New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve allowed account handling #363
Improve allowed account handling #363
Conversation
Per envato#362, the returned error message doesn't explain why the IAM permission was required. While the wrapped error doesn't mention the specific permission, the original MissingIamPermissionsError can still be seen in --trace output, as it is registered as the Error#cause
As highlighted in envato#362, if the current account ID doesn't match anything in the allowed accounts list, and the current principal doesn't have iam:ListAccountAliases privileges, Identity#running_in_account? will fail due to an attempt to get account aliases. This adds an erroring test case for that scenario, and the corresponding expected failure when account aliases are actually in use.
When the current account ID doesn't match any of the provided allowed_accounts, Identity would automatically fetch listed aliases. If the principal didn't have permissions to retrieve those, this would result in an error. When all of the provided "allowed account" values are valid AWS account IDs, it's currently impossible that an account alias would match, so we can skip the call, avoiding the potential permissions issue.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor question
|
||
contains_account_alias?(accounts) | ||
rescue MissingIamPermissionsError | ||
raise AllowedAccountAliasesError, 'Failed to validate whether the current AWS account is allowed' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this mask the access denied error message?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I noted that you can work around that if you're investigating the issue:
Note that the previous error message (identifying the missing IAM permission) is no longer shown, but can be seen with
--trace
, as theMissingIamPermissionsError
is recorded as theError#cause
of theAllowedAccountAliasesError
.
I'll update the changelog. Should I also bump the version number? Will we cut a release for this change, or will we wait? |
@liamdawson changes are pretty infrequent so I think we'd be better bumping this with a minor version change. |
Per #362, there's some opportunity for improvement around allowed account logic. This PR introduces two changes:
Return a more contextual error message when
Identity#account_aliases
raises an IAM permissions error inIdentity#running_in_account?
— previously, users had to examine the stack trace to work out which part of the application logic triggered the error.Note that the previous error message (identifying the missing IAM permission) is no longer shown, but can be seen with
--trace
, as theMissingIamPermissionsError
is recorded as theError#cause
of theAllowedAccountAliasesError
.Avoid checking the current account's aliases against the
allowed_accounts
list if all values are 12-digit numbers (i.e. AWS account IDs) — considering the way AWS account aliases are used, it should not be possible to use a 12-digit number as an account aliasSome tests had to be updated when making this change, as they used AWS account IDs of an incorrect length.