search

kubernetes-sigs / aws-efs-csi-driver

CSI Driver for Amazon EFS https://aws.amazon.com/efs/
Apache License 2.0
693 stars 526 forks source link

controller.tags does not work with AmazonEFSCSIDriverPolicy #1335

Open emboss64 opened 2 months ago

emboss64 commented 2 months ago

/kind bug

What happened? When deploying the latest version of the helm chart (probably happening with any other version as well) and specifying any additional tags for controller.tags this tags are added to the AccessPoint. As the AmazonEFSCSIDriverPolicy only allows the elasticfilesystem:TagResource and elasticfilesystem:CreateAccessPoint for the tag efs.csi.aws.com/cluster you get an AccessDenied.

If you then add an additional custom policy to the role with the following permissions it works:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:TagResource",
                "elasticfilesystem:CreateAccessPoint"
            ],
            "Resource": "*"
        }
    ]
}

What you expected to happen? Make the policy allow this actions or document the need of a custom policy if tags are specified

How to reproduce it (as minimally and precisely as possible)? Just add a custom tag to the controller:

  set {
  name    = "controller.tags.customTag"
  value   = "1234"
  }

Please also attach debug logs to help us better diagnose In the pod you get:

I0430 19:51:33.573336       1 controller.go:289] Using user-specified structure for access point directory.
I0430 19:51:33.573395       1 controller.go:295] Appending PVC UID to path.
I0430 19:51:33.573428       1 controller.go:313] Using /dynamic_provisioning/pvc-57b7e5f6-6d5c-4b37-96a8-f187addcc915-00019b17-0d6c-4041-868c-5d445bd402ca as the access point directory.
E0430 19:51:33.601089       1 driver.go:106] GRPC error: rpc error: code = Unauthenticated desc = Access Denied. Please ensure you have the right AWS permissions: Access denied

In cloudtrail for the CreateAccessPoint event you get:

    "errorMessage": "User: arn:aws:sts::xxxx:assumed-role/xxxx-role-csi-efs/1714504702512126936 is not authorized to perform: elasticfilesystem:TagResource on the specified resource",

and once sort that that you get:

    "errorMessage": "User: arn:aws:sts::xxxx:assumed-role/xxxx-role-csi-efs/1714504702512126936 is not authorized to perform: elasticfilesystem:CreateAccessPoint on the specified resource",
RyanStan commented 2 months ago

Hi @emboss64 , we cannot modify the AmazonEFSCSIDriverPolicy policy to allow arbitrary tags on the access point. This could be a security risk and lead to privilege escalation, as tags are often used for controlling access to resources. If you choose to do this, you'll need to create a separate policy.

emboss64 commented 2 months ago

I know, that's why I suggested adding proper documentation that adding tags also requires the use of an additional policy