Hi
It seems that with a command like this:
aws --profile=my-user-tenant1 --endpoint=$HOST_S3_API --region="" iam \
    create-role --role-name="tenant2\$TemporaryRole" \
    --assume-role-policy-document file://json/trust-policy-assume-role.json
I can create a role in another tenant.
The executing user has the roles:* capability, which I think is necessary to be
able to create roles, but at the same time it seems to be a global ability,
for all tenants.
Similarly, a federated user who assumes a role with iam:CreateRole permission
can create an arbitrary role like below:
aws --endpoint=$HOST_S3_API --region="" iam create-role \
    --role-name="tenant2\$TemporaryRole" \
    --assume-role-policy-document file://json/trust-policy-assume-role.json
Example permission policy:
{
  "Statement": [
    {"Effect": "Allow", "Action": ["iam:GetRole"]},
    {"Effect": "Allow", "Action": ["iam:CreateRole"]}
  ]
}
The roles:* capability is not needed in this case, which I think is correct,
because only the permission policy of the assumed role is checked.
Getting information about a role from other tenants is possible with
iam:GetRole.
This is less controversial, but I would still expect it to be scoped to the
user's tenant unless an explicit tenant name is stated in the policy, like this:
{"Effect": "Allow", "Action": ["iam:GetRole"], "Resource": "arn:aws:iam::tenant2:*"}
Possibly I'm missing something.
Why is crossing tenants possible?
Regards
Daniel
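The tenant-scoping rule the post asks for, written out as a small policy evaluator. This is an added example, not code from the post or from the gateway it describes; it assumes the "tenant$role" naming shown above, that a bare role name means the caller's own tenant, that role ARNs look like arn:aws:iam::TENANT:role/NAME, and that a statement with no Resource applies only to the caller's tenant (the author's expectation, not necessarily the gateway's current behaviour).

```python
import fnmatch

# Permission policies quoted in the post (constructed here as Python dicts).
UNSCOPED_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["iam:GetRole"]},
    {"Effect": "Allow", "Action": ["iam:CreateRole"]},
]}
SCOPED_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["iam:GetRole"],
     "Resource": "arn:aws:iam::tenant2:*"},
]}


def parse_role(role_name, caller_tenant):
    """Split 'tenant$role'; a bare name is assumed to live in the caller's tenant."""
    if "$" in role_name:
        tenant, name = role_name.split("$", 1)
        return tenant, name
    return caller_tenant, role_name


def is_allowed(policy, caller_tenant, action, role_name):
    """Return True if `policy` lets `caller_tenant` perform `action` on `role_name`.
    Scoping rule (assumed): a statement without Resource only matches roles in the
    caller's own tenant; an explicit Resource ARN (with * wildcards) is matched
    against the target role's ARN. Any matching Deny wins over Allow."""
    tenant, name = parse_role(role_name, caller_tenant)
    arn = f"arn:aws:iam::{tenant}:role/{name}"
    allowed = False
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        resources = stmt.get("Resource")
        if resources is None:
            matches = tenant == caller_tenant          # implicit own-tenant scope
        else:
            resources = [resources] if isinstance(resources, str) else resources
            matches = any(fnmatch.fnmatchcase(arn, r) for r in resources)
        if not matches:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # A tenant1 caller may create roles in tenant1 but not in tenant2.
    print(is_allowed(UNSCOPED_POLICY, "tenant1", "iam:CreateRole", "TemporaryRole"))
    print(is_allowed(UNSCOPED_POLICY, "tenant1", "iam:CreateRole", "tenant2$TemporaryRole"))
```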