Closed christophetd closed 3 years ago

I'm trying to use `search_authorization_for` to search for / validate inter- and cross-account role assumptions.

Inter-account role assumption

Having a user `myuser` being able to assume `myrole`, I can validate the behavior:

Cross-account role assumption

User `account1/user` can assume a role `account2/role`.

How would you go about this? I'm not sure it's possible using PMapper. Using `graph.get_node_by_searchable_name` to search for the source principal in a different account won't work if `graph` was generated in the context of the target account.

Thank you!

I want to fully support this in the next iteration of PMapper. It's mostly ready in the `v1.1.0-dev` branch; you'll want to use `search_authorization_with_resource_policy_for` in `principalmapper.query_interface`, which will consider both the calling principal's authorization and the resource policy (trust doc) of the assumed role.

Sounds good! But how does that play with data collection? Do I need to create one graph per account, and then query the proper principal in the correct graph?

You'd need one graph per account, then query against `account1/user` while pulling in the trust doc from `account2/role`.

Branch `v1.1.0-dev` has a new module `principalmapper.graphing.cross_account_edges` with a function named `get_edges_between_graphs` that does all the legwork of building all `Edge` objects when given two `Graph` objects. Closing this issue.
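The two-sided check this thread is about (the caller's identity policy lives in the account1 graph, the trust document of the assumed role lives in the account2 graph, and the answer needs both), as an added Python example that is not PMapper's code. It reimplements a deliberately small subset of the IAM decision for `sts:AssumeRole` on constructed sample policies; Conditions, NotPrincipal, permissions boundaries and SCPs are ignored. The account IDs, ARNs, policy documents, the dict-based per-account "graph" layout and the names `can_assume` and `edges_between` are all assumptions made for illustration; PMapper's `search_authorization_with_resource_policy_for` and `get_edges_between_graphs` are the real implementations.

```python
"""Added illustration, not PMapper code: can account1/user assume account2/role?
The decision needs BOTH the caller's identity policy (account1 graph) and the
role's trust document (account2 graph).  Account IDs, ARNs, policies and the
dict "graph" layout are constructed for the example."""
from fnmatch import fnmatchcase

ASSUME_ROLE = "sts:AssumeRole"

def _account_of(arn):
    # arn:partition:service:region:account-id:resource
    return arn.split(":")[4]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' are wildcards
    return fnmatchcase(action.lower(), pattern.lower())

def _identity_decision(policies, action, resource):
    """'Deny', 'Allow' or 'Implicit' for the caller's identity policies."""
    decision = "Implicit"
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if not any(_action_matches(a, action) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"  # an explicit deny always wins
            decision = "Allow"
    return decision

def _trust_decision(trust_policy, caller_arn):
    """'Deny', 'Explicit' (caller ARN named), 'Root' (caller's account root,
    bare account ID or '*' named) or 'Implicit' for the role's trust document."""
    acct = _account_of(caller_arn)
    root_forms = {f"arn:aws:iam::{acct}:root", acct, "*"}
    decision = "Implicit"
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if not any(_action_matches(a, ASSUME_ROLE) for a in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        names = set(["*"] if principal == "*" else _as_list(principal.get("AWS", [])))
        if caller_arn in names:
            hit = "Explicit"
        elif names & root_forms:
            hit = "Root"
        else:
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        if hit == "Explicit" or decision == "Implicit":
            decision = hit
    return decision

def can_assume(caller_arn, identity_policies, role_arn, trust_policy):
    """Simplified IAM rule: an explicit Deny in either document wins; the trust
    document must name the caller; same account AND caller ARN named explicitly
    needs no identity policy; otherwise (cross-account, or trust via account
    root / '*') the identity policy must also allow sts:AssumeRole on the role."""
    trust = _trust_decision(trust_policy, caller_arn)
    ident = _identity_decision(identity_policies, ASSUME_ROLE, role_arn)
    if "Deny" in (trust, ident) or trust == "Implicit":
        return False
    same_account = _account_of(caller_arn) == _account_of(role_arn)
    if same_account and trust == "Explicit":
        return True
    return ident == "Allow"

def edges_between(src_graph, dst_graph):
    """Same idea as PMapper's get_edges_between_graphs, on toy graphs: every
    (caller in src_graph, role in dst_graph) pair that can_assume() accepts."""
    return [(caller, role)
            for caller, policies in src_graph["principals"].items()
            for role, trust in dst_graph["trust_docs"].items()
            if can_assume(caller, policies, role, trust)]

# ---- constructed sample data (made-up account IDs and names) ----
ACCT1, ACCT2 = "111111111111", "222222222222"
USER = f"arn:aws:iam::{ACCT1}:user/user"        # account1/user
ROLE = f"arn:aws:iam::{ACCT2}:role/role"        # account2/role
MYUSER = f"arn:aws:iam::{ACCT2}:user/myuser"    # same-account pair
MYROLE = f"arn:aws:iam::{ACCT2}:role/myrole"
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": f"arn:aws:iam::{ACCT2}:role/*"}]}
DENY_STS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "sts:*", "Resource": "*"}]}
ROLE_TRUST = {"Version": "2012-10-17", "Statement": [    # trusts account1 via its root
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": f"arn:aws:iam::{ACCT1}:root"}}]}
MYROLE_TRUST = {"Version": "2012-10-17", "Statement": [  # names myuser explicitly
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": MYUSER}}]}
# one "graph" per account: principals with identity policies, roles with trust docs
GRAPH_ACCT1 = {"principals": {USER: [USER_POLICY]}, "trust_docs": {}}
GRAPH_ACCT2 = {"principals": {MYUSER: []},
               "trust_docs": {ROLE: ROLE_TRUST, MYROLE: MYROLE_TRUST}}

if __name__ == "__main__":
    for src, dst in ((GRAPH_ACCT1, GRAPH_ACCT2), (GRAPH_ACCT2, GRAPH_ACCT2)):
        for caller, role in edges_between(src, dst):
            print(f"{caller} -> {role}")
```

Running it lists the cross-account edge `account1/user -> account2/role` and, inside account2, `myuser -> myrole`. The cross-account case only holds because both documents agree: drop `USER_POLICY` from the account1 graph and no edge is found, which is why a lookup of `account1/user` in a graph built from account2 alone cannot answer the question.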