
ack eks controller: PassRole With Star In Resource

Open speedfl opened this issue 2 years ago • 5 comments

What is the URL of the document?

https://github.com/aws-controllers-k8s/eks-controller/blob/main/config/iam/recommended-inline-policy

Which section(s) is the issue in?

iam:PassRole

What needs fixing?

PassRole With Star In Resource: Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.

We should use least privilege. Could you please recommend the correct service to which it can pass the role?

Additional context

speedfl avatar Sep 08 '23 13:09 speedfl
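A check for the pattern the finding above describes, added here as an example that is not part of this issue or of the eks-controller repository: it flags Allow statements that grant iam:PassRole on a wildcard Resource without an iam:PassedToService condition, and shows the hardened shape the finding recommends. The service value eks.amazonaws.com is an assumption for illustration, not something the thread confirms.

```python
import copy
import fnmatch

# Constructed sample: the statement shape the "PassRole With Star In Resource" check flags.
WEAK_STATEMENT = {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"}

# Hardened variant: same action, wildcard Resource kept (the controller cannot know the role
# ARNs in advance), but limited to roles passed to one service. The service is an assumption.
HARDENED_STATEMENT = {
    "Effect": "Allow",
    "Action": ["iam:PassRole"],
    "Resource": "*",
    "Condition": {"StringEquals": {"iam:PassedToService": "eks.amazonaws.com"}},
}


def _as_list(value):
    # IAM allows a single string or a list for Action, Resource, etc.
    return value if isinstance(value, list) else [value]


def _grants_passrole(action: str) -> bool:
    # IAM action names are case-insensitive; "*", "iam:*" and "iam:Pass*" all cover PassRole.
    return fnmatch.fnmatchcase("iam:passrole", action.lower())


def _has_passed_to_service(stmt: dict) -> bool:
    # Condition is {operator: {key: value}}; condition keys are case-insensitive too.
    for keys in stmt.get("Condition", {}).values():
        if any(k.lower() == "iam:passedtoservice" for k in keys):
            return True
    return False


def passrole_star_findings(policy: dict) -> list:
    """Return indices of Allow statements granting iam:PassRole on a Resource containing
    a wildcard with no iam:PassedToService condition (the finding quoted in this issue)."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_grants_passrole(a) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any("*" in r for r in _as_list(stmt.get("Resource", []))):
            continue
        if not _has_passed_to_service(stmt):
            findings.append(i)
    return findings


def harden(stmt: dict, service: str) -> dict:
    """Return a copy of the statement restricted with iam:PassedToService (remediation)."""
    fixed = copy.deepcopy(stmt)
    fixed.setdefault("Condition", {}).setdefault("StringEquals", {})["iam:PassedToService"] = service
    return fixed


if __name__ == "__main__":
    print(passrole_star_findings({"Statement": [WEAK_STATEMENT, HARDENED_STATEMENT]}))  # [0]
```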

@speedfl would you be interested in contributing to the eks controller repository? happy to help if needed

a-hilaly avatar Sep 08 '23 17:09 a-hilaly

Hey @a-hilaly thanks a lot for the proposal but unfortunately I don't think I'll have time. I am already contributing actively to Argo project.

speedfl avatar Sep 09 '23 21:09 speedfl

I'm not sure if we can give any more granular details because our inline policy is generic advice about what your IAM policy will require. We don't know the exact role ARNs that will be attached to API requests. I think it would be odd if we prescribed a subset of ARNs (not using a wildcard) generically?

RedbackThomson avatar Sep 13 '23 17:09 RedbackThomson

Issues go stale after 180d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 60d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle stale

ack-bot avatar Mar 11 '24 19:03 ack-bot

Issues go stale after 180d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 60d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle stale

ack-bot avatar Sep 07 '24 22:09 ack-bot

Stale issues rot after 60d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 60d of inactivity. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle rotten

ack-bot avatar Nov 06 '24 23:11 ack-bot

Rotten issues close after 60d of inactivity. Reopen the issue with /reopen. Provide feedback via https://github.com/aws-controllers-k8s/community. /close

ack-bot avatar Jan 06 '25 00:01 ack-bot

@ack-bot: Closing this issue.

In response to this:

Rotten issues close after 60d of inactivity. Reopen the issue with /reopen. Provide feedback via https://github.com/aws-controllers-k8s/community. /close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

ack-prow[bot] avatar Jan 06 '25 00:01 ack-prow[bot]