elasticloadbalancing:DescribeTags not added #36

Open
rileytg opened this issue Sep 10, 2021 · 7 comments


rileytg commented Sep 10, 2021

When I run terraform apply as an admin, it works with 0 changes. When I apply the generated policy to a new user, I get ... is not authorized to perform: elasticloadbalancing:DescribeTags

Adding this fixes my issue:

~ Action   = [
                            # (14 unchanged elements hidden)
                            "elasticloadbalancing:DescribeListeners",
                          + "elasticloadbalancing:DescribeTags",
                        ]

I saw some chatter on an issue that this can be updated in iamlivecore/map.json, but didn't follow enough to submit a pull. Happy to do so with some guidance.

Author

rileytg commented Sep 10, 2021

upon further review of my generated policy, some DescribeTags did get added with the specific ARN, but don't work.

        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:DescribeTags"
            ],
            "Resource": "arn:aws-us-gov:elasticloadbalancing:us-gov-west-1:123123:listener/app/epayit-test-alb/asdfasdfaf/asdfasdf"
        }

perhaps the ARN was wrong? (too busy atm to go back and test. will do it if i can later)

Author

rileytg commented Sep 10, 2021

(redacted values in my arn fyi)

Owner

iann0036 commented Sep 10, 2021

Hey @rileytg,

Thanks for raising!

Looking over your ARN, it looks like there is one too many components at the end. Does removing the last part and its slash resolve your issue? i.e.

            "Resource": "arn:aws-us-gov:elasticloadbalancing:us-gov-west-1:123123:listener/app/epayit-test-alb/asdfasdfaf"

Regarding edits to the data source, the map is sourced from https://github.com/iann0036/iam-dataset/blob/main/map.json periodically, so edits are welcomed over there.

Author

rileytg commented Sep 10, 2021

ya that was the resolution. i did a bunch of manual cleanups regarding this.

would i read the go code to figure out the format for map.json? or is it some kinda standard?

Author

rileytg commented Sep 10, 2021

i opened this ticket thinking that the generated ARNs are incorrect (aka bug), am i misunderstanding?

@iann0036
Owner

Hey @rileytg,

I realise my initial response was incorrect and that the original value you had should have worked. Per the SAR, the correct format is:

arn:${Partition}:elasticloadbalancing:${Region}:${Account}:listener/app/${LoadBalancerName}/${LoadBalancerId}/${ListenerId}

Could you reconfirm your fix?

Author

rileytg commented Sep 12, 2021

my fix was lazy 😞

i did:

arn:${Partition}:elasticloadbalancing:${Region}:${Account}:listener/*

i’ll need to tighten this down over the coming weeks and i’ll update here if my work is useful to others/this project.

thanks for all your work here, this has been an incredible help.
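
An added example, not part of the thread or of iamlive's own code: a small check that compares listener `Resource` entries in a policy against the ARN layout quoted from the SAR above and flags entries that are missing a component or use a wildcard. The function names and the sample policy are constructed for illustration, reusing the redacted ARN values from the thread, and only the `listener/app/...` layout quoted here is covered.

```python
import re

# Listener ARN layout quoted from the SAR in the thread:
# arn:${Partition}:elasticloadbalancing:${Region}:${Account}:listener/app/${LoadBalancerName}/${LoadBalancerId}/${ListenerId}
# The account field is not length-checked because the thread's value is redacted.
LISTENER_ARN = re.compile(
    r"^arn:[a-z0-9-]+:elasticloadbalancing:[a-z0-9-]*:[0-9*]*:listener/(.*)$")
EXPECTED = 4  # app / LoadBalancerName / LoadBalancerId / ListenerId


def classify_listener_arn(resource):
    """Classify one Resource string: ok, malformed, wildcard or not-listener."""
    match = LISTENER_ARN.match(resource)
    if not match:
        return "not-listener"
    parts = match.group(1).split("/")
    if any("*" in p for p in parts):
        return "wildcard"      # covers more than one listener
    if len(parts) != EXPECTED or parts[0] != "app" or not all(parts):
        return "malformed"     # e.g. the ListenerId component is missing
    return "ok"


def audit_policy(policy):
    """Return (statement index, resource, verdict) for each listener ARN to review."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # IAM allows a single statement object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            verdict = classify_listener_arn(res)
            if verdict in ("malformed", "wildcard"):
                findings.append((index, res, verdict))
    return findings


# Constructed sample policy built from the redacted values in the thread.
BASE = "arn:aws-us-gov:elasticloadbalancing:us-gov-west-1:123123:listener/"
TAILS = ["app/epayit-test-alb/asdfasdfaf/asdfasdf", "app/epayit-test-alb/asdfasdfaf", "*"]
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["elasticloadbalancing:DescribeTags"],
     "Resource": BASE + tail} for tail in TAILS]}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```
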
