
OIDC “iamlive CA” certificate is not trusted #62

Open
satellite-no opened this issue Feb 22, 2023 · 4 comments

Comments

@satellite-no

Hi, I'm trying to use iamlive to validate permissions in Terraform that builds an AWS EKS environment and sets up OIDC. It was working great until it got to the OIDC stuff and then failed with the below error.

Error:

```text
Error: Failed to identify fetch peer certificates

  with data.tls_certificate.shared-services_tls,
  on eks.tf line 22, in data "tls_certificate" "shared-services_tls":
  22: data "tls_certificate" "shared-services_tls" {

failed to fetch certificates from URL 'https': Get
"https://oidc.eks.us-east-1.amazonaws.com:443/id/3DDFA9B63C55CAF000453A371F8C30CB": x509: “iamlive CA” certificate is not
trusted
```

Before failing it output this policy perfectly 👍

```json
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:ListAllMyBuckets","s3:ListBucket","sts:GetCallerIdentity","iam:CreatePolicy","iam:CreateRole","ec2:CreateManagedPrefixList","ec2:CreateSecurityGroup","ec2:CreateSubnet","ec2:CreateTags","iam:GetPolicy","iam:AttachRolePolicy","iam:GetPolicyVersion","iam:GetRole","ec2:DescribeManagedPrefixLists","ec2:DescribeSecurityGroups","ec2:DescribeSubnets","iam:ListRolePolicies","iam:ListAttachedRolePolicies","iam:CreateInstanceProfile","ec2:ModifySubnetAttribute","iam:GetInstanceProfile","ec2:GetManagedPrefixListEntries","iam:AddRoleToInstanceProfile","iam:PassRole","ec2:RevokeSecurityGroupEgress","ec2:AuthorizeSecurityGroupIngress","ec2:AuthorizeSecurityGroupEgress","eks:CreateCluster","eks:DescribeCluster","eks:CreateAddon","eks:CreateNodegroup","eks:DescribeAddon","eks:DescribeNodegroup"],"Resource":"*"}]}
```

iann0036 added a commit that referenced this issue Feb 23, 2023
@iann0036
Owner

Hey @satellite-no,

Thanks for raising!

Looks like you've found an interesting edge case. iamlive generally looks for any network traffic in the form *.amazonaws.com and attempts to interpret it as a Sigv4-signed API call. The data provider for this specific EKS endpoint matches that route but isn't a typical AWS API endpoint.

I've added a change in v0.51.1 to omit parsing this host format, but I also suspect that you'll have the same issue due to the global nature of the HTTP_PROXY environment variable. If the new release doesn't work for you, try adding export NO_PROXY=oidc.eks.us-east-1.amazonaws.com to your environment immediately before running Terraform.

Let me know how you go.

@satellite-no
Author

satellite-no commented Feb 23, 2023

Thanks for the quick follow up @iann0036.

You're correct in your assumption; it still failed until I added the export NO_PROXY=oidc.eks.us-east-1.amazonaws.com. Fun turn of events when I did that though: it removed almost all EKS-related permissions from the policy. That endpoint must be used for almost all EKS items, but only the OIDC part throws an issue?

Outputted policy:

```json
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:ListAllMyBuckets","sts:GetCallerIdentity","iam:CreateRole","iam:CreatePolicy","iam:GetPolicy","iam:AttachRolePolicy","iam:GetPolicyVersion","iam:GetRole","iam:ListRolePolicies","iam:ListAttachedRolePolicies","iam:CreateInstanceProfile","iam:GetInstanceProfile","iam:AddRoleToInstanceProfile","iam:PassRole","iam:CreateOpenIDConnectProvider","iam:GetOpenIDConnectProvider"],"Resource":"*"}]}
```

iann0036 added a commit that referenced this issue Feb 24, 2023
@iann0036
Owner

Huh, how irritating.

Could it perhaps be that the new version is excluding somethingelsethatsanawsapi.eks.us-east-1.amazonaws.com? Because the change has no practical use, I'll revert it as v0.51.2. Maybe double check if that has the same effect.

@satellite-no
Author

Ahh good call!

I went to v0.51.2 and used the NO_PROXY and I started to see the EKS IAM permissions again. It also completed without error. So the key for this is the export NO_PROXY=oidc.eks.us-east-1.amazonaws.com.

Updated policy:

```json
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["sts:GetCallerIdentity","iam:CreateRole","iam:CreatePolicy","ec2:CreateManagedPrefixList","ec2:CreateSubnet","ec2:CreateTags","ec2:CreateSecurityGroup","iam:GetPolicy","iam:AttachRolePolicy","ec2:DescribeSecurityGroups","ec2:DescribeSubnets","iam:GetPolicyVersion","iam:GetRole","ec2:DescribeManagedPrefixLists","iam:ListRolePolicies","iam:ListAttachedRolePolicies","ec2:ModifySubnetAttribute","iam:CreateInstanceProfile","iam:GetInstanceProfile","ec2:GetManagedPrefixListEntries","iam:AddRoleToInstanceProfile","iam:PassRole","ec2:RevokeSecurityGroupEgress","ec2:AuthorizeSecurityGroupIngress","ec2:AuthorizeSecurityGroupEgress","eks:CreateCluster","eks:DescribeCluster","eks:CreateAddon","eks:CreateNodegroup","iam:CreateOpenIDConnectProvider","eks:DescribeAddon","iam:GetOpenIDConnectProvider","eks:DescribeNodegroup"],"Resource":"*"}]}
```
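The resolution above is a NO_PROXY entry for the OIDC issuer host, so that the tls_certificate fetch goes direct (where the issuer's real certificate verifies) while every other *.amazonaws.com call still flows through iamlive's intercepting proxy. The wrapper below is an added example, not code from the iamlive project or from either participant in this thread. It derives the NO_PROXY host from the issuer URL, models the NO_PROXY matching rules that Go programs such as Terraform apply (hostnames only; IP ranges and ports are left out), and refuses a NO_PROXY value that would also exempt real API hosts, since an entry like amazonaws.com would silently hide every call from iamlive. The proxy address 127.0.0.1:10080, the CA path ~/.iamlive/ca.pem, the AWS_CA_BUNDLE setting and the probe hosts are assumptions for the example and are not stated on this page.

```shell
#!/bin/sh
# Added example for this thread; not code from the iamlive project or the issue author.
# Runs Terraform through iamlive's proxy while exempting the EKS OIDC issuer host
# from proxying, which is the fix the thread settled on.
# Assumptions (not stated on the page): iamlive is already running in proxy mode on
# 127.0.0.1:10080 and its CA is at ~/.iamlive/ca.pem; override with IAMLIVE_PROXY / IAMLIVE_CA.
set -eu

IAMLIVE_PROXY="${IAMLIVE_PROXY:-http://127.0.0.1:10080}"
IAMLIVE_CA="${IAMLIVE_CA:-${HOME:-.}/.iamlive/ca.pem}"

# Host part of an issuer URL, e.g.
#   https://oidc.eks.us-east-1.amazonaws.com:443/id/3DDFA9B63C55CAF000453A371F8C30CB
# -> oidc.eks.us-east-1.amazonaws.com
# NO_PROXY matches on host, not path, so the /id/... part and any port must go.
issuer_host() {
  h="${1#*://}"   # drop scheme
  h="${h%%/*}"    # drop path
  h="${h%%:*}"    # drop explicit port
  printf '%s\n' "$h"
}

# Simplified model of NO_PROXY matching as Go's net/http applies it
# (hostnames only; no IP/CIDR or port handling):
#   "*"         bypasses everything
#   "a.b.com"   matches a.b.com and any subdomain of it
#   ".b.com"    matches subdomains of b.com only, not b.com itself
# Returns 0 when host $1 would bypass the proxy under NO_PROXY="$2".
bypasses_proxy() {
  host="$1"
  rest="$2"
  while [ -n "$rest" ]; do
    case "$rest" in
      *,*) entry="${rest%%,*}"; rest="${rest#*,}" ;;
      *)   entry="$rest";       rest="" ;;
    esac
    entry="$(printf '%s' "$entry" | tr -d ' ')"
    [ -n "$entry" ] || continue
    [ "$entry" != "*" ] || return 0
    case "$entry" in
      .*) case "$host" in *"$entry") return 0 ;; esac ;;
      *)  [ "$host" != "$entry" ] || return 0
          case "$host" in *".$entry") return 0 ;; esac ;;
    esac
  done
  return 1
}

# Guard against a NO_PROXY that would also hide real API calls from iamlive.
# The probe hosts are constructed for this example: one global STS endpoint and
# the regional EKS API endpoint the thread's Terraform would be calling.
check_no_proxy() {
  for probe in sts.amazonaws.com eks.us-east-1.amazonaws.com; do
    if bypasses_proxy "$probe" "$1"; then
      printf 'NO_PROXY=%s would also bypass %s; iamlive would miss those calls\n' "$1" "$probe" >&2
      return 1
    fi
  done
  return 0
}

# Run terraform with iamlive as the proxy: the AWS SDK trusts iamlive's CA via
# AWS_CA_BUNDLE, while the OIDC issuer (whose intercepted certificate the
# tls_certificate data source rejects, as in the error above) bypasses the proxy.
# Usage: sh iamlive-tf.sh https://oidc.eks.us-east-1.amazonaws.com/id/<ID> plan
run_terraform_via_iamlive() {
  issuer="$1"; shift
  np="$(issuer_host "$issuer")"
  check_no_proxy "$np"
  HTTP_PROXY="$IAMLIVE_PROXY" HTTPS_PROXY="$IAMLIVE_PROXY" \
  AWS_CA_BUNDLE="$IAMLIVE_CA" NO_PROXY="$np" \
  terraform "$@"
}

[ "$#" -lt 2 ] || run_terraform_via_iamlive "$@"
```

Setting the variables only for the terraform invocation, rather than exporting them into the shell, avoids the problem the maintainer points at: HTTP_PROXY and NO_PROXY are global to every process in that environment, so a stale export lingers across later runs. The check_no_proxy guard also explains the v0.51.1 result in the thread in proxy terms: anything that exempts an EKS API host from iamlive, whether by the tool's own host filter or by an over-broad NO_PROXY, drops those eks: actions from the generated policy.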
