blob/develop/policies/instance-docker-machine-policy.json#L21

The problem lies with permitting the iam:PassRole action on all resources. As per AWS Access Advisor, we can confirm that this action is not being used at all.

Therefore, can we remove this action from the policy to make the infrastructure more secure? If you think it should be fine, can I submit a PR for that?

narenaryan, Sep 09 '21 06:09

Have you tried to remove this action and see what happens?

EDIT: Did it. Let's wait >24h and some hundred jobs and check what happens.

kayman-mk, Sep 30 '21 18:09

@kayman-mk, functionality-wise, nothing happened on our side. Let us confirm from your run.

narenaryan, Oct 01 '21 08:10

I'd like to try it again on Monday as I updated to 4.30.0 and removed iam:PassRole. I had some trouble with the agents not being able to create the runners. Might they need this policy to pass the role to the runner (not 100% sure what this policy is good for)?

kayman-mk, Oct 01 '21 12:10

Off the top of my head, iam:PassRole is required on the agent instance to pass the role to the docker-machine instances.

npalm, Oct 01 '21 14:10

@npalm, I think so too. I had some problems getting the runners started without the iam:PassRole permission.

Maybe we can limit this permission to the specific role passed to the docker-machine runner instances?

kayman-mk, Oct 04 '21 07:10

@kayman-mk Sounds good to me to limit PassRole as much as possible. It seems you can limit PassRole to a specific resource, see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html

npalm, Oct 05 '21 20:10
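The policy shape the thread is discussing, and a small check for it, as an added example that is not code from this issue or from terraform-aws-gitlab-runner. The two policy documents are constructed to mirror the discussion (the wildcard PassRole grant and the grant limited to the one role handed to the docker-machine instances); the account ID, role name and the `iam:PassedToService` condition are assumptions, not taken from the module. The checker flags any Allow statement whose Action covers `iam:PassRole` (including `iam:*` and `*`) while its Resource still matches every role, which is the condition a scanner such as ScoutSuite reports on.

```python
"""Flag IAM policy statements that allow iam:PassRole on an unrestricted resource.

Added example for this thread, not code from terraform-aws-gitlab-runner.
The two policy documents below are constructed to mirror the discussion;
the account ID and role name are hypothetical.
"""
import fnmatch
import json

# Constructed: the shape of the finding, iam:PassRole on Resource "*".
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DockerMachine", "Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
        {"Sid": "PassRole", "Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
    ],
})

# Constructed: the same grant limited to the one role handed to the
# docker-machine instances (hypothetical ARN). The PassedToService condition
# is an extra hardening assumed here, not part of the module's fix.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DockerMachine", "Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
        {
            "Sid": "PassRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::123456789012:role/gitlab-runner-docker-machine",
            "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
        },
    ],
})


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_passrole(action_pattern):
    """True if an Action entry matches iam:PassRole.

    IAM action names are case-insensitive and '*' is a wildcard, so
    "iam:*", "*" and "iam:pass*" all cover it; "ec2:*" does not.
    """
    return fnmatch.fnmatchcase("iam:passrole", action_pattern.lower())


def _is_unrestricted_role(resource):
    """True for "*" or any ARN pattern that still matches every role."""
    return resource == "*" or resource.lower().endswith(":role/*")


def unscoped_passrole(policy_document):
    """Return the Allow statements granting iam:PassRole on an unrestricted resource.

    Accepts a JSON string or an already-parsed dict. A Condition does not
    clear the finding: iam:PassedToService limits which service may receive
    the role, not which role may be passed; only Resource does that.
    """
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        if not any(_covers_passrole(a) for a in _as_list(statement.get("Action"))):
            continue
        wide = [r for r in _as_list(statement.get("Resource")) if _is_unrestricted_role(r)]
        if wide:
            findings.append({"index": index, "sid": statement.get("Sid"), "resources": wide})
    return findings


if __name__ == "__main__":
    for name, document in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: {unscoped_passrole(document)}")
```

Run against the weak document it reports the second statement; against the scoped one it reports nothing. Note that `arn:aws:iam::123456789012:role/*` is also flagged: an account-wide role wildcard lets the agent hand any role in the account to an instance it launches, which is the privilege-escalation path PassRole findings are about.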

@narenaryan As soon as the PR gets merged, could you please recheck? At least AWS Config is not complaining about the policy. And we can't simply remove it.

kayman-mk, Oct 06 '21 19:10

@narenaryan Did you run your security check again? iam:PassRole has been limited to the role which is passed and no longer shows "*". This has been released with 4.31.1.

kayman-mk, Oct 14 '21 12:10

@narenaryan Did you have time to check the security issue?

npalm, Oct 19 '21 21:10

Hi @npalm, sorry for the delay, I am on vacation now. I will pass this to my team to get the role re-scanned.

narenaryan, Oct 22 '21 02:10

@narenaryan Any news here?

kayman-mk, Dec 28 '21 15:12

@narenaryan Any news here or can the issue be closed?

kayman-mk, Aug 20 '22 14:08

I won't be near my laptop for the next few weeks, so no updates from me.

npalm, Aug 20 '22 18:08

Closed due to missing feedback. Should have been fixed some months ago.

Please reopen the issue if still valid.

kayman-mk, Jan 08 '23 21:01