App Mesh Envoy Authorization Policies #80
App Mesh will soon be releasing support for enabling TLS on Virtual Nodes in a Mesh (#39). As part of this change, we’re adding an additional authorization capability in App Mesh’s Envoy Management Service that will allow you to scope down the permissions for the IAM policy associated with your Envoy Proxy.
Starting today, you can add a new statement to your IAM policy giving Envoy Proxy explicit access to retrieve configuration from Envoy Management Service.
Am I required to make this change?
You will be initially required to add this policy statement to use TLS on a Virtual Node with a certificate provided by AWS Certificate Manager.
On November 5th, 2019, App Mesh will require this change for all configuration provided by Envoy Management Service. The reason for this is to provide a more secure and consistent experience for all customers using IAM for authorization to specific resources.
We recommend you add this policy statement as soon as possible, even if you do not plan on using TLS for your Virtual Nodes.
How can I opt-in to this change?
If you would like to opt-in to this change, you can adjust your IAM policy for the IAM User or Role you use to connect Envoy Proxy to App Mesh’s Envoy Management Service.
For example, if you’re using ECS with App Mesh, your current task role for the ECS task running the Envoy Proxy might look like:
To update this policy to support fetching certificate materials from App Mesh, you have two options detailed below.
Option 1: Add an Explicit Policy Statement (Recommended)
You can add an explicit statement to your IAM policy for the
The following example shows a policy scoped down to only allow retrieval of configuration for a Virtual Node named
Option 2: Add the App Mesh Read-Only Managed Policy
The second option is to add the managed Envoy policy for AWS App Mesh, which automatically includes authorization for the
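The following is an added example, not AWS's code or anything from this issue: it builds the scoped Option 1 statement for a single virtual node, appends it to an existing task-role policy, and then checks the before and after documents with a simplified IAM-style evaluation so you can see exactly what the scoped statement does and does not grant. The mesh name, node names, account id and region are constructed placeholders, and the virtual node ARN format is taken from the AWS documentation rather than from this page.

```python
"""Added example (not AWS's code): build the scoped Option 1 statement for one
virtual node, merge it into an existing task-role policy, and check the result
with a simplified IAM-style evaluation. Mesh, node, account and region values
are constructed placeholders."""
import copy
import fnmatch
import json

# The action named in this issue; the Envoy config stream from EMS is authorized on it.
STREAM_ACTION = "appmesh:StreamAggregatedResources"


def virtual_node_arn(region, account_id, mesh_name, node_name):
    """ARN of an App Mesh virtual node (format from AWS docs, not from this page)."""
    return f"arn:aws:appmesh:{region}:{account_id}:mesh/{mesh_name}/virtualNode/{node_name}"


def scoped_statement(node_arn):
    """Option 1: allow the config stream for exactly one virtual node, nothing else."""
    return {"Effect": "Allow", "Action": STREAM_ACTION, "Resource": node_arn}


def with_scoped_statement(policy, node_arn):
    """Return a copy of `policy` with the scoped statement appended."""
    updated = copy.deepcopy(policy)
    stmts = updated.get("Statement", [])
    updated["Statement"] = stmts if isinstance(stmts, list) else [stmts]
    updated["Statement"].append(scoped_statement(node_arn))
    return updated


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_authorized(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins; otherwise any
    matching Allow grants. Action matching is case-insensitive, ARN matching is
    case-sensitive, both with IAM's '*' and '?' wildcards. Statements that use
    Condition, NotAction or NotResource are rejected rather than guessed at."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if any(k in stmt for k in ("Condition", "NotAction", "NotResource")):
            raise ValueError("unsupported element; use the IAM policy simulator instead")
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt.get("Action")))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt.get("Resource")))
        if action_hit and resource_hit:
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


# Constructed "before" policy for an ECS task role: log shipping only, no appmesh access.
CURRENT_TASK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "*"}
    ],
}

MY_NODE = virtual_node_arn("us-west-2", "123456789012", "my-mesh", "serviceB-vn")
OTHER_NODE = virtual_node_arn("us-west-2", "123456789012", "my-mesh", "serviceC-vn")
UPDATED_TASK_ROLE_POLICY = with_scoped_statement(CURRENT_TASK_ROLE_POLICY, MY_NODE)

if __name__ == "__main__":
    print(json.dumps(UPDATED_TASK_ROLE_POLICY, indent=2))
    for label, pol in (("before", CURRENT_TASK_ROLE_POLICY), ("after", UPDATED_TASK_ROLE_POLICY)):
        print(label, "own node:", is_authorized(pol, STREAM_ACTION, MY_NODE),
              "other node:", is_authorized(pol, STREAM_ACTION, OTHER_NODE))
```

The check is deliberately narrow: it answers "does this document grant the stream action on this node ARN" and refuses policies with conditions or negated elements, because those need the real IAM policy simulator. The point of scoping the Resource to one virtual node ARN is visible in the output: the updated role can stream configuration for its own node but not for a sibling node in the same mesh, which is the least-privilege shape the issue recommends over the broader managed policy.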
How do I know I’ve fixed this?
You can verify that you have added the proper policy changes by reviewing the instance or execution role of the compute resource that is running Envoy.
From the EC2 console:
ECS with EC2 or Fargate
From the ECS console:
From the EKS console:
Once you’ve verified the appropriate role has been updated, you will be able to connect your Envoy to App Mesh.
How do I know if my Envoy is failing the authorization check?
You can determine if your Envoy is failing the authorization check by viewing the Envoy’s logs in CloudWatch. In the CloudWatch log stream, search for
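As an added example (not AWS's code or an excerpt from this issue), here is a small scanner that runs over Envoy log lines of the kind you would pull from the CloudWatch log stream, finds every closed config stream, and tells apart an authorization failure from other reasons the stream can close. The log lines are constructed in the shape of Envoy's "gRPC config stream closed" messages, not copied from a real stream; the status-code table is the fixed gRPC one, where 7 is PERMISSION_DENIED.

```python
"""Added example (not AWS's code): scan Envoy log lines for closed EMS config
streams and classify them by gRPC status. The log lines below are constructed
in the shape of Envoy's own 'gRPC config stream closed' messages, not copied
from a real CloudWatch stream."""
import re
from collections import Counter

# Canonical gRPC status codes (fixed by the gRPC spec).
GRPC_STATUS = {
    0: "OK", 1: "CANCELLED", 2: "UNKNOWN", 3: "INVALID_ARGUMENT",
    4: "DEADLINE_EXCEEDED", 5: "NOT_FOUND", 6: "ALREADY_EXISTS",
    7: "PERMISSION_DENIED", 8: "RESOURCE_EXHAUSTED", 9: "FAILED_PRECONDITION",
    10: "ABORTED", 11: "OUT_OF_RANGE", 12: "UNIMPLEMENTED", 13: "INTERNAL",
    14: "UNAVAILABLE", 15: "DATA_LOSS", 16: "UNAUTHENTICATED",
}

# Status 7 is what this issue tells you to look for: the IAM check refused the stream.
AUTHZ_DENIED = 7

STREAM_CLOSED = re.compile(r"gRPC config stream closed: (\d+)(?:, (.*))?$")


def parse_stream_closures(lines):
    """Yield (status_code, status_name, message) for each closed-stream log line."""
    for line in lines:
        m = STREAM_CLOSED.search(line)
        if not m:
            continue
        code = int(m.group(1))
        yield code, GRPC_STATUS.get(code, "UNRECOGNIZED"), (m.group(2) or "").strip()


def diagnose(lines):
    """Summarize closures and decide whether the Envoy is failing authorization.
    Other statuses are reported too, so a connectivity problem (14) or rejected
    credentials (16) are not mistaken for a missing IAM statement."""
    counts = Counter(code for code, _, _ in parse_stream_closures(lines))
    return {
        "closures": {GRPC_STATUS.get(c, str(c)): n for c, n in sorted(counts.items())},
        "authorization_failed": counts[AUTHZ_DENIED] > 0,
    }


# Constructed sample log; the source file/line fields and messages are placeholders.
SAMPLE_LOG = """\
[2019-10-30 12:00:01.000][1][info][upstream] [source/common/upstream/cluster_manager_impl.cc:1] cm init: initializing cds
[2019-10-30 12:00:02.000][1][warning][config] [source/common/config/grpc_stream.h:1] gRPC config stream closed: 7, not authorized to perform appmesh:StreamAggregatedResources
[2019-10-30 12:00:04.000][1][warning][config] [source/common/config/grpc_stream.h:1] gRPC config stream closed: 7, not authorized to perform appmesh:StreamAggregatedResources
[2019-10-30 12:00:08.000][1][warning][config] [source/common/config/grpc_stream.h:1] gRPC config stream closed: 14, upstream connect error
""".splitlines()

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

In practice the same literal string, `"gRPC config stream closed: 7"`, works as the search term in the CloudWatch console and as a CloudWatch Logs filter pattern, so the script is mainly useful when you want to triage a whole log export at once and separate IAM denials (7) from transport failures (14) or rejected credentials (16), each of which needs a different fix.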
Just wondering, has the requirement of "appmesh:StreamAggregatedResources" been enforced yet?
I launched an ECS task without "appmesh:StreamAggregatedResources" IAM permissions on the task role (and task execution role), but the task was still able to function as normal (e.g., it was still able to reach out to backend virtual services based on the virtual route configured). I don't see "gRPC config stream closed: 7" in the Envoy CloudWatch log either. A quick confirmation will be much appreciated.
Hey @starchx, sorry we haven’t updated this issue in a bit.
The short answer is: it’s still possible to connect without the StreamAggregatedResources and receive configuration, but only a minimum configuration will be provided.
We’re enforcing the IAM action for all new features since it was introduced, which includes: TLS functionality from ACM, and Virtual Gateways.
We’ll eventually close this loop, but don’t want to break customers, so it will take us a little while to narrow down all the usages and help with migration.