kubernetes-sigs / aws-load-balancer-controller

A Kubernetes controller for Elastic Load Balancers
https://kubernetes-sigs.github.io/aws-load-balancer-controller/
Apache License 2.0
3.84k stars 1.42k forks

AccessDeniedException: User is not authorized to access the web ACL #520

Closed kumudt closed 5 years ago

kumudt commented 6 years ago

Looks like there was some error in the IAM policy example. Whenever I set a WebACL annotation on one of the ingresses, I get the following errors.

AccessDeniedException: User is not authorized to access the web ACL

The issue is that policy doesn't have access to the waf-regional resources.

ALB Ingress Controller Version: on both v1.0-beta4 and v1.0-beta5.

Issue got resolved after making some changes to the policy. Will create a PR for the same.

anhpham1509 commented 6 years ago

@kumudt I think the example policy had it already:

https://github.com/kubernetes-sigs/aws-alb-ingress-controller/blob/master/examples/iam-policy.json#L70

https://github.com/kubernetes-sigs/aws-alb-ingress-controller/blob/master/examples/iam-policy.json#L81

Anyway, I'm not sure if it should be updated to use

"waf-regional:AssociateWebACL",
"waf-regional:DisassociateWebACL"

instead of

"waf:AssociateWebACL",
"waf:DisassociateWebACL"

kumudt commented 6 years ago

@anhpham1509 It needs

"waf-regional:GetWebACLForResource",
"waf-regional:GetWebACL",
"waf-regional:AssociateWebACL",
"waf-regional:DisassociateWebACL",
"waf:GetWebACL"

kumudt commented 6 years ago

These are invalid IAM Policy Rules

"waf:AssociateWebACL",
"waf:DisassociateWebACL"
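A small checker for the point raised in this thread, added here as an example and not part of the controller project: it parses an IAM policy document and reports which of the waf-regional/waf actions kumudt listed are not granted by any Allow statement, honouring IAM's `*` and `?` wildcards. The sample policy is constructed; the check deliberately ignores Deny statements and Resource scoping, which a full policy review would also need to consider.

```python
import fnmatch
import json

# Actions the controller needs for the WebACL annotation, as listed by kumudt above.
REQUIRED_WAF_ACTIONS = [
    "waf-regional:GetWebACLForResource",
    "waf-regional:GetWebACL",
    "waf-regional:AssociateWebACL",
    "waf-regional:DisassociateWebACL",
    "waf:GetWebACL",
]


def _as_list(value):
    # IAM allows "Statement" and "Action" to be either a single value or a list.
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Collect Action patterns from Allow statements (Deny and NotAction are not evaluated here)."""
    patterns = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        patterns.extend(_as_list(stmt["Action"]))
    return patterns


def missing_actions(policy, required=REQUIRED_WAF_ACTIONS):
    """Return the required actions that no Allow pattern matches.

    IAM action matching is case-insensitive and supports * and ? wildcards,
    so "waf-regional:*" satisfies every waf-regional action.
    """
    patterns = [p.lower() for p in allowed_actions(policy)]
    return [a for a in required
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]


# Constructed sample: a policy that grants only the global "waf:" association actions,
# which is the shape this thread reports as insufficient for the ingress controller.
OLD_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["waf:AssociateWebACL", "waf:DisassociateWebACL"],
     "Resource": "*"}
  ]
}"""

if __name__ == "__main__":
    for action in missing_actions(json.loads(OLD_POLICY_JSON)):
        print("missing:", action)
```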