write-policy: ABAC support, i.e., Condition Keys #21
Comments
… the scaffolding needed for #21
Here's what I'm thinking.

Current state

Future state

However, if we are able to support Lazy Condition Keys, we'd have to optionally support longer SIDs to identify unique condition keys.

Question

Hey @0xdabbad00 - I want to ask your opinion on this.
I am going to mark this as won't fix. The level of effort to add this feature is quite large. I don't have the capacity for it right now, but if anyone wants to pick it up in the future, please open a new issue and I'm happy to consult/assist.
Just speculating here on how we might implement condition keys support.

There would have to be two separate functions available to users.

First, there would have to be a command to list out a table of `service`, `action_name`, `resource_type`, `raw_arn`, and Condition Keys. This way, a user could identify which condition key they would want to include in their policy.

Second, there would have to be a way for the user to supply the condition key to the `crud.yml` or `actions.yml`, using something under the current structure. Given that our goal is to abstract the complexity of IAM to the user, we'd want to allow the user to say "I know how condition keys work, but don't feel like determining all the cases where it does or does not apply for specific actions per ARN, so use this condition key wherever possible, and here's the value that I want it to use."

Notice how in the above yml file, there are two different places where conditions will be valid:

1. `kms:CallerAccount` with a value of `123456789012`. However, this will not apply to other CRUD/ARN pairs unless otherwise specified.
2. `universal-conditions`. This will say, "wherever we are able to use the condition key `aws:ResourceTag`, set it to `aws:ResourceTag/${TagKey}` with the K/V pair of `TagKey`, `TagValue`."