-
Notifications
You must be signed in to change notification settings - Fork 423
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add sourceArn to sts through headers #749
Add sourceArn to sts through headers #749
Conversation
Hi @haoranleo. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/ok-to-test |
Thanks @bryantbiggs, could you review when you have a chance? |
code wise things look good - but I am not an IAM expert so I'll let Micah or someone else weigh in for final approval /lgtm |
I don't think we can merge this. The additional header is not signed, and can be changed by a middleman. If you did add it to the signed header, thats not backward compatible. We do have an existing scoping/aud check with the cluster ID |
/hold |
Ok, I was misunderstanding, this is about the server side role assumption for EC2 instance verification. Yea I think this check is probably fine to add. |
@micahhausler would you like to review when you have a chance? |
359acd9
to
ea8bd8a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: haoranleo, micahhausler The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@micahhausler could you remove the hold label? Also PR on release branch #751 |
/unhold |
What this PR does / why we need it:
Add cluster details (clusters_arn and account_id) as headers to STS when assuming a role to make requests. When sourceARN is not empty, it will panic if it fails to parse account id from the sourceARN (same behavior as verifying roleARN).
The reason to add sourceArn and sourceAccount to STS request headers is to avoid confusion deputy issue. AWS IAM supports these global conditional key in IAM roles trust policy https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html, and we want to include the caller identity into the STS requests when assuming the role. We have did same change for CCM in kubernetes/cloud-provider-aws#649
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when PR gets merged):Fixes #