allow to register roles without any permission changes
Currently, when registering consumer roles, we have to select whether data.all manages them or the user manages them via IaC. If we select that data.all manages it, then it will automatically attach policies to it. If we select that the user is managing it, then they have to attach the policy, or otherwise they won't be able to use the role to create share requests.
There's however a special case in our organization. We have powerful roles that get created on every account and are managed centrally. These are commonly used administrative-type roles. Users tend to use them in data.all as well to get access cross-account. Problems appear when we allow data.all to manage these roles, because drift is immediately detected for these roles and policies are immediately removed. These roles are sufficiently powerful and they don't actually need any permissions from data.all.
Therefore, when registering a role I would like to specify: "This role does not need additional permissions or policies and is sufficiently powerful as is". Then data.all should not attach or create any policies for it and should not check when creating shares or doing health checks for these roles.
To clarify my understanding of this request - for these specific roles you want it such that:
- No `...-share-policy` is created and associated with the consumption role when onboarding
- No deletes of `...-share-policy` on removal
- No IAM policy updates on the role on share approve, verify, re-apply, revoke
- But still updates to bucket policy and key policy where applicable?

So these roles already have the necessary cross-account S3 and KMS resource access in IAM?
@noah-paige correct, these roles already have everything in IAM; they are effectively Administrator roles... They don't need any additional permissions. We would still need to update the bucket policy. What is important is that the user needs to consciously make that choice to select: I confirm this role is super powerful and I'm OK that data.all will not manage it for me.