
OIDC “iamlive CA” certificate is not trusted

Open satellite-no opened this issue 2 years ago • 4 comments

Hi, I'm trying to use iamlive to validate permissions in Terraform that builds an AWS EKS environment and sets up OIDC. It was working great until it got to the OIDC stuff and then failed with the below error.

Error:

 Error: Failed to identify fetch peer certificates
 
   with data.tls_certificate.shared-services_tls,
   on eks.tf line 22, in data "tls_certificate" "shared-services_tls":
   22: data "tls_certificate" "shared-services_tls" {
 
 failed to fetch certificates from URL 'https': Get
 "https://oidc.eks.us-east-1.amazonaws.com:443/id/3DDFA9B63C55CAF000453A371F8C30CB": x509: “iamlive CA” certificate is not
 trusted

Before failing, it output this policy perfectly 👍

{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:ListAllMyBuckets","s3:ListBucket","sts:GetCallerIdentity","iam:CreatePolicy","iam:CreateRole","ec2:CreateManagedPrefixList","ec2:CreateSecurityGroup","ec2:CreateSubnet","ec2:CreateTags","iam:GetPolicy","iam:AttachRolePolicy","iam:GetPolicyVersion","iam:GetRole","ec2:DescribeManagedPrefixLists","ec2:DescribeSecurityGroups","ec2:DescribeSubnets","iam:ListRolePolicies","iam:ListAttachedRolePolicies","iam:CreateInstanceProfile","ec2:ModifySubnetAttribute","iam:GetInstanceProfile","ec2:GetManagedPrefixListEntries","iam:AddRoleToInstanceProfile","iam:PassRole","ec2:RevokeSecurityGroupEgress","ec2:AuthorizeSecurityGroupIngress","ec2:AuthorizeSecurityGroupEgress","eks:CreateCluster","eks:DescribeCluster","eks:CreateAddon","eks:CreateNodegroup","eks:DescribeAddon","eks:DescribeNodegroup"],"Resource":"*"}]}

satellite-no, Feb 22 '23 22:02

Hey @satellite-no,

Thanks for raising!

Looks like you've found an interesting edge case. iamlive generally looks for any network traffic in the form *.amazonaws.com and attempts to interpret it as a Sigv4-signed API call. The data provider for this specific EKS endpoint matches that route but isn't a typical AWS API endpoint.

I've added a change in v0.51.1 to omit parsing this host format, but I also suspect that you'll have the same issue due to the global nature of the HTTP_PROXY environment variable. If the new release doesn't work for you, try adding export NO_PROXY=oidc.eks.us-east-1.amazonaws.com to your environment immediately before running Terraform.

Let me know how you go.

iann0036, Feb 23 '23 04:02

Thanks for the quick follow up @iann0036.

You're correct in your assumption; it still failed until I added the export NO_PROXY=oidc.eks.us-east-1.amazonaws.com. Fun turn of events when I did that, though: it removed almost all EKS-related permissions from the policy. That endpoint must be used for almost all EKS items, but only the OIDC part throws an issue?

Outputted policy:

{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:ListAllMyBuckets","sts:GetCallerIdentity","iam:CreateRole","iam:CreatePolicy","iam:GetPolicy","iam:AttachRolePolicy","iam:GetPolicyVersion","iam:GetRole","iam:ListRolePolicies","iam:ListAttachedRolePolicies","iam:CreateInstanceProfile","iam:GetInstanceProfile","iam:AddRoleToInstanceProfile","iam:PassRole","iam:CreateOpenIDConnectProvider","iam:GetOpenIDConnectProvider"],"Resource":"*"}]}

satellite-no, Feb 23 '23 21:02

Huh, how irritating.

Could it perhaps be that the new version is excluding somethingelsethatsanawsapi.eks.us-east-1.amazonaws.com? Because the change has no practical use, I'll revert it as v0.51.2. Maybe double check if that has the same effect.

iann0036, Feb 24 '23 00:02

Ahh good call!

I went to v0.51.2 and used the no_proxy, and I started to see the EKS IAM permissions again. It also completed without error. So the key for this is the export NO_PROXY=oidc.eks.us-east-1.amazonaws.com.

Updated Policy:

{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["sts:GetCallerIdentity","iam:CreateRole","iam:CreatePolicy","ec2:CreateManagedPrefixList","ec2:CreateSubnet","ec2:CreateTags","ec2:CreateSecurityGroup","iam:GetPolicy","iam:AttachRolePolicy","ec2:DescribeSecurityGroups","ec2:DescribeSubnets","iam:GetPolicyVersion","iam:GetRole","ec2:DescribeManagedPrefixLists","iam:ListRolePolicies","iam:ListAttachedRolePolicies","ec2:ModifySubnetAttribute","iam:CreateInstanceProfile","iam:GetInstanceProfile","ec2:GetManagedPrefixListEntries","iam:AddRoleToInstanceProfile","iam:PassRole","ec2:RevokeSecurityGroupEgress","ec2:AuthorizeSecurityGroupIngress","ec2:AuthorizeSecurityGroupEgress","eks:CreateCluster","eks:DescribeCluster","eks:CreateAddon","eks:CreateNodegroup","iam:CreateOpenIDConnectProvider","eks:DescribeAddon","iam:GetOpenIDConnectProvider","eks:DescribeNodegroup"],"Resource":"*"}]}

satellite-no, Feb 24 '23 15:02
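An added example, not code from the iamlive project or from anyone in this thread, illustrating why the NO_PROXY export above resolves the issue without hiding the EKS API calls: a POSIX shell matcher implementing the NO_PROXY rules Go programs such as Terraform use (an entry matches the host itself and its subdomains; a leading dot matches subdomains only), plus the environment such a run sets. The proxy address 127.0.0.1:10080 and the CA path ~/.iamlive/ca.pem are assumed iamlive defaults; check your install.

```shell
#!/bin/sh
# Added example (not iamlive's or Terraform's own code).
# proxy_bypassed HOST: prints "bypass" if HOST would skip the proxy under
# $NO_PROXY using Go's httpproxy rules, otherwise "proxy".
# (IP addresses, CIDR entries and host:port entries are not handled here.)
proxy_bypassed() {
    host=$1
    rest=$NO_PROXY
    while [ -n "$rest" ]; do
        case $rest in
            *,*) entry=${rest%%,*}; rest=${rest#*,} ;;
            *)   entry=$rest; rest= ;;
        esac
        entry=$(printf '%s' "$entry" | tr -d ' ')   # tolerate "a, b" lists
        [ -z "$entry" ] && continue
        if [ "$entry" = "*" ]; then echo bypass; return 0; fi
        case $entry in
            '*.'*) entry=${entry#'*'} ;;             # "*.x.com" means ".x.com"
        esac
        case $entry in
            .*) # leading dot: subdomains only, never the bare domain
                case $host in *"$entry") echo bypass; return 0 ;; esac ;;
            *)  # plain name: exact host or any subdomain of it
                if [ "$host" = "$entry" ]; then echo bypass; return 0; fi
                case $host in *".$entry") echo bypass; return 0 ;; esac ;;
        esac
    done
    echo proxy
}

# Environment for a Terraform run through iamlive's proxy mode (assumed
# defaults). AWS_CA_BUNDLE makes the AWS SDK trust the iamlive CA, but the
# tls_certificate data source uses the system trust store, so the OIDC
# discovery host (not a SigV4 API) is sent straight to AWS instead.
iamlive_env() {
    export HTTP_PROXY=http://127.0.0.1:10080
    export HTTPS_PROXY=http://127.0.0.1:10080
    export AWS_CA_BUNDLE="$HOME/.iamlive/ca.pem"
    export NO_PROXY=oidc.eks.us-east-1.amazonaws.com
}

# Demonstration: the OIDC host bypasses the proxy, the EKS API host does not.
iamlive_env
proxy_bypassed oidc.eks.us-east-1.amazonaws.com   # bypass
proxy_bypassed eks.us-east-1.amazonaws.com        # proxy
```

Run `iamlive_env` in the same shell right before `terraform apply`, as HTTP_PROXY and NO_PROXY are read by every process you start from it.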