search

GoogleCloudPlatform / policy-library

A library of constraint templates and sample constraints for Constraint Framework tools
Apache License 2.0
224 stars 127 forks source link

IAM Custom Role Permissions Constraint V1 #331

Closed hshin-g closed 4 years ago

hshin-g commented 4 years ago

IAM Custom Role Permissions Constraint V1

This PR creates an IAM Policy Custom Role Permissions constraint that checks whether the user defined permissions are either allowed or denied in a user defined custom role.

A sample playground for this constraint is provided here.

This constraint provides the following features:

  1. mode
    • Enforcement mode, [denylist, allowlist] , defaults to allowlist.
  2. title
    • The custom role title to scan for, found on the IAM Roles page.
    • E.g. 'My Custom Role for BigQuery'
  3. permissions
    • Permissions to either allow or deny for the given custom role, depending on mode; Wildcards (*) supported.
    • E.g. 'bigquery.datasets.*' will search for any permissions that start with bigquery.datasets, such as bigquery.datasets.get
    • E.g. 'bigquery.**' will search for any permissions that start with bigquery, such as bigquery.savedqueries.get, bigquery.config.get
    • E.g. '*' will search for any permissions

Also included in this PR:

morgante commented 4 years ago

@hshin-g Looks like tests are failing.

hshin-g commented 4 years ago

Thanks for the check! It looks like my branch hadn't been updated with the newest master. Should be fixed now- thanks!