iann0036 / iamlive

Generate an IAM policy from AWS, Azure, or Google Cloud (GCP) calls using client-side monitoring (CSM) or embedded proxy
MIT License

`elasticloadbalancing:DescribeTags` not added #36

Open rileytg opened 3 years ago

rileytg commented 3 years ago

When I run terraform apply as an admin, it works with 0 changes. When I apply the generated policy to a new user, I get ... is not authorized to perform: elasticloadbalancing:DescribeTags

Adding this fixes my issue:

~ Action   = [
                            # (14 unchanged elements hidden)
                            "elasticloadbalancing:DescribeListeners",
                          + "elasticloadbalancing:DescribeTags",
                        ]

I saw some chatter on an issue that this can be updated in iamlivecore/map.json, but didn't follow enough to submit a pull. Happy to do so with some guidance.

rileytg commented 3 years ago

Upon further review of my generated policy, some DescribeTags did get added with the specific ARN, but don't work.

        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:DescribeTags"
            ],
            "Resource": "arn:aws-us-gov:elasticloadbalancing:us-gov-west-1:123123:listener/app/epayit-test-alb/asdfasdfaf/asdfasdf"
        }

Perhaps the ARN was wrong? (Too busy atm to go back and test. Will do it if I can later.)

rileytg commented 3 years ago

(redacted values in my arn fyi)

iann0036 commented 3 years ago

Hey @rileytg,

Thanks for raising!

Looking over your ARN, it looks like there is one too many components at the end. Does removing the last part and its slash resolve your issue? i.e.

            "Resource": "arn:aws-us-gov:elasticloadbalancing:us-gov-west-1:123123:listener/app/epayit-test-alb/asdfasdfaf"

Regarding edits to the data source, the map is sourced from https://github.com/iann0036/iam-dataset/blob/main/map.json periodically, so edits are welcomed over there.

rileytg commented 3 years ago

Ya, that was the resolution. I did a bunch of manual cleanups regarding this.

Would I read the Go code to figure out the format for map.json? Or is it some kinda standard?

rileytg commented 3 years ago

I opened this ticket thinking that the generated ARNs are incorrect (aka a bug); am I misunderstanding?

iann0036 commented 3 years ago

Hey @rileytg,

I realise my initial response was incorrect and that the original value you had should have worked. Per the SAR, the correct format is:

arn:${Partition}:elasticloadbalancing:${Region}:${Account}:listener/app/${LoadBalancerName}/${LoadBalancerId}/${ListenerId}

Could you reconfirm your fix?

rileytg commented 3 years ago

My fix was lazy 😞

I did:

arn:${Partition}:elasticloadbalancing:${Region}:${Account}:listener/*

I'll need to tighten this down over the coming weeks and I'll update here if my work is useful to others/this project.

Thanks for all your work here, this has been an incredible help.
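
An added example (not part of this thread or of iamlive) that covers two points raised above: checking whether a generated Resource ARN actually conforms to the SAR template quoted by iann0036 (the thread's listener ARN does; the shortened variant suggested at first does not), and seeing how much wider the `listener/*` fallback is than the single-listener grant. The ARNs and the SAR template are the ones from the thread; `OtherListenerARN` is constructed here to show what the wildcard also covers, and the function names are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SarListenerTemplate is the ALB listener ARN format quoted in the thread
// from the Service Authorization Reference (SAR).
const SarListenerTemplate = "arn:${Partition}:elasticloadbalancing:${Region}:${Account}:listener/app/${LoadBalancerName}/${LoadBalancerId}/${ListenerId}"

const (
	// ARNs taken from the thread (values already redacted by the reporter).
	ThreadListenerARN = "arn:aws-us-gov:elasticloadbalancing:us-gov-west-1:123123:listener/app/epayit-test-alb/asdfasdfaf/asdfasdf"
	TruncatedARN      = "arn:aws-us-gov:elasticloadbalancing:us-gov-west-1:123123:listener/app/epayit-test-alb/asdfasdfaf"
	WildcardResource  = "arn:aws-us-gov:elasticloadbalancing:us-gov-west-1:123123:listener/*"
	// Constructed for this example, not from the thread: a second listener in
	// the same account that the wildcard grant would also cover.
	OtherListenerARN = "arn:aws-us-gov:elasticloadbalancing:us-gov-west-1:123123:listener/app/other-alb/0000000000/1111111111"
)

// TemplateToRegexp compiles a SAR ARN template into an anchored regexp.
// Each ${Name} placeholder becomes a named group matching exactly one
// component (no ':' or '/'), so an ARN with a missing or extra component
// fails to match instead of silently lining up with the wrong field.
func TemplateToRegexp(template string) (*regexp.Regexp, error) {
	var sb strings.Builder
	sb.WriteString("^")
	rest := template
	for {
		start := strings.Index(rest, "${")
		if start < 0 {
			sb.WriteString(regexp.QuoteMeta(rest))
			break
		}
		end := strings.Index(rest[start:], "}")
		if end < 0 {
			return nil, fmt.Errorf("unterminated placeholder in %q", template)
		}
		end += start
		sb.WriteString(regexp.QuoteMeta(rest[:start]))
		sb.WriteString("(?P<" + rest[start+2:end] + ">[^:/]*)")
		rest = rest[end+1:]
	}
	sb.WriteString("$")
	return regexp.Compile(sb.String())
}

// MatchSarTemplate reports whether arn conforms to template and, if so,
// returns the placeholder values it was built from.
func MatchSarTemplate(template, arn string) (map[string]string, bool) {
	re, err := TemplateToRegexp(template)
	if err != nil {
		return nil, false
	}
	m := re.FindStringSubmatch(arn)
	if m == nil {
		return nil, false
	}
	parts := make(map[string]string)
	for i, name := range re.SubexpNames() {
		if i > 0 && name != "" {
			parts[name] = m[i]
		}
	}
	return parts, true
}

// ResourceMatches applies IAM's Resource wildcard semantics: '*' matches any
// run of characters (including ':' and '/') and '?' matches one character.
func ResourceMatches(pattern, arn string) bool {
	quoted := regexp.QuoteMeta(pattern)
	quoted = strings.ReplaceAll(quoted, `\*`, ".*")
	quoted = strings.ReplaceAll(quoted, `\?`, ".")
	return regexp.MustCompile("^" + quoted + "$").MatchString(arn)
}

func main() {
	for _, arn := range []string{ThreadListenerARN, TruncatedARN} {
		parts, ok := MatchSarTemplate(SarListenerTemplate, arn)
		fmt.Printf("%s\n  conforms to SAR listener format: %v %v\n", arn, ok, parts)
	}
	for _, arn := range []string{ThreadListenerARN, OtherListenerARN} {
		fmt.Printf("%q covered by %q: %v\n", arn, WildcardResource, ResourceMatches(WildcardResource, arn))
	}
}
```

Running it shows the reporter's original ARN parsing cleanly into Partition `aws-us-gov`, Region `us-gov-west-1`, Account `123123` and the three listener components, while the shortened ARN is rejected for lacking a ListenerId. The wildcard check makes the cost of the `listener/*` workaround concrete: it covers every listener in the account, so the generated single-listener statements can be restored one at a time as the tightening work proceeds.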