Re: Creating a role in another tenant seems to be possible

On Fri, Jun 4, 2021 at 5:06 PM Daniel Iwan <iwan.daniel@xxxxxxxxx> wrote:

> Hi
>
> It seems that with a command like this
>
> aws --profile=my-user-tenant1 --endpoint=$HOST_S3_API --region="" iam
> create-role --role-name="tenant2\$TemporaryRole"
> --assume-role-policy-document file://json/trust-policy-assume-role.json
>
> I can create a role in another tenant.
> The executing user has the roles:* capability, which I think is necessary to be
> able to create roles, but at the same time it seems to be a global ability,
> for all tenants.
>
>
How did you check whether the role was created in tenant1 or tenant2?
It shouldn't be created in tenant2, if it is, then it's a bug, please open
a tracker issue for it.

> Similarly, a federated user who assumes a role with iam:CreateRole permission
> can create an arbitrary role like below.
>
> aws --endpoint=$HOST_S3_API --region="" iam create-role
> --role-name="tenant2\$TemporaryRole" --assume-role-policy-document
> file://json/trust-policy-assume-role.json
>
> Example permission policy
> {
> "Statement":[
> {"Effect":"Allow","Action":["iam:GetRole"]},
> {"Effect":"Allow","Action":["iam:CreateRole"]}
> ]
> }
>
What entity is this permission policy attached to? The user making the
CreateRole call?

> The capability roles:* is not needed in this case, which I think is correct,
> because only the permission policy of the assumed role is checked.
>
> Getting information about a role from other tenants is possible with
> iam:GetRole.
> This is less controversial, but I would still expect it to be scoped to the
> user's tenant unless an explicit tenant name is stated in the policy, like this
>
>
> {"Effect":"Allow","Action":["iam:GetRole"],"Resource":"arn:aws:iam::tenant2:*"}
>
> Possibly I'm missing something.
> Why is crossing tenants possible?
>
> Regards
> Daniel
>

Thanks,
Pritha

_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
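To make the scoping Daniel asks for concrete, here is an added Python model (not Ceph RGW's code) of a tenant-aware policy check: the `tenant$role` name form and the `arn:aws:iam::tenant2:*` Resource form are taken from the thread, while the rule that a statement without a Resource covers only the caller's own tenant is an assumption modelling the behaviour he expects, not what RGW actually implements.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleRef:
    tenant: str
    name: str

    @property
    def arn(self) -> str:
        # Assumed ARN layout: tenant in the account field, as in the
        # "arn:aws:iam::tenant2:*" form quoted in the thread.
        return f"arn:aws:iam::{self.tenant}:role/{self.name}"


def parse_role_name(role_name: str, caller_tenant: str) -> RoleRef:
    """'tenant$role' names a role in that tenant; a bare name is in the caller's."""
    if "$" in role_name:
        tenant, _, name = role_name.partition("$")
        return RoleRef(tenant, name)
    return RoleRef(caller_tenant, role_name)


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])


def is_allowed(policy: dict, action: str, role_name: str, caller_tenant: str) -> bool:
    """Assumed scoping rule (the behaviour the thread expects, not RGW's):
    a statement without Resource covers only the caller's own tenant, so
    crossing tenants needs an explicit Resource ARN; Deny wins over Allow."""
    target = parse_role_name(role_name, caller_tenant).arn
    own_tenant = f"arn:aws:iam::{caller_tenant}:*"
    allowed = False
    for st in policy.get("Statement", []):
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource", own_tenant))
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(target, r) for r in resources):
            continue
        if st.get("Effect") == "Deny":
            return False
        allowed = allowed or st.get("Effect") == "Allow"
    return allowed


# Constructed policies in the two shapes quoted in the thread.
UNSCOPED = {"Statement": [{"Effect": "Allow", "Action": ["iam:GetRole"]},
                          {"Effect": "Allow", "Action": ["iam:CreateRole"]}]}
SCOPED = {"Statement": [{"Effect": "Allow", "Action": ["iam:GetRole"],
                         "Resource": "arn:aws:iam::tenant2:*"}]}
```

Under this model the unscoped policy from the mail permits `iam:CreateRole` only for a bare role name in the caller's tenant, and the `tenant2$TemporaryRole` call is refused unless a statement names tenant2 explicitly.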