Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve allowed account handling #363

Merged
merged 5 commits into from Oct 11, 2021
Merged

Improve allowed account handling #363

merged 5 commits into from Oct 11, 2021

Conversation

liamdawson
Copy link
Contributor

Per #362, there's some opportunity for improvement around allowed account logic. This PR introduces two changes:

  1. Return a more contextual error message when Identity#account_aliases raises an IAM permissions error in Identity#running_in_account? — previously, users had to examine the stack trace to work out which part of the application logic triggered the error.

    Note that the previous error message (identifying the missing IAM permission) is no longer shown, but can be seen with --trace, as the MissingIamPermissionsError is recorded as the Error#cause of the AllowedAccountAliasesError.

  2. Avoid checking the current account's aliases against the allowed_accounts list if all values are 12-digit numbers (i.e. AWS account IDs) — considering the way AWS account aliases are used, it should not be possible to use a 12-digit number as an account alias

Some tests had to be updated when making this change, as they used AWS account IDs of an incorrect length.

@liamdawson
Wrap error from account alias permissions error
5729d7d 
Per envato#362, the returned error message doesn't explain why the IAM
permission was required. While the wrapped error doesn't mention the
specific permission, the original MissingIamPermissionsError can still
be seen in --trace output, as it is registered as the Error#cause
@liamdawson
Add ListAccountAliases failing test case
1ebb71d 
As highlighted in envato#362, if the current account ID doesn't match anything
in the allowed accounts list, and the current principal doesn't have
iam:ListAccountAliases privileges, Identity#running_in_account? will
fail due to an attempt to get account aliases. This adds an erroring
test case for that scenario, and the corresponding expected failure when
account aliases are actually in use.
@liamdawson
Skip list aliases if all allowed accounts are IDs
4dbc2f9 
When the current account ID doesn't match any of the provided
allowed_accounts, Identity would automatically fetch listed aliases. If
the principal didn't have permissions to retrieve those, this would
result in an error.

When all of the provided "allowed account" values are valid AWS account
IDs, it's currently impossible that an account alias would match, so we
can skip the call, avoiding the potential permissions issue.
orien
orien approved these changes Oct 4, 2021
View reviewed changes
Copy link
Member

@orien orien left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

patrobinson
patrobinson approved these changes Oct 7, 2021
View reviewed changes
Copy link
Contributor

@patrobinson patrobinson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor question

lib/stack_master/identity.rb

contains_account_alias?(accounts)
rescue MissingIamPermissionsError
raise AllowedAccountAliasesError, 'Failed to validate whether the current AWS account is allowed'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this mask the access denied error message?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I noted that you can work around that if you're investigating the issue:

Note that the previous error message (identifying the missing IAM permission) is no longer shown, but can be seen with --trace, as the MissingIamPermissionsError is recorded as the Error#cause of the AllowedAccountAliasesError.

@liamdawson
Copy link
Contributor Author

I'll update the changelog. Should I also bump the version number? Will we cut a release for this change, or will we wait?

@patrobinson
Copy link
Contributor

@liamdawson changes are pretty infrequent so I think we'd be better bumping this with a minor version change.

@liamdawson liamdawson merged commit bcdf132 into envato:master Oct 11, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@orien orien orien approved these changes

@patrobinson patrobinson patrobinson approved these changes

@petervandoros petervandoros petervandoros approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@liamdawson @patrobinson @orien @petervandoros