IAM Scanner required roles #3794
Comments
Thank you for opening an issue. Our team's interrupts engineer will review your issue shortly. Issue Resolution:
Hi @janmasarik, thanks for letting us know about the Slack issue. I have not seen that error in regards to the email address, will look into it. You can also provide the issue details in this ticket and we can work on it.
Hey @gkowalski-google, thanks a lot for super quick ack! All right then, I'll copy-paste it here. :-) I'm currently trying to find out how to write a policy to check if the given account contains only specified roles. Neither blacklist nor whitelist seems to be working for this use case, as the whitelist is essentially useless here, and in case of the blacklist, I would have to enumerate literally every role except the allowed ones. I would appreciate any hint or confirmation that the blacklist approach is the only possible one. Attaching the snippet below.
@janmasarik The Forseti IAM scanner actually has a FYI this functionality is also available in Config Validator. Here is a sample policy that achieves the same thing. Forseti docs for how to migrate IAM policy to Config Validator. Let me know if you need anything else.
@janmasarik Any luck? Let me know if you still need help. FYI the Slack link has been fixed on the website.
Hey @gkowalski-google, Pardon my ignorance, but based on what I understood, the I think With that said, thanks for recommending Config Validator, and thanks again for your response! It's awesome to see such response time on a big project like this! :)
Hey @gkowalski-google 👋 , I was wondering if my assumptions are correct or not. 😅 As far as I understand, this would require ~560 files[1] with Config Validator as you cannot specify multiple parameters in a single rule. This might be fairly inconvenient + should be updated when Google adds new roles:

```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV3
metadata:
  name: restrict_editor_on_default_sa
  annotations:
    description: Default service accounts should not have editor privileges
spec:
  severity: high
  match:
    target:
    - "organizations/**"
  parameters:
    mode: denylist
    role: roles/editor
    members:
    # The first member pattern was mangled by page extraction; it is restored
    # here on the assumption that it matched the default Compute Engine
    # service account (PROJECT_NUMBER-compute@developer.gserviceaccount.com).
    - serviceAccount:*-compute@developer.gserviceaccount.com
    - serviceAccount:*@appspot.gserviceaccount.com
```

[1] current number of roles after listing
Hi @janmasarik, sorry for not looking more into this initially. Your assumptions are correct. I'm sorry that ability is not available in the Forseti IAM scanner and is currently blocked in Config Validator as well. In order to ensure that a service account matches a set list of roles, Config Validator would require referential constraints so that it would know if all IAM bindings are given to a service account and check for no additional roles. Config Validator currently works by scanning each asset/resource and seeing if it violates any of the constraints. In this way, it would not be able to check if a service account is assigned to roles other than the ones you explicitly allow.
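An added example of the check the two comments above say neither the Forseti IAM scanner nor Config Validator can express (this is not Forseti or Config Validator code). Because Config Validator evaluates one asset at a time, the "only these roles" question has to be answered outside it, over the whole policy document of a project; with that document in hand (the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints) it is a per-member set difference. The denylist direction from the constraint quoted earlier in the thread is included for comparison. The sample policy, the project id and every member name below are constructed for the example.

```python
"""Allowlist / required-roles check over a whole GCP IAM policy (added example)."""
import fnmatch
import json
from typing import Dict, List, Set

# Constructed sample policy in the getIamPolicy output format; names are made up.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/viewer",
     "members": ["serviceAccount:ci-deploy@example-proj.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:ci-deploy@example-proj.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                 "serviceAccount:ci-deploy@example-proj.iam.gserviceaccount.com"]},
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]}
  ],
  "etag": "BwXYZ=",
  "version": 1
}
""")


def roles_by_member(policy: dict) -> Dict[str, Set[str]]:
    """Invert the bindings list: member -> set of roles it holds in this policy.

    Conditional bindings are counted as held, which errs on the side of
    reporting too much rather than too little.
    """
    out: Dict[str, Set[str]] = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def extra_roles(policy: dict, member: str, allowed: Set[str]) -> Set[str]:
    """Roles `member` holds that are not in `allowed` (the 'only these roles' check)."""
    return roles_by_member(policy).get(member, set()) - allowed


def missing_roles(policy: dict, member: str, required: Set[str]) -> Set[str]:
    """Roles in `required` that `member` does not hold (the 'required roles' direction)."""
    return required - roles_by_member(policy).get(member, set())


def denylist_violations(policy: dict, role: str, member_globs: List[str]) -> List[str]:
    """Members matching any glob that hold `role`.

    This mirrors what the GCPIAMAllowedBindingsConstraintV3 denylist quoted in
    the thread flags, done here with fnmatch globs over member strings.
    """
    hits = set()
    for binding in policy.get("bindings", []):
        if binding["role"] != role:
            continue
        for member in binding.get("members", []):
            if any(fnmatch.fnmatchcase(member, glob) for glob in member_globs):
                hits.add(member)
    return sorted(hits)


if __name__ == "__main__":
    sa = "serviceAccount:ci-deploy@example-proj.iam.gserviceaccount.com"
    print("extra roles:", extra_roles(SAMPLE_POLICY, sa, {"roles/viewer", "roles/storage.objectViewer"}))
    print("denylist hits:", denylist_violations(
        SAMPLE_POLICY, "roles/editor",
        ["serviceAccount:*-compute@developer.gserviceaccount.com",
         "serviceAccount:*@appspot.gserviceaccount.com"]))
```

Two caveats before relying on this in a pipeline: a project policy does not show roles the member inherits from folder or organization bindings, nor roles it gets through a `group:` member, so the check has to be run against the policy at every level of the hierarchy (or the merged set) with groups expanded, otherwise `extra_roles` will under-report.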
Understand, thank you @gkowalski-google! Currently, the best workaround is probably to blacklist roles that we really care about, right? (such as Editor, Owner or Storage Admin)
Hey guys 👋 ,
Thanks for your amazing work! :-)
I tried to reach out to the community with a question regarding IAM rule creation, but the Slack link is expired, and I've received the following mail[1] from [email protected].
Is there any other way to ask it? :-)
Thanks in advance!
[1]