diff --git a/pkg/mapper/dynamicfile/mapper.go b/pkg/mapper/dynamicfile/mapper.go
index d11cda4fc..9faebd272 100644
--- a/pkg/mapper/dynamicfile/mapper.go
+++ b/pkg/mapper/dynamicfile/mapper.go
@@ -3,6 +3,7 @@ package dynamicfile
 import (
 	"strings"
+	"github.com/sirupsen/logrus"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/arn"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/config"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/errutil"
@@ -46,35 +47,28 @@ func (m *DynamicFileMapper) Map(identity *token.Identity) (*config.IdentityMappi
 	}
 	if roleMapping, err := m.RoleMapping(key); err == nil {
-		if err := m.match(identity, roleMapping.RoleARN, roleMapping.UserId); err != nil {
-			return nil, err
-		}
 		return roleMapping.IdentityMapping(identity), nil
 	}
 	if userMapping, err := m.UserMapping(key); err == nil {
-		if err := m.match(identity, userMapping.UserARN, userMapping.UserId); err != nil {
-			return nil, err
+		if !m.userIDStrict {
+			return userMapping.IdentityMapping(identity), nil
+		}
+		// compare arn additionally for IAM user if principalId is used in mapping
+		strippedArn, stripErr := arn.StripPath(userMapping.UserARN)
+		if stripErr != nil {
+			return nil, stripErr
+		}
+		if canonicalARN != strings.ToLower(strippedArn) {
+			logrus.Info("arn not matched though principalId match. arn from STS response is %s, arn in mapper is %s",
+				canonicalARN, strings.ToLower(strippedArn))
+			return nil, errutil.ErrIDAndARNMismatch
 		}
 		return userMapping.IdentityMapping(identity), nil
 	}
-
 	return nil, errutil.ErrNotMapped
 }
-func (m *DynamicFileMapper) match(token *token.Identity, mappedARN, mappedUserID string) error {
-	if m.userIDStrict {
-		// If ARN is provided, ARN must be validated along with UserID. This avoids having to
-		// support IAM user name/ARN changes. Without preventing this the mapping would look
-		// invalid but still work and auditing would be difficult/impossible.
-		strippedArn, _ := arn.StripPath(mappedARN)
-		if strippedArn != "" && token.CanonicalARN != strings.ToLower(strippedArn) {
-			return errutil.ErrIDAndARNMismatch
-		}
-	}
-	return nil
-}
-
 func (m *DynamicFileMapper) IsAccountAllowed(accountID string) bool {
 	return m.AWSAccount(accountID)
 }
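Review bot: `logrus.Info` is not a printf-style call, so the mismatch log line in the user-mapping branch emits the literal `%s` verbs and merely appends the two ARNs after the message; `go vet` reports this. Change it to `logrus.Infof("arn not matched though principalId match. arn from STS response is %s, arn in mapper is %s", canonicalARN, strings.ToLower(strippedArn))`. The removed `match` also tolerated an empty mapped ARN (`strippedArn != ""`), whereas the new branch compares unconditionally, so under `userIDStrict` a user mapping that carries only a principalId appears to be rejected with `ErrIDAndARNMismatch` unless `arn.StripPath` already errors on empty input — worth pinning with a test either way. The role-mapping branch now performs no ARN check at all in strict mode; if that is deliberate, record the reason in a comment next to the `RoleMapping` branch so the weaker check is not read as an oversight. `Map` begins outside this hunk, where `canonicalARN` is computed.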