Some policies (i.e. iam_allowed_bindings) automatically convert a string with the single character * to a super-glob (**). This is unclear to users, who might assume that a wildcard (*) would be valid throughout the string (which it is not -- it must be explicitly set as a superglob). For context, the specific use case I am trying to solve for is ensuring that only service accounts can be owners on projects -- for which I initially wrote a constraint as follows:
```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV3
metadata:
  name: deny_role_project_owner_to_users
  annotations:
    description: Ban any individual users from being granted Owner/Editor primative roles
    # This constraint is not certified by CIS.
    bundles.validator.forsetisecurity.org/cis-v1.1: 1.05
spec:
  severity: high
  match:
    target:
      - "organizations/**"
    exclude: [] # optional, default is no exclusions
  parameters:
    mode: denylist
    members:
      - "user:*"
    assetType: cloudresourcemanager.googleapis.com/Project
    role: roles/owner
```
This does not work as expected. A constraint that achieves the desired result reads as follows (note the one-character difference in the first members entry):
```yaml
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV3
metadata:
  name: deny_role_project_owner_to_users
  annotations:
    description: Ban any individual users from being granted Owner/Editor primative roles
    # This constraint is not certified by CIS.
    bundles.validator.forsetisecurity.org/cis-v1.1: 1.05
spec:
  severity: high
  match:
    target:
      - "organizations/**"
    exclude: [] # optional, default is no exclusions
  parameters:
    mode: denylist
    members:
      - "user:**"
    assetType: cloudresourcemanager.googleapis.com/Project
    role: roles/owner
```
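To make the one-character difference concrete, here is an added example (not code from policy-library or from the issue author) that models the two glob semantics the issue describes: a single `*` matches within one delimiter-separated segment, while the super-glob `**` matches across delimiters. The delimiter set is an assumption: OPA's `glob.match` defaults to `.` when no delimiters are supplied, which is what makes `user:*` fail against a member like `user:alice@example.com`. The sample members are constructed. It also models both conversions discussed in the issue, the current lone-`*` rewrite and the proposed global rewrite, so a reviewer can check what a denylist actually denies before the constraint is deployed.

```python
import re

# Assumed delimiter set: OPA's glob.match uses "." when given no delimiters.
DEFAULT_DELIMITERS = "."


def glob_to_regex(pattern: str, delimiters: str = DEFAULT_DELIMITERS) -> str:
    """Translate a glob pattern into an anchored regular expression.

    "**" becomes ".*" (anything, delimiters included).
    "*"  becomes "[^<delimiters>]*" (stays inside one segment).
    Every other character is matched literally.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^" + re.escape(delimiters) + "]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(parts) + "$"


def glob_match(pattern: str, value: str, delimiters: str = DEFAULT_DELIMITERS) -> bool:
    """True if value matches pattern under the segment-aware glob rules above."""
    return re.fullmatch(glob_to_regex(pattern, delimiters), value) is not None


def normalize_current(pattern: str) -> str:
    """The conversion the issue reports today: s/^\\*$/\\*\\*/ (a lone "*" only)."""
    return "**" if pattern == "*" else pattern


def normalize_proposed(pattern: str) -> str:
    """The alternative floated in the issue: s/\\*/\\*\\*/g (every "*")."""
    return pattern.replace("*", "**")


def is_denied(member_patterns, member: str, normalize=normalize_current) -> bool:
    """Evaluate a denylist 'members' list against one IAM binding member."""
    return any(glob_match(normalize(p), member) for p in member_patterns)


# Constructed sample binding members for roles/owner on a project.
SAMPLE_MEMBERS = [
    "user:alice@example.com",
    "user:bob@example.com",
    "serviceAccount:deploy@my-project.iam.gserviceaccount.com",
]


def denied_members(member_patterns, normalize=normalize_current):
    """Which of the sample members the denylist would actually flag."""
    return [m for m in SAMPLE_MEMBERS if is_denied(member_patterns, m, normalize)]


if __name__ == "__main__":
    # "user:*" denies nothing: the "*" cannot cross the dots in the e-mail domain.
    print(denied_members(["user:*"]))
    # "user:**" denies both human users and leaves the service account alone.
    print(denied_members(["user:**"]))
    # Under the proposed global rewrite, the original "user:*" would work as intended.
    print(denied_members(["user:*"], normalize_proposed))
```

Running the block shows the first constraint as written flags no members at all, which is the dangerous failure mode here: a denylist that silently denies nothing. The second pattern flags both `user:` members and not the service account, and the proposed `s/\*/\*\*/g` conversion makes the original pattern behave that way too.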
I see two possible solutions here:

1. Mention this developer experience friction in a README, or make it more clear in samples. This feels like a band-aid, but could be a stopgap to avoid farther-reaching changes.
2. Change the conversion itself: today it is `s/^\*$/\*\*/`, and we might reasonably consider `s/\*/\*\*/g` to be the better solution.