
iam:User default tags require iam:UpdateUser on all users

Open bbung opened this issue 2 years ago • 1 comments

What happened?

With version 0.28.1 the provider needs access to iam:UpdateUser on all users to update tags. In 0.27.1 this could be limited to users with prefixes.

Role with 0.27.1:

    { "Action": [ … "iam:UpdateUser" ], "Effect": "Allow", "Resource": "arn:aws:iam::<AccountID>:user/prefix-*" }

Needed role with 0.28.1, 0.29.0:

    { "Action": [ … "iam:UpdateUser" ], "Effect": "Allow", "Resource": "arn:aws:iam::<AccountID>:user/" }

We do not want to give crossplane access to update all iam users just to update tags.

How can we reproduce it?

  • Create an iam User via crossplane
  • Remove iam:UpdateUser on crossplane provider role or limit to user with prefix

    { "Action": [ "iam:UpdateUser" ], "Effect": "Allow", "Resource": "arn:aws:iam::<AccountId>:user/prefix-*" }

  • Remove default tags via aws console from the iam user
  • See logs for debug messages

What environment did it happen in?

Crossplane version: 1.8.1, AWS EKS 1.21

bbung avatar Jul 15 '22 08:07 bbung

Do you have the failing log entry from cloud trail here? Are you talking about iam:TagUser / iam:UntagUser?

chlunde avatar Aug 08 '22 16:08 chlunde
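To see concretely what the prefix-scoped role from the report permits versus the broad one, and why the tag actions chlunde mentions need to be scoped alongside iam:UpdateUser, here is an added offline policy check (example code written for this page, not part of provider-aws or the reporter's setup). It uses a deliberately simplified IAM evaluator (Allow/Deny, action and resource wildcards only, no conditions) and the `<AccountID>` placeholder from the issue.

```python
import fnmatch

# Constructed policies mirroring the issue: the narrowed role the reporter used
# with 0.27.1 and the broad role needed with 0.28.1. <AccountID> is a placeholder.
NARROW_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["iam:UpdateUser", "iam:TagUser", "iam:UntagUser"],
    "Resource": "arn:aws:iam::<AccountID>:user/prefix-*"}]}
BROAD_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["iam:UpdateUser", "iam:TagUser", "iam:UntagUser"],
    "Resource": "arn:aws:iam::<AccountID>:user/*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # fnmatch also treats '[' as a character class, which IAM lacks, so escape it.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))

def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, else any matching Allow.
    Action names are case-insensitive in IAM; resource ARNs are case-sensitive."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def scope_report(policy, action, user_names):
    """Map each IAM user name to whether `action` on it is allowed by `policy`."""
    return {u: is_allowed(policy, action, f"arn:aws:iam::<AccountID>:user/{u}")
            for u in user_names}

if __name__ == "__main__":
    users = ["prefix-app", "prefix-ci", "admin", "break-glass"]  # constructed names
    for name, pol in (("narrow", NARROW_POLICY), ("broad", BROAD_POLICY)):
        print(name, scope_report(pol, "iam:TagUser", users))
```

Running it shows the narrow policy reaches only the `prefix-` users while the broad one covers every user in the account, which is the blast-radius difference the report objects to.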

Crossplane does not currently have enough maintainers to address every issue and pull request. This issue has been automatically marked as stale because it has had no activity in the last 90 days. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.

github-actions[bot] avatar Aug 23 '23 01:08 github-actions[bot]