From d939da7bdea02df81078e87d478a24b457998d70 Mon Sep 17 00:00:00 2001
From: Andrew Magana
Date: Fri, 5 Jun 2020 23:36:44 -0400
Subject: [PATCH 1/5] We are now validating for MIs, added some comments too. Also changed the parameter name as it is more correct now.
---
 config.go | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/config.go b/config.go
index 9eede147..7f84c929 100644
--- a/config.go
+++ b/config.go
@@ -174,9 +174,15 @@ func getPluginVersion() string {
 return "unknown"
 }
-func isValidIAM(cident *string) bool {
-
- if strings.Contains(*cident, "assumed-role/Admin/") || strings.Contains(*cident, "assumed-role/IAMAdmin/") {
+func isValidIAM(arn *string) bool {
+
+ /*
+ Validates ARN for assumed-role of:
+ - Admin
+ - IAMAdmin
+ -Machine Identities.
+ */
+ if strings.Contains(*arn, "assumed-role/Admin/") || strings.Contains(*arn, "assumed-role/IAMAdmin/") || (strings.Contains(*arn, "arn:aws:sts::") && strings.Contains(*arn, "assumed-role/")) {
 return true
 }
From 34890282e3ebffe06dca6f547c1f279955bcac1c Mon Sep 17 00:00:00 2001
From: Andrew Magana
Date: Mon, 8 Jun 2020 08:37:51 -0400
Subject: [PATCH 2/5] Little less strict.
---
 config.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config.go b/config.go
index 7f84c929..781740ab 100644
--- a/config.go
+++ b/config.go
@@ -182,7 +182,7 @@ func isValidIAM(arn *string) bool {
 - IAMAdmin
 -Machine Identities.
 */
- if strings.Contains(*arn, "assumed-role/Admin/") || strings.Contains(*arn, "assumed-role/IAMAdmin/") || (strings.Contains(*arn, "arn:aws:sts::") && strings.Contains(*arn, "assumed-role/")) {
+ if strings.Contains(*arn, "assumed-role/Admin/") || strings.Contains(*arn, "assumed-role/IAMAdmin/") || strings.Contains(*arn, "arn:aws:sts::") {
 return true
 }
From 03d908fdea45c697efa41ad5eace431a1927d248 Mon Sep 17 00:00:00 2001
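Review bot: The third clause added to the `if` in isValidIAM, `(strings.Contains(*arn, "arn:aws:sts::") && strings.Contains(*arn, "assumed-role/"))`, is true for every STS assumed-role ARN, so the Admin/IAMAdmin restriction on the same line no longer restricts anything for STS sessions, and nothing here tells a Machine Identity role apart from any other assumed role even though the new comment says MIs are validated. The same weakness applies to the 2/5 hunk below, which drops even the `assumed-role/` condition; 3/5 in this series replaces the substring test with an API lookup, so both interim commits accept any STS session. If a local shape check is kept, `strings.HasPrefix(*arn, "arn:aws:sts::")` expresses the intent better than `Contains`, which also matches the marker anywhere inside the string. The function's final return and closing brace are outside the hunk.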
From: Andrew Magana
Date: Mon, 8 Jun 2020 09:58:39 -0400
Subject: [PATCH 3/5] Call endpoint to validate MI from interactive user (ALKS user).
---
 config.go | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/config.go b/config.go
index 781740ab..dfc8ca44 100644
--- a/config.go
+++ b/config.go
@@ -146,15 +146,15 @@ providing credentials for the ALKS Provider`)
 return nil, serr
 }
+ // got good creds, create alks sts client
+ client, err := alks.NewSTSClient(c.URL, cp.AccessKeyID, cp.SecretAccessKey, cp.SessionToken)
+
 // check if the user is using a assume-role IAM admin session
- if isValidIAM(cident.Arn) != true {
+ if isValidIAM(cident.Arn, client) != true {
 return nil, errors.New("Looks like you are not using ALKS IAM credentials. This will result in errors when creating roles. \n " +
 "Note: If using ALKS CLI to get credentials, be sure to use the '-i' flag. \n Please see https://coxautoinc.sharepoint.com/sites/service-internal-tools-team/SitePages/ALKS-Terraform-Provider---Troubleshooting.aspx for more information.")
 }
- // got good creds, create alks sts client
- client, err := alks.NewSTSClient(c.URL, cp.AccessKeyID, cp.SecretAccessKey, cp.SessionToken)
-
 if err != nil {
 return nil, err
 }
@@ -174,15 +174,22 @@ func getPluginVersion() string {
 return "unknown"
 }
-func isValidIAM(arn *string) bool {
+func isValidIAM(arn *string, client *alks.Client) bool {
 /*
 Validates ARN for assumed-role of:
 - Admin
 - IAMAdmin
- -Machine Identities.
+ - Machine Identities.
 */
- if strings.Contains(*arn, "assumed-role/Admin/") || strings.Contains(*arn, "assumed-role/IAMAdmin/") || strings.Contains(*arn, "arn:aws:sts::") {
+ if strings.Contains(*arn, "assumed-role/Admin/") || strings.Contains(*arn, "assumed-role/IAMAdmin/") {
+ return true
+ } else if strings.Contains(*arn, "arn:aws:sts::") {
+ // Check if MI...
+ _, err := client.SearchRoleMachineIdentity(*arn)
+ if err != nil {
+ return false
+ }
 return true
 }
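Review bot: `client, err := alks.NewSTSClient(...)` now runs before `isValidIAM(cident.Arn, client)`, but its `if err != nil` check stays below the validation call, so when construction fails the (presumably nil) `client` is handed to isValidIAM, which in this same commit calls `client.SearchRoleMachineIdentity` on it — a panic instead of the intended error return. Move the check up so the three lines `if err != nil {` / `return nil, err` / `}` directly follow the `NewSTSClient` call, ahead of the `// check if the user ...` comment. While here, `if isValidIAM(cident.Arn, client) != true {` reads more idiomatically as `if !isValidIAM(cident.Arn, client) {`. The enclosing function starts and ends outside this hunk.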
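Review bot: In the new `else if` branch every error from `client.SearchRoleMachineIdentity(*arn)` becomes `return false`, so a transient network or API failure reaches the user as the caller's 'not using ALKS IAM credentials' message, which hides the real cause and makes the failure hard to troubleshoot. Consider returning the error, e.g. `func isValidIAM(arn *string, client *alks.Client) (bool, error)`, with the single caller (the first hunk of this commit) reporting it; at minimum a comment such as `// Any lookup error is treated as "not an MI"; the caller cannot tell it from a real mismatch.` above `if err != nil` makes the choice explicit. Nothing guards `client` against being nil, which the caller can pass in when `NewSTSClient` fails. The function's final `return false` and closing brace lie outside the hunk.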
From 5587d3ec38d419bdfc6e49c04c954f95e70964cc Mon Sep 17 00:00:00 2001
From: Andrew Magana
Date: Tue, 9 Jun 2020 09:34:43 -0400
Subject: [PATCH 4/5] Removed redundant ARN check. This SHOULD be good now.
---
 config.go | 30 ++++++++++++++----------------
 1 file changed, 14 insertions(+), 16 deletions(-)
diff --git a/config.go b/config.go
index dfc8ca44..71ee4baa 100644
--- a/config.go
+++ b/config.go
@@ -149,7 +149,7 @@ providing credentials for the ALKS Provider`)
 // got good creds, create alks sts client
 client, err := alks.NewSTSClient(c.URL, cp.AccessKeyID, cp.SecretAccessKey, cp.SessionToken)
- // check if the user is using a assume-role IAM admin session
+ // check if the user is using a assume-role IAM admin session or MI.
 if isValidIAM(cident.Arn, client) != true {
 return nil, errors.New("Looks like you are not using ALKS IAM credentials. This will result in errors when creating roles. \n " +
 "Note: If using ALKS CLI to get credentials, be sure to use the '-i' flag. \n Please see https://coxautoinc.sharepoint.com/sites/service-internal-tools-team/SitePages/ALKS-Terraform-Provider---Troubleshooting.aspx for more information.")
@@ -174,24 +174,22 @@ func getPluginVersion() string {
 return "unknown"
 }
+/*
+ Validates ARN for assumed-role of:
+ - Admin
+ - IAMAdmin
+ - Machine Identities.
+*/
 func isValidIAM(arn *string, client *alks.Client) bool {
-
- /*
- Validates ARN for assumed-role of:
- - Admin
- - IAMAdmin
- - Machine Identities.
- */
+ // Check if Admin || IAMAdmin
 if strings.Contains(*arn, "assumed-role/Admin/") || strings.Contains(*arn, "assumed-role/IAMAdmin/") {
 return true
- } else if strings.Contains(*arn, "arn:aws:sts::") {
- // Check if MI...
- _, err := client.SearchRoleMachineIdentity(*arn)
- if err != nil {
- return false
- }
- return true
 }
- return false
+ // Check if MI...
+ _, err := client.SearchRoleMachineIdentity(*arn)
+ if err != nil {
+ return false
+ }
+ return true
 }
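Review bot: The `/* ... */` block moved above `func isValidIAM` now serves as its doc comment, and Go convention is `//` lines beginning with the name, e.g. `// isValidIAM reports whether arn is an assumed-role Admin/IAMAdmin session or, failing that, a Machine Identity known to the ALKS API.`, with the `- Admin` list folded into that sentence. Removing the `else if strings.Contains(*arn, "arn:aws:sts::")` guard also changes behaviour: every ARN that is not Admin/IAMAdmin now triggers `client.SearchRoleMachineIdentity`, including non-STS shapes that previously returned false without a call, so the doc comment should say the lookup is the fallback for any other ARN. The `// Check if MI...` comment would be more useful stating what an error means here, e.g. `// Any lookup error, including transient API failures, is reported as not an MI.`.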
From 5e76f2fc919fd04936e40ca78007cfeb3263160b Mon Sep 17 00:00:00 2001
From: Andrew Magana
Date: Tue, 9 Jun 2020 11:42:43 -0400
Subject: [PATCH 5/5] Formatting the MI arn so we can appropriately check the ARN against our API.
---
 config.go | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/config.go b/config.go
index 71ee4baa..1b313a95 100644
--- a/config.go
+++ b/config.go
@@ -14,7 +14,7 @@ import (
 "github.com/aws/aws-sdk-go/aws/defaults"
 "github.com/aws/aws-sdk-go/aws/ec2metadata"
- alks "github.com/Cox-Automotive/alks-go"
+ "github.com/Cox-Automotive/alks-go"
 "github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/aws/credentials"
 "github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
@@ -187,9 +187,16 @@ func isValidIAM(arn *string, client *alks.Client) bool {
 }
 // Check if MI...
- _, err := client.SearchRoleMachineIdentity(*arn)
+ arnParts := strings.FieldsFunc(*arn, splitBy)
+ iamArn := fmt.Sprintf("arn:aws:iam::%s:role/acct-managed/%s", arnParts[3], arnParts[5])
+
+ _, err := client.SearchRoleMachineIdentity(iamArn)
 if err != nil {
 return false
 }
 return true
 }
+
+func splitBy(r rune) bool {
+ return r == ':' || r == '/'
+}
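Review bot: `arnParts[3]` and `arnParts[5]` are indexed without checking `len(arnParts)`, and since 4/5 removed the STS-shape guard any ARN that is not Admin/IAMAdmin reaches this line; one with fewer than six fields (`FieldsFunc` drops empty fields) panics with an index out of range during provider configuration instead of returning false. Add `if len(arnParts) < 6 {` / `return false` / `}` between the `FieldsFunc` call and the `Sprintf`. The indices also rely on the region field being empty so that the account lands at index 3, which holds for the shape `arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION` (placeholder values) but I cannot confirm from here that no regional or non-STS ARN arrives, so a comment above `iamArn :=` stating that expected input shape would make the indices reviewable. `fmt.Sprintf` needs `fmt` in the import block, and this commit's import hunk does not show it being added — presumably already imported, worth confirming. A one-line `// splitBy is the FieldsFunc separator set for ARN fields (':' and '/').` on the new helper would save a reader the lookup.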