binaryalert
Deploy errors using the IAM Group
Background
Deployments by AWS users in the IAM Group do not appear to be working.
Detailed below are the setup steps I went through while debugging this.
Am I missing something?
Steps to Reproduce
I downloaded the IAM Group Terraform file from the [setup documentation] locally and replaced the account and prefix variable values, then created the IAM Group with Terraform. I then created a new deploy user, added it to the group, and ran ./manage.py deploy.

The first deployment returned two "…not authorized to perform kms:TagResource" errors. I saw the comment about adding the generated KMS keys to the IAM Group Terraform file, but it seemed a little strange to need to go back and modify that file after the fact with any hard-coded values, so I added the kms:TagResource action to the relevant statement and updated the IAM Group's policy with Terraform. Deploying again returned a "MalformedPolicyDocumentException" error, which appears to be a known issue with this Terraform provider? Running the deploy step again got past that error but then returned a "…not authorized to perform lambda:CreateEventSourceMapping" error, at which point I ended up giving up and deploying with an admin account.
Desired Change
The least-privilege permissions Terraform file creates a working policy for deploy users.
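The issue above is a least-privilege gap: the deploy runs fine as an admin but fails action by action (kms:TagResource, then lambda:CreateEventSourceMapping) under the group policy. The following is an added example, not code from the binaryalert project, that evaluates a list of (action, resource) requests against an IAM identity policy document with IAM's wildcard and explicit-Deny rules and reports the gaps, so the policy can be corrected before the next ./manage.py deploy. The sample policy, account id, key id and the list of requests a deploy makes are constructed assumptions for illustration, not the project's real policy; in particular, lambda:CreateEventSourceMapping is modelled as a request against resource "*" to show how a statement scoped to function ARNs fails to cover it.

```python
"""
Least-privilege gap check for an IAM identity policy (added example).

Given the actions a deployment attempts, report which ones the policy
does not allow (or explicitly denies), then show the policy with the
missing Allow added.  Models only Action/Resource/Effect; NotAction,
NotResource and Condition are rejected rather than silently ignored.
"""
import fnmatch
import json

ACCOUNT = "123456789012"  # constructed sample account id

# Constructed sample resembling a trimmed deploy-user policy (assumption;
# the real binaryalert file in the setup documentation is more extensive).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["kms:CreateKey", "kms:CreateAlias", "kms:DescribeKey",
                    "kms:EnableKeyRotation", "kms:GetKeyPolicy",
                    "kms:GetKeyRotationStatus", "kms:ListResourceTags"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "lambda:*",
         "Resource": f"arn:aws:lambda:*:{ACCOUNT}:function:example_prefix_*"},
    ],
})

# Constructed (action, resource) requests a deploy might issue; the
# resources are assumptions, chosen to illustrate the two failure modes.
DEPLOY_REQUESTS = [
    ("kms:CreateKey", "*"),
    ("kms:TagResource", f"arn:aws:kms:us-east-1:{ACCOUNT}:key/EXAMPLE-KEY-ID"),
    ("lambda:CreateFunction",
     f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:example_prefix_analyzer"),
    ("lambda:CreateEventSourceMapping", "*"),
]


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _load(policy):
    return json.loads(policy) if isinstance(policy, str) else policy


def evaluate(policy, action, resource):
    """Return 'allow', 'deny' or 'implicit_deny' for one request.

    Applies the IAM rules that matter here: '*' and '?' wildcards, action
    names matched case-insensitively, resource ARNs case-sensitively, and
    an explicit Deny overriding any Allow.
    """
    allowed = False
    for stmt in _as_list(_load(policy)["Statement"]):
        for unsupported in ("NotAction", "NotResource", "Condition"):
            if unsupported in stmt:
                raise NotImplementedError(f"{unsupported} is not modelled")
        if not any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                   for pat in _as_list(stmt.get("Action"))):
            continue
        if not any(fnmatch.fnmatchcase(resource, pat)
                   for pat in _as_list(stmt.get("Resource"))):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"          # explicit Deny wins regardless of order
        allowed = True
    return "allow" if allowed else "implicit_deny"


def missing_permissions(policy, requests):
    """List (action, resource, verdict) for every request not allowed."""
    gaps = []
    for action, resource in requests:
        verdict = evaluate(policy, action, resource)
        if verdict != "allow":
            gaps.append((action, resource, verdict))
    return gaps


def with_added_allow(policy, actions, resource="*"):
    """Return the policy (as JSON) with one extra Allow statement.

    Same kind of change as adding kms:TagResource to the group policy in
    the issue; scope `resource` more tightly than "*" wherever the action
    supports resource-level permissions.
    """
    doc = dict(_load(policy))
    doc["Statement"] = _as_list(doc["Statement"]) + [
        {"Effect": "Allow", "Action": sorted(set(actions)), "Resource": resource}
    ]
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    gaps = missing_permissions(SAMPLE_POLICY, DEPLOY_REQUESTS)
    for action, resource, verdict in gaps:
        print(f"{verdict:14} {action:36} on {resource}")
    fixed = with_added_allow(SAMPLE_POLICY, [a for a, _, _ in gaps])
    print("remaining gaps after fix:", missing_permissions(fixed, DEPLOY_REQUESTS))
```

Run stand-alone it lists kms:TagResource and lambda:CreateEventSourceMapping as implicit denies, then shows no gaps once an Allow for those actions is appended. The second gap is the instructive one: the sample's lambda:* statement is scoped to function ARNs, so it never matches a request made against "*", which is why a broad action wildcard can still leave a deploy failing.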
Same here!
OK, I think I found the culprit, in terraform/kms.tf

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.aws_account_id}:root"]
    }

the root is simply assumed as a default, while in my case the user ARN is "arn:aws:iam::${var.aws_account_id}:user/foobar"

So I changed it to

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.aws_account_id}:${var.aws_account_name}"]
    }

and defined aws_account_name in terraform/variables.tf and terraform/terraform.tfvars accordingly. Will push a PR soon with this and lots of other mods ;-) stay tuned!