Open ConnorJC3 opened 2 weeks ago
Hi, thanks for the heads up about this. I'm looking at our existing policy which has the following statement:
```json
{
  "Effect": "Allow",
  "Action": [
    "ec2:CreateVolume"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
    }
  }
}
```
I'm not sure what the behaviour is here. Would the request:
`ebs.csi.aws.com/cluster`
tag to the newly created volume and `RequestTag` does not evaluate the existing tags on resources? `ebs.csi.aws.com/cluster`
tag?

@nikki-quant it would succeed to authorize on the volume (as the volume the driver creates will have that tag), but fail to authorize on the snapshot (because condition keys that are not present evaluate to false, thus the `RequestTag` condition will evaluate to false).

Today `CreateVolume` only checks volume authorization, thus the call succeeds. Once AWS changes this to also check snapshot authorization, the `CreateVolume` call will fail because the snapshot will fail to authorize (unless the policy is updated to add a statement authorizing the snapshot as this issue explains).
Summary
In January of 2025, AWS will change the handling of IAM policies authorizing the `CreateVolume` action. Previously, only the created volume was authorized when using `CreateVolume` to restore a snapshot. After the change, the snapshot being restored will also be authorized. Because of this change, the policy being used for the EBS CSI Driver must grant explicit access to the snapshot being restored. If no action is taken before the change takes place, the EBS CSI Driver will be unable to restore snapshots when creating a volume.
Determine Impact
All installations of the EBS CSI Driver that restore snapshots are potentially impacted. If you use the EBS CSI Driver to restore snapshots (or may do so in the future), you should continue reading to the remediation steps below.
Affected accounts may have received an automated email from AWS titled "[Action Required] Review Permission Policies in CreateVolume API" to the email address associated with the AWS account.
Remediation: `AmazonEBSCSIDriverPolicy` Managed Policy
If your EBS CSI Driver installation uses the `AmazonEBSCSIDriverPolicy` managed policy, no action is required on your part. An update to this policy will be automatically performed by AWS prior to the roll out of the IAM change. A notice will be posted to this issue after the managed policy update is complete and available globally.
Remediation: Custom (Not AWS Managed) Policy
If your EBS CSI Driver installation uses any non-managed policy, an update is likely necessary. Update your policy to contain a statement similar to the example below:
This example will grant the EBS CSI Driver access to restore all EBS snapshots in the AWS account (this is the existing behavior on the example policy).
The documented example policy has been updated to reflect these changes. See the latest example policy for a full example.
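As an added illustration (not the driver's code, and not the example statement this issue refers to), the following Python script models the evaluation described in the comments above and in the remediation section: a `RequestTag`-conditioned `CreateVolume` statement authorizes the tagged new volume but not the untagged source snapshot, and an additional unconditioned statement scoped to snapshot ARNs fixes that. The policies, ARNs, account id and snapshot id are constructed, and the IAM evaluator is a deliberate simplification (Allow/Deny, `*` wildcards, `StringEquals`/`StringLike` only).

```python
# Added example (not the driver's or this issue's code): simplified IAM evaluation showing
# why a RequestTag-conditioned CreateVolume statement fails once the snapshot is also authorized.
import fnmatch

OLD_POLICY = {"Version": "2012-10-17", "Statement": [  # the policy quoted above
    {"Effect": "Allow", "Action": ["ec2:CreateVolume"], "Resource": "*",
     "Condition": {"StringLike": {"aws:RequestTag/ebs.csi.aws.com/cluster": "true"}}}]}
NEW_POLICY = {"Version": "2012-10-17", "Statement": OLD_POLICY["Statement"] + [
    {"Effect": "Allow", "Action": "ec2:CreateVolume",  # unconditioned, snapshots only
     "Resource": "arn:aws:ec2:*::snapshot/*"}]}
VOLUME_ARN = "arn:aws:ec2:us-east-1:111122223333:volume/*"  # placeholder account id
SNAPSHOT_ARN = "arn:aws:ec2:us-east-1::snapshot/snap-0123456789abcdef0"  # constructed

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_matches(condition, context):
    # Absent key => false: the snapshot carries no request tags, so aws:RequestTag fails.
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual not in _as_list(wanted):
                return False
            if operator == "StringLike" and not any(
                    fnmatch.fnmatchcase(actual, w) for w in _as_list(wanted)):
                return False
    return True

def evaluate(policy, action, resource, context):
    # True when an Allow statement matches action, resource and condition and no Deny does.
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st.get("Resource", []))):
            continue
        if not _condition_matches(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def can_restore_snapshot(policy):
    # After the change both resources must authorize; only the new volume carries the tag.
    volume_ctx = {"aws:RequestTag/ebs.csi.aws.com/cluster": "true"}
    return (evaluate(policy, "ec2:CreateVolume", VOLUME_ARN, volume_ctx)
            and evaluate(policy, "ec2:CreateVolume", SNAPSHOT_ARN, {}))
```

Running `can_restore_snapshot` against your own custom policy document (loaded with `json.load`) gives a quick pre-check of whether the snapshot statement is missing before the IAM change lands.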
Support
If you have any questions about this change and how it impacts the EBS CSI Driver, please reach out by responding to this issue or opening a new one. If you need general support for IAM, EBS, or AWS, please reach out to AWS Support.