From 7c3b03b63e559e2f294fbceff9a53a9e07cdf216 Mon Sep 17 00:00:00 2001
From: Conrado Miranda
Date: Thu, 7 Sep 2023 14:38:24 -0700
Subject: [PATCH 1/2] feat: Relax policy constraints
---
 role-policy.json | 122 +++++------------------------------------------
 1 file changed, 11 insertions(+), 111 deletions(-)
diff --git a/role-policy.json b/role-policy.json
index fb357f0..73dfdd0 100644
--- a/role-policy.json
+++ b/role-policy.json
@@ -12,71 +12,18 @@
 {
 "Sid": "AutoscalingAll",
 "Effect": "Allow",
- "Action": [
- "autoscaling:Create*",
- "autoscaling:Describe*",
- "autoscaling:AddTags"
- ],
- "Resource": "*"
- },
- {
- "Sid": "AutoscalingTag",
- "Effect": "Allow",
 "Action": [
 "autoscaling:*"
 ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "autoscaling:ResourceTag/verta.ai/managed": "true"
- }
- }
- },
- {
- "Sid": "AutoscalingArn",
- "Effect": "Allow",
- "Action": [
- "autoscaling:*"
- ],
- "Resource": "arn:aws:autoscaling:*:*:*:*:*/eks-verta-mgt-*"
- },
- {
- "Sid": "EC2all",
- "Effect": "Allow",
- "Action": [
- "ec2:AllocateAddress",
- "ec2:Create*",
- "ec2:Describe*",
- "ec2:ImportKeyPair",
- "ec2:RunInstances"
- ],
 "Resource": "*"
 },
 {
- "Sid": "EC2tag",
- "Effect": "Allow",
- "Action": [
- "ec2:*"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "ec2:ResourceTag/verta.ai/managed": "true"
- }
- }
- },
- {
- "Sid": "EC2tag2",
+ "Sid": "EC2all",
 "Effect": "Allow",
 "Action": [
 "ec2:*"
 ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "ec2:ResourceTag/kubernetes.io/cluster/verta-mgt-${var.cluster_name}": "owned"
- }
- }
+ "Resource": "*"
 },
 {
 "Sid": "Decode",
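Review bot: The new `AutoscalingAll` and `EC2all` statements grant `autoscaling:*` and `ec2:*` on `"Resource": "*"` with no `Condition`, so the tag scoping enforced by the removed `AutoscalingTag`, `EC2tag` and `EC2tag2` statements (`autoscaling:ResourceTag/verta.ai/managed`, `ec2:ResourceTag/verta.ai/managed`, `ec2:ResourceTag/kubernetes.io/cluster/verta-mgt-${var.cluster_name}`) is gone and the role can modify or delete any Auto Scaling or EC2 resource in the account, not only those this deployment created; the enclosing `Statement` array begins before the hunk. The same widening to `"Resource": "*"` recurs in the ECR, EKS and Elastic Load Balancing statements of the following hunks and in the RDS and S3 statements of this patch's last hunk. If the scoped statements were dropped because some calls cannot be tag-matched at create time (the removed `EC2all` covered exactly that case with `ec2:Create*`, `ec2:Describe*` and `ec2:RunInstances` on `*`), the usual shape is to keep a narrow unconditioned statement for those actions and a tag-conditioned one for the rest, e.g. `"Condition": { "StringEquals": { "aws:ResourceTag/verta.ai/managed": "true" } }` on the `ec2:*` statement. The commit message says only that constraints are relaxed; the reason, and whether the relaxation is temporary, should be recorded in the message or the module's README, since plain JSON cannot carry a comment, and a permissions boundary on the role would bound the blast radius while it stands.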
@@ -86,41 +33,13 @@
 ],
 "Resource": "*"
 },
- {
- "Sid": "EC2arn",
- "Effect": "Allow",
- "Action": [
- "ec2:*"
- ],
- "Resource": "arn:aws:ec2:*:*:*/verta-mgt-*"
- },
- {
- "Sid": "EC2GA",
- "Effect": "Allow",
- "Action": "ec2:DeleteSecurityGroup",
- "Resource": "*",
- "Condition": {
- "StringEquals": {
- "ec2:ResourceTag/AWSServiceName": "GlobalAccelerator"
- }
- }
- },
 {
 "Sid": "ECRAll",
 "Effect": "Allow",
- "Action": [
- "ecr:GetRegistryScanningConfiguration",
- "ecr:PutRegistryScanningConfiguration"
- ],
- "Resource": "*"
- },
- {
- "Sid": "ECRarn",
- "Effect": "Allow",
 "Action": [
 "ecr:*"
 ],
- "Resource": "arn:aws:ecr:*:*:repository/verta-mgt-*"
+ "Resource": "*"
 },
 {
 "Sid": "EKSall",
@@ -128,7 +47,7 @@
 "Action": [
 "eks:*"
 ],
- "Resource": "arn:aws:eks:*:*:*/verta-mgt-*"
+ "Resource": "*"
 },
 {
 "Sid": "GA",
@@ -145,9 +64,7 @@
 "iam:*"
 ],
 "Resource": [
- "arn:aws:iam::*:policy/verta-mgt-*",
- "arn:aws:iam::*:role/verta-mgt-*",
- "arn:aws:iam::*:instance-profile/verta-mgt-*"
+ "arn:aws:iam::*:*/verta-mgt-*"
 ]
 },
 {
@@ -198,45 +115,28 @@
 {
 "Sid": "LoadbalancingAll",
 "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:Describe*",
- "elasticloadbalancing:Create*"
- ],
- "Resource": "*"
- },
- {
- "Sid": "LoadbalancingARN",
- "Effect": "Allow",
 "Action": [
 "elasticloadbalancing:*"
 ],
- "Resource": "arn:aws:elasticloadbalancing:*:*:*/verta-mgt-*"
+ "Resource": "*"
 },
 {
 "Sid": "RDSall",
 "Effect": "Allow",
 "Action": [
- "rds:Describe*"
+ "rds:*"
 ],
- "Resource": "arn:aws:rds:*:*:*:*"
- },
- {
- "Sid": "RDSarn",
- "Effect": "Allow",
- "Action": [
- "*"
- ],
- "Resource": "arn:aws:rds:*:*:*:verta-mgt-*"
+ "Resource": "*"
 },
 {
- "Sid": "S3arn",
+ "Sid": "S3all",
 "Effect": "Allow",
 "Action": [
 "s3:*"
 ],
 "Resource": [
- "arn:aws:s3:::verta-mgt-*",
- "arn:aws:s3:::verta-mgt-*/*"
+ "arn:aws:s3:::*",
+ "arn:aws:s3:::*/*"
 ]
 }
 ]
From 789eb1e2e3e62e7690e1e73c7cb0e23a20884904 Mon Sep 17 00:00:00 2001
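Review bot: The `S3all` statement now grants `s3:*` on `arn:aws:s3:::*` and `arn:aws:s3:::*/*`; S3 bucket ARNs carry no account ID, so this matches every bucket the principal can reach rather than the `verta-mgt-*` buckets the removed `S3arn` statement covered, and `s3:*` includes the bucket-policy, public-access-block and delete-bucket actions on all of them. `RDSall` likewise moves from `rds:Describe*` to `rds:*` on `*`, where the removed `RDSarn` statement had confined non-read actions to `arn:aws:rds:*:*:*:verta-mgt-*`. If the `verta-mgt-*` prefix still names the resources this role manages, restoring `"arn:aws:s3:::verta-mgt-*"` and `"arn:aws:s3:::verta-mgt-*/*"` here (and the prefixed RDS ARN) keeps the data-plane grants scoped even while the other services are relaxed; failing that, an `aws:ResourceAccount` condition on the S3 statement would at least confine it to this account.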
From: Conrado Miranda
Date: Thu, 7 Sep 2023 14:42:47 -0700
Subject: [PATCH 2/2] must specify iam types
---
 role-policy.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/role-policy.json b/role-policy.json
index 73dfdd0..b9ac6f4 100644
--- a/role-policy.json
+++ b/role-policy.json
@@ -64,7 +64,9 @@
 "iam:*"
 ],
 "Resource": [
- "arn:aws:iam::*:*/verta-mgt-*"
+ "arn:aws:iam::*:policy/verta-mgt-*",
+ "arn:aws:iam::*:role/verta-mgt-*",
+ "arn:aws:iam::*:instance-profile/verta-mgt-*"
 ]
 },
 {