From 66de24bc86d62f7072868cd966790dcabb863345 Mon Sep 17 00:00:00 2001
From: Zijun Wang
Date: Thu, 14 Dec 2023 22:54:16 -0800
Subject: [PATCH 1/2] fix compiling error
---
 Makefile | 1 +
 test/suites/integration/iamauthpolicy_test.go | 10 ++++++----
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/Makefile b/Makefile
index 5a1f6a89..e763ba3b 100644
--- a/Makefile
+++ b/Makefile
@@ -66,6 +66,7 @@ vet: ## Vet the code and dependencies
 if [ "${CI}" = true ]; then\
 exit 1;\
 fi;}
+ cd test && go vet ./...
 .PHONY: lint
diff --git a/test/suites/integration/iamauthpolicy_test.go b/test/suites/integration/iamauthpolicy_test.go
index b2dc8948..d2fa5c09 100644
--- a/test/suites/integration/iamauthpolicy_test.go
+++ b/test/suites/integration/iamauthpolicy_test.go
@@ -4,12 +4,13 @@ import (
 "context"
 "time"
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/service/vpclattice"
+
 anv1alpha1 "github.com/aws/aws-application-networking-k8s/pkg/apis/applicationnetworking/v1alpha1"
 "github.com/aws/aws-application-networking-k8s/pkg/controllers"
 model "github.com/aws/aws-application-networking-k8s/pkg/model/lattice"
 "github.com/aws/aws-application-networking-k8s/test/pkg/test"
- "github.com/aws/aws-sdk-go/aws"
- "github.com/aws/aws-sdk-go/service/vpclattice"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
@@ -19,10 +20,11 @@ import (
 gwv1 "sigs.k8s.io/gateway-api/apis/v1"
 gwv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
- "github.com/aws/aws-application-networking-k8s/pkg/model/core"
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
 gwv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
+
+ "github.com/aws/aws-application-networking-k8s/pkg/model/core"
 )
 var _ = Describe("IAM Auth Policy", Ordered, func() {
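Review bot: The added `cd test && go vet ./...` runs as its own recipe line, so a vet failure in the test module fails `make vet` unconditionally, whereas the preceding block (whose start lies before this hunk) appears to make a main-module vet failure fatal only when `${CI}` is true, judging from the visible `if [ "${CI}" = true ]; then exit 1; fi` tail. If both modules are meant to be gated the same way, the new line should carry the same `${CI}` guard; if the stricter behavior is intentional, a one-line comment such as `# vet the separate test module; a failure here is always fatal` would save the next reader the question. The recipe's first line is outside the hunk, so the exact shape of the existing guard is inferred.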
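Review bot: The regrouped import block in test/suites/integration/iamauthpolicy_test.go leaves `github.com/aws/aws-application-networking-k8s/pkg/model/core` alone in a trailing group after the ginkgo/gomega dot imports (second hunk), while the other `aws-application-networking-k8s` packages sit in the group right after the standard library, and the two `aws-sdk-go` imports get a group of their own ahead of the project packages (first hunk). gofmt only sorts within a group, so this layout will persist as-is; placing `core` with its sibling project imports and `aws-sdk-go` alongside the other third-party modules (`k8s.io`, `sigs.k8s.io`, `onsi`) would give the conventional stdlib / third-party / project grouping. Both hunks of this file are import-only, so the change is purely one of style.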
@@ -153,7 +155,7 @@ var _ = Describe("IAM Auth Policy", Ordered, func() {
 It("accepted, applied, and removed from Gateway", func() {
 policy := newPolicy("gw", "Gateway", "test-gateway")
- sn, _ := lattice.FindServiceNetwork(context.TODO(), "test-gateway", "")
+ sn, _ := lattice.FindServiceNetwork(context.TODO(), "test-gateway")
 snId := *sn.SvcNetwork.Id
 // accepted
From 55ec938a3fb5a400e40692593f9167fd1ef4758a Mon Sep 17 00:00:00 2001
From: Zijun Wang
Date: Fri, 15 Dec 2023 11:01:00 -0800
Subject: [PATCH 2/2] Add more permissions in the recommended-inline-policy.json
---
 config/iam/recommended-inline-policy.json | 29 +++++++++++++++++++++--
 docs/guides/deploy.md | 8 ++++++-
 examples/recommended-inline-policy.json | 8 ++++++-
 3 files changed, 41 insertions(+), 4 deletions(-)
diff --git a/config/iam/recommended-inline-policy.json b/config/iam/recommended-inline-policy.json
index 18c321df..6741747e 100644
--- a/config/iam/recommended-inline-policy.json
+++ b/config/iam/recommended-inline-policy.json
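Review bot: `sn, _ := lattice.FindServiceNetwork(context.TODO(), "test-gateway")` still discards the error, and the very next line dereferences `*sn.SvcNetwork.Id`, so a failed lookup surfaces as a nil-pointer panic inside the spec rather than a readable assertion failure. Since gomega is dot-imported in this file, `sn, err := lattice.FindServiceNetwork(context.TODO(), "test-gateway")` followed by `Expect(err).ToNot(HaveOccurred())` makes the failure explicit; the signature change itself (dropping the third argument) is not in question. The enclosing `It` closure continues past the hunk.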
@@ -5,19 +5,44 @@
 "Effect": "Allow",
 "Action": [
 "vpc-lattice:*",
- "iam:CreateServiceLinkedRole",
 "ec2:DescribeVpcs",
 "ec2:DescribeSubnets",
 "ec2:DescribeTags",
 "ec2:DescribeSecurityGroups",
 "logs:CreateLogDelivery",
 "logs:GetLogDelivery",
+ "logs:DescribeLogGroups",
+ "logs:PutResourcePolicy",
+ "logs:DescribeResourcePolicies",
 "logs:UpdateLogDelivery",
 "logs:DeleteLogDelivery",
 "logs:ListLogDeliveries",
- "tag:GetResources"
+ "tag:GetResources",
+ "firehose:TagDeliveryStream",
+ "s3:GetBucketPolicy",
+ "s3:PutBucketPolicy"
 ],
 "Resource": "*"
+ },
+ {
+ "Effect" : "Allow",
+ "Action" : "iam:CreateServiceLinkedRole",
+ "Resource" : "arn:aws:iam::*:role/aws-service-role/vpc-lattice.amazonaws.com/AWSServiceRoleForVpcLattice",
+ "Condition" : {
+ "StringLike" : {
+ "iam:AWSServiceName" : "vpc-lattice.amazonaws.com"
+ }
+ }
+ },
+ {
+ "Effect" : "Allow",
+ "Action" : "iam:CreateServiceLinkedRole",
+ "Resource" : "arn:aws:iam::*:role/aws-service-role/delivery.logs.amazonaws.com/AWSServiceRoleForLogDelivery",
+ "Condition" : {
+ "StringLike" : {
+ "iam:AWSServiceName" : "delivery.logs.amazonaws.com"
+ }
+ }
 }
 ]
 }
diff --git a/docs/guides/deploy.md b/docs/guides/deploy.md
index 426ae310..eb7aef9b 100644
--- a/docs/guides/deploy.md
+++ b/docs/guides/deploy.md
@@ -49,10 +49,16 @@ EKS is a simple, recommended way of preparing a cluster for running services wit
 "ec2:DescribeSecurityGroups",
 "logs:CreateLogDelivery",
 "logs:GetLogDelivery",
+ "logs:DescribeLogGroups",
+ "logs:PutResourcePolicy",
+ "logs:DescribeResourcePolicies",
 "logs:UpdateLogDelivery",
 "logs:DeleteLogDelivery",
 "logs:ListLogDeliveries",
- "tag:GetResources"
+ "tag:GetResources",
+ "firehose:TagDeliveryStream",
+ "s3:GetBucketPolicy",
+ "s3:PutBucketPolicy"
 ],
 "Resource": "*"
 },
diff --git a/examples/recommended-inline-policy.json b/examples/recommended-inline-policy.json
index e97f6d23..6741747e 100644
--- a/examples/recommended-inline-policy.json
+++ b/examples/recommended-inline-policy.json
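Review bot: `"s3:PutBucketPolicy"` is added to the statement whose `"Resource"` is `"*"`, which lets the controller's role replace the bucket policy of every bucket in the account rather than only the access-log destination buckets it presumably needs to configure, and since this is the recommended policy users copy verbatim that is a broad grant to ship. Moving `"s3:GetBucketPolicy"` and `"s3:PutBucketPolicy"` into their own statement with `"Resource": "arn:aws:s3:::<ACCESS_LOG_BUCKET>"` (placeholder; list the buckets actually used as log destinations) keeps the file at least privilege, and the two new scoped `iam:CreateServiceLinkedRole` statements in this same hunk already demonstrate the pattern. The identical widening appears in docs/guides/deploy.md and examples/recommended-inline-policy.json in this commit, so all three should change together. A minor point: `"StringLike"` without wildcards in the two new conditions behaves like `"StringEquals"`; either works, but the latter states the intent more directly.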
@@ -11,10 +11,16 @@
 "ec2:DescribeSecurityGroups",
 "logs:CreateLogDelivery",
 "logs:GetLogDelivery",
+ "logs:DescribeLogGroups",
+ "logs:PutResourcePolicy",
+ "logs:DescribeResourcePolicies",
 "logs:UpdateLogDelivery",
 "logs:DeleteLogDelivery",
 "logs:ListLogDeliveries",
- "tag:GetResources"
+ "tag:GetResources",
+ "firehose:TagDeliveryStream",
+ "s3:GetBucketPolicy",
+ "s3:PutBucketPolicy"
 ],
 "Resource": "*"
 },