Creation of a RoleSet wipes conditions from the IAM Policy #113
Comments
trolleksii added a commit to trolleksii/vault-plugin-secrets-gcp that referenced this issue on Jun 15, 2021:
This test case simply checks that the number of conditions in the policy didn't change after the policy update. This test will fail due to the bug [hashicorp#113](hashicorp#113).
Prepared the PR #114 to fix the bug.
Hello,
maxcoulombe pushed a commit that referenced this issue on Dec 23, 2022.
Fix was reviewed and merged. Thanks for looking into this! I'll take care of the merge back into Vault so the fix is part of the upcoming 1.13 release.
We are using both IAM Bindings with time expiry conditions to grant users temporary access to GCP resources and Vault GCP Secrets Engine to issue Service Account keys for our pipelines. We noticed that conditions disappear after the RoleSet creation/update, effectively making all our temporary access grants (including ones that already expired) permanent.
How to reproduce:
Get the IAM policy (gcloud projects get-iam-policy <PROJECT_ID>); the condition will be present.
Get the IAM policy (gcloud projects get-iam-policy <PROJECT_ID>) again; the condition will be missing.
This example is for the Project Role Bindings, but the same behavior can be observed with other resources.
It seems like the bug is caused by the ChangedBindings function in plugin/iamutil/iam_policy.go. It fails to copy the conditions to the updated IAM Policy Object. I will submit the PR to fix this shortly.
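Added illustration of the failure mode described in this issue and of the invariant the referenced commit's test case checks; this is not code from the plugin or from the issue's author. It uses a stripped-down, hypothetical mirror of the GCP IAM policy document (the Condition, Binding and Policy types, the constructed sample policy, and the function names lossyAddMember, preservingAddMember, countConditions and hasUnconditionalGrant are all assumptions for this example, not the plugin's API). One update path rebuilds bindings from role and members only, which is how a condition gets dropped and a time-limited grant turns permanent; the other copies each binding verbatim and touches only the unconditional binding for the requested role.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical, simplified mirror of the GCP IAM policy shape (not the plugin's own types).
type Condition struct {
	Title      string `json:"title,omitempty"`
	Expression string `json:"expression,omitempty"` // CEL, e.g. a request.time expiry
}

type Binding struct {
	Role      string     `json:"role"`
	Members   []string   `json:"members"`
	Condition *Condition `json:"condition,omitempty"`
}

type Policy struct {
	Version  int       `json:"version"` // conditional bindings require policy version 3
	Bindings []Binding `json:"bindings"`
}

// Constructed sample: a time-limited viewer grant plus an unconditional one.
const samplePolicyJSON = `{"version": 3, "bindings": [
  {"role": "roles/viewer", "members": ["user:alice@example.com"], "condition":
    {"title": "temp", "expression": "request.time < timestamp(\"2021-06-30T00:00:00Z\")"}},
  {"role": "roles/viewer", "members": ["group:readers@example.com"]}]}`

func mustLoadSamplePolicy() Policy {
	var p Policy
	if err := json.Unmarshal([]byte(samplePolicyJSON), &p); err != nil {
		panic(err)
	}
	return p
}

// lossyAddMember rebuilds every binding from role and members only, as a pass through
// a role -> members map does; the condition is never copied, so alice's grant turns permanent.
func lossyAddMember(p Policy, role, member string) Policy {
	out := Policy{Version: p.Version}
	for _, b := range p.Bindings {
		out.Bindings = append(out.Bindings, Binding{Role: b.Role, Members: b.Members})
	}
	out.Bindings = append(out.Bindings, Binding{Role: role, Members: []string{member}})
	return out
}

// preservingAddMember copies every binding, condition included, and adds the member
// only to the unconditional binding for the role (creating it if absent).
func preservingAddMember(p Policy, role, member string) Policy {
	out := Policy{Version: p.Version}
	added := false
	for _, b := range p.Bindings {
		nb := Binding{Role: b.Role, Members: append([]string(nil), b.Members...)}
		if b.Condition != nil {
			c := *b.Condition // copy so the caller's policy stays untouched
			nb.Condition = &c
		} else if b.Role == role {
			nb.Members = append(nb.Members, member)
			added = true
		}
		out.Bindings = append(out.Bindings, nb)
	}
	if !added {
		out.Bindings = append(out.Bindings, Binding{Role: role, Members: []string{member}})
	}
	return out
}

// countConditions is the commit's test invariant: adding a member must not change it.
func countConditions(p Policy) (n int) {
	for _, b := range p.Bindings {
		if b.Condition != nil {
			n++
		}
	}
	return n
}

// hasUnconditionalGrant reports whether member holds role with no condition attached.
func hasUnconditionalGrant(p Policy, role, member string) bool {
	for _, b := range p.Bindings {
		for _, m := range b.Members {
			if b.Role == role && b.Condition == nil && m == member {
				return true
			}
		}
	}
	return false
}

func main() {
	p := mustLoadSamplePolicy()
	sa := "serviceAccount:vault-roleset@example-project.iam.gserviceaccount.com"
	lossy := lossyAddMember(p, "roles/viewer", sa)
	fmt.Printf("conditions: before=%d lossy=%d preserving=%d; alice permanent after lossy=%v\n",
		countConditions(p), countConditions(lossy), countConditions(preservingAddMember(p, "roles/viewer", sa)),
		hasUnconditionalGrant(lossy, "roles/viewer", "user:alice@example.com"))
}
```

The condition count is a cheap regression guard to keep around any code that rewrites a policy, but hasUnconditionalGrant is the check that names the actual risk: a member who was only ever granted a role under an expiry now holds it with no condition at all.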