Insights Experiences / HMS-1110

Add source permission validation check endpoint

    • Task
    • Resolution: Done
    • Provisioning
    • Sprint: Scrum Sprint 21, Scrum Sprint 22, Scrum Sprint 23, Scrum Sprint 24, Scrum Sprint 25, Scrum Sprint 26, EnVision Sprint 27, EnVision Sprint 28, EnVision Sprint 29, EnVision Sprint 30, EnVision Sprint 31, EnVision Sprint 32, EnVision Sprint 33, EnVision Sprint 34, EnVision Sprint 35, EnVision Sprint 36, EnVision Sprint 37, EnVision Sprint 38, EnVision Sprint 39, EnVision Sprint 40, EnVision Sprint 41, EnVision Sprint 42

As part of HMS-1107 we added the following permissions:

• GetPolicyVersion
• GetPolicy
• ListAttachedRolePolicies
• GetRolePolicy (for inline policies, in case the user attached permissions to the role inline)

This lets us build an endpoint that, for a given source id, returns whether all roles/permissions are set correctly and lists the permissions that are missing.

Here is how to do this with the AWS CLI (example for our ITAWS account, arn:aws:iam::399XXX895069:role/satellite-services-role). First, list the attached policies:

```
$ aws --profile saml iam list-attached-role-policies --role-name satellite-services-role
{
    "AttachedPolicies": [
        {
            "PolicyName": "satellite-runinstances-policy",
            "PolicyArn": "arn:aws:iam::399XXX895069:policy/satellite-runinstances-policy"
        }
    ]
}
```

Then find the policy's default version (DefaultVersionId):

```
$ aws --profile saml iam get-policy --policy-arn arn:aws:iam::399XXX895069:policy/satellite-runinstances-policy
{
    "Policy": {
        "PolicyName": "satellite-runinstances-policy",
        "PolicyId": "ANPAV2FE6SKOVYS4GMJVN",
        "Arn": "arn:aws:iam::399XXX895069:policy/satellite-runinstances-policy",
        "Path": "/",
        "DefaultVersionId": "v1",
        "AttachmentCount": 1,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "Description": "Policy for role, that allows running instances from ConsoleDot",
        "CreateDate": "2022-09-28T11:50:58Z",
        "UpdateDate": "2022-09-28T11:50:58Z",
        "Tags": [
            { "Key": "service", "Value": "provisioning" },
            { "Key": "team", "Value": "envision" }
        ]
    }
}
```

And finally, fetch the JSON policy document of that version:

```
$ aws --profile saml iam get-policy-version --policy-arn arn:aws:iam::399XXX895069:policy/satellite-runinstances-policy --version-id v1
{
    "PolicyVersion": {
        "Document": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "RedHatProvisioning",
                    "Effect": "Allow",
                    "Action": [
                        "ec2:CreateKeyPair",
                        "ec2:CreateTags",
                        "ec2:DeleteKeyPair",
                        "ec2:DeleteTags",
                        "ec2:DescribeAvailabilityZones",
                        "ec2:DescribeImages",
                        "ec2:DescribeInstanceTypes",
                        "ec2:DescribeInstances",
                        "ec2:DescribeKeyPairs",
                        "ec2:DescribeRegions",
                        "ec2:DescribeSecurityGroups",
                        "ec2:DescribeSnapshotAttribute",
                        "ec2:DescribeTags",
                        "ec2:ImportKeyPair",
                        "ec2:RunInstances",
                        "ec2:StartInstances"
                    ],
                    "Resource": "*"
                }
            ]
        },
        "VersionId": "v1",
        "IsDefaultVersion": true,
        "CreateDate": "2022-09-28T11:50:58Z"
    }
}
```

If a user did not follow our documentation and created an inline policy instead, an additional GetRolePolicy call returns the same kind of document. It should be called only if the previous calls do not return all expected values.

The endpoint should list the granted permissions and compare them against a list embedded in the backend, so that required permissions can be added over time.
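The comparison step the endpoint needs, as an added example that is not code from the ticket or the backend: the policy document captured above is re-typed as input, a hypothetical required-action list stands in for the one embedded in the backend, and the check handles wildcard actions, single-string Action values, explicit Deny and NotAction statements.

```python
import fnmatch
import json

# Constructed sample input: the policy document shown above under
# `iam get-policy-version`, re-typed here so the example runs offline.
SATELLITE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "RedHatProvisioning", "Effect": "Allow", "Action": [
    "ec2:CreateKeyPair", "ec2:CreateTags", "ec2:DeleteKeyPair", "ec2:DeleteTags",
    "ec2:DescribeAvailabilityZones", "ec2:DescribeImages", "ec2:DescribeInstanceTypes",
    "ec2:DescribeInstances", "ec2:DescribeKeyPairs", "ec2:DescribeRegions",
    "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshotAttribute", "ec2:DescribeTags",
    "ec2:ImportKeyPair", "ec2:RunInstances", "ec2:StartInstances"], "Resource": "*"}]}""")

# Hypothetical required list (the ticket keeps the real one in the backend).
# "ec2:StopInstances" is deliberately absent from the policy above.
REQUIRED_ACTIONS = ["ec2:RunInstances", "ec2:DescribeImages",
                    "ec2:CreateKeyPair", "ec2:StopInstances"]

def _as_list(value):
    """IAM allows a single string/object wherever a list is expected."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _matches(pattern, action):
    """IAM action names are case-insensitive and may carry '*' / '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _covers(stmt, action):
    """True if the statement applies to `action`, honouring Action vs NotAction."""
    if "NotAction" in stmt:
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_matches(p, action) for p in _as_list(stmt.get("Action")))

def missing_permissions(required, documents):
    """Return the required actions that no Allow statement grants or that an
    explicit Deny blocks. `documents` holds every policy document gathered for
    the role: attached ones (get-policy-version) and inline ones (get-role-policy,
    after list-role-policies has named them). Resource and Condition are ignored
    on purpose: this answers "is the action granted at all", not "on what"."""
    stmts = [s for doc in documents for s in _as_list(doc.get("Statement"))]
    missing = []
    for action in required:
        allowed = any(s.get("Effect") == "Allow" and _covers(s, action) for s in stmts)
        denied = any(s.get("Effect") == "Deny" and _covers(s, action) for s in stmts)
        if denied or not allowed:
            missing.append(action)
    return missing
```

Calling `missing_permissions(REQUIRED_ACTIONS, [SATELLITE_POLICY])` on the sample yields `['ec2:StopInstances']`; pass inline policy documents in the same list so one grant from either source satisfies a requirement.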

Anna Vitova (avitova), Lukáš Zapletal (rhn-engineering-lzapletal)