Support paths in AWS instance profiles for AWS IID node attestation #2825
Conversation
Thanks for fixing this @appian-ashugarts!
For my own edification, do you have a link to this part of the documentation?
Sure @azdagron! Here you go: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html and https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html. I admit you have to squint a little to get the simplified summary I wrote though 😄
After reading, I am satisfied with your explanation :) And again, thanks for the contribution!
Would you mind either 1) rebasing this on latest
Referencing issue spiffe#2796, when an instance profile has a path in the ARN (say `arn:aws:iam::123412341234:instance-profile/some/path/profile-name`) the AWS IID node attestor attempts to get the instance profile information from AWS passing in both the path and the name (`some/path/profile-name`). AWS, however, considers only the name (`profile-name`) to be relevant and returns a ValidationError if the path is included as the forward slashes in the path are considered invalid. AWS IAM documentation indicates that profile names are simply EC2 specific versions of role names which are guaranteed to be unique regardless of path. The fix for the node attestor is to pull out only the name of the instance profile from the string that was previously being passed in. Signed-off-by: Andrew Shugarts <andrew.shugarts@appian.com>
Force-pushed from b8b89c3 to 0a75560
Should be rebased, I'm sure you'll let me know if I've borked it though haha
Great!
Pull Request check list
Affected functionality
Server AWS IID node attestor plugin
Description of change
Referencing issue #2796, when an instance profile has a path in the ARN (say `arn:aws:iam::123412341234:instance-profile/some/path/profile-name`) the AWS IID node attestor attempts to get the instance profile information from AWS passing in both the path and the name (`some/path/profile-name`). AWS, however, considers only the name (`profile-name`) to be relevant and returns a ValidationError if the path is included as the forward slashes in the path are considered invalid. AWS IAM documentation indicates that profile names are simply EC2 specific versions of role names which are guaranteed to be unique regardless of path. The fix for the node attestor is to pull out only the name of the instance profile from the string that was previously being passed in.
Which issue this PR fixes
Fixes #2796
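The extraction step the description calls for, as an added example in Go (SPIRE's language) that is not the PR's own code: the ARN layout `arn:aws:iam::<account>:instance-profile/<optional/path/>name` is assumed, and the function returns only the final slash-delimited segment so that a path-qualified profile like the `some/path/profile-name` case above yields `profile-name`, while a profile with the default path passes through unchanged. Malformed ARNs and an empty trailing name are rejected rather than silently passed on to IAM.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// InstanceProfileNameFromARN returns the bare instance profile name from an
// IAM instance profile ARN, dropping any path segments. IAM accepts only the
// name (not "path/name") when looking up a profile; a path-qualified value
// is rejected with a ValidationError because of the forward slashes.
//
// Added example, not SPIRE's own code. Assumed ARN layout:
// "arn:aws:iam::<account>:instance-profile/<optional/path/>name".
func InstanceProfileNameFromARN(arn string) (string, error) {
	// ARN fields are colon separated: arn:partition:service:region:account:resource.
	// SplitN with 6 keeps any colons inside the resource part intact.
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" || parts[2] != "iam" {
		return "", fmt.Errorf("not an IAM ARN: %q", arn)
	}

	const prefix = "instance-profile/"
	resource := parts[5]
	if !strings.HasPrefix(resource, prefix) {
		return "", fmt.Errorf("not an instance profile ARN: %q", arn)
	}

	// Everything after "instance-profile/" is "<path>name". The name is the
	// final slash-delimited segment; with the default path ("/") there is no
	// intermediate segment and LastIndex returns -1, so the whole string is kept.
	pathAndName := strings.TrimPrefix(resource, prefix)
	name := pathAndName[strings.LastIndex(pathAndName, "/")+1:]
	if name == "" {
		return "", errors.New("instance profile ARN has an empty profile name")
	}
	return name, nil
}

func main() {
	// Constructed sample ARNs: the path-qualified case from the PR description
	// and a profile with the default path.
	for _, arn := range []string{
		"arn:aws:iam::123412341234:instance-profile/some/path/profile-name",
		"arn:aws:iam::123412341234:instance-profile/profile-name",
		"arn:aws:iam::123412341234:role/some/path/role-name",
	} {
		name, err := InstanceProfileNameFromARN(arn)
		fmt.Printf("%s -> %q (err=%v)\n", arn, name, err)
	}
}
```

The lookup call then receives `profile-name` in both the path-qualified and default-path cases, which matches the IAM rule that profile names are unique regardless of path.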