
Creation of a RoleSet wipes conditions from the IAM Policy #113

Closed
trolleksii opened this issue Jun 15, 2021 · 3 comments

Comments

@trolleksii
Contributor

We are using both IAM Bindings with time expiry conditions to grant users temporary access to GCP resources and Vault GCP Secrets Engine to issue Service Account keys for our pipelines. We noticed that conditions disappear after the RoleSet creation/update, effectively making all our temporary access grants (including ones that already expired) permanent.

How to reproduce:

  1. Create a Project in GCP.
  2. Grant yourself any Role with any condition.
  3. Get the IAM Policy (gcloud projects get-iam-policy <PROJECT_ID>); the condition will be present.
  4. Create a Roleset with at least one project-scope binding:

     vault write gcp/roleset/my-key-roleset \
         project="<PROJECT_ID>" \
         secret_type="service_account_key"  \
         bindings=-<<EOF
           resource "//cloudresourcemanager.googleapis.com/projects/<PROJECT_ID>" {
             roles = ["roles/viewer"]
           }
     EOF

  5. Get the IAM Policy (gcloud projects get-iam-policy <PROJECT_ID>) again. The condition will be missing.

This example is for the Project Role Bindings but the same behavior can be observed with other resources.

It seems like the bug is caused by the ChangedBindings function in plugin/iamutil/iam_policy.go. It fails to copy the conditions to the updated IAM Policy Object.

I will submit the PR to fix this shortly.
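The merge the issue describes, as an added example (not the plugin's ChangedBindings code, and using a constructed policy model rather than the Google IAM API types): existing bindings are copied unchanged, condition included, the new member lands only on an unconditional binding for each role, and the before/after condition count check from the linked test case is applied.

```go
package main

import "fmt"

// Constructed, simplified IAM policy model (not the plugin's or Google's types).
type Condition struct{ Title, Expression string }
type Binding struct {
	Role      string
	Members   []string
	Condition *Condition // nil means the binding is unconditional
}
type Policy struct{ Bindings []Binding }

// AddBindingsPreservingConditions copies every existing binding as-is (Condition
// included) and adds member only to an unconditional binding for each role,
// creating one if absent, so a time-limited grant is never turned permanent.
func AddBindingsPreservingConditions(p Policy, member string, roles []string) Policy {
	out := Policy{Bindings: append([]Binding(nil), p.Bindings...)}
	for _, r := range roles {
		merged := false
		for i := range out.Bindings {
			if b := &out.Bindings[i]; b.Role == r && b.Condition == nil {
				b.Members = append(append([]string(nil), b.Members...), member) // copy, never alias p
				merged = true
				break
			}
		}
		if !merged {
			out.Bindings = append(out.Bindings, Binding{Role: r, Members: []string{member}})
		}
	}
	return out
}

// CountConditions is the issue's regression check: conditions before == after.
func CountConditions(p Policy) (n int) {
	for _, b := range p.Bindings {
		if b.Condition != nil {
			n++
		}
	}
	return n
}

func main() {
	expiry := &Condition{Title: "temp", Expression: `request.time < timestamp("2021-07-01T00:00:00Z")`}
	before := Policy{Bindings: []Binding{{Role: "roles/viewer", Members: []string{"user:alice@example.com"}, Condition: expiry}}}
	after := AddBindingsPreservingConditions(before, "serviceAccount:vault-sa@example.com", []string{"roles/viewer"})
	fmt.Println(CountConditions(before), CountConditions(after), len(after.Bindings)) // 1 1 2
}
```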

trolleksii added a commit to trolleksii/vault-plugin-secrets-gcp that referenced this issue Jun 15, 2021
This test case simply checks if the number of conditions in the policy didn't change after policy update.
This test will fail due to the bug hashicorp#113.
@trolleksii
Contributor Author

Prepared PR #114 to fix the bug.

@davidcharbonnier

Hello,
Are there any plans from the Hashicorp team to take a look at this? The fix is already ready and just needs to be reviewed.
Thank you :)

maxcoulombe pushed a commit that referenced this issue Dec 23, 2022
* add the test case

This test case simply checks if the number of conditions in the policy didn't change after policy update.
This test will fail due to the bug #113.

* preserve the IAM bindings conditions
@maxcoulombe
Contributor

Fix was reviewed and merged. Thanks for looking into this!

I'll take care of the merge back into Vault so the fix is part of the upcoming 1.13 release.
