Escaping colon character in key #558

N0rb3rtT · 2024-03-08T00:33:25Z

N0rb3rtT
Mar 8, 2024

Hi All,

I am new to Rego and I got a task at hand to evaluate AWS IAM policies, look for specific strings within each policies and fail / pass based on the result.

So far everything works as expected except when the AWS IAM policy got a colon in the key:

"StringEquals": {
    "connect:InstanceId": [
                        "123456",
                        "987654"
                    ]
                }

I tested two different scenarios in playground:

1.) Replaced colon with underscore between "connect" and "InstanceId" to ensure that my policy gets evaluated correctly:

Policy:

package demo

default result = "fail"

expectedStatementInstanceId := ["123456", "987654"]

result = "pass" {
	expectedStatementInstanceId == input.Statement[0].Condition.StringEquals.connect_InstanceId
}

Input:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement",
            "Effect": "Allow",
            "Action": "connect:GetFederationToken",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "connect_InstanceId": [
                        "123456",
                        "987654"
                    ]
                }
            }
        }
    ]
}

Output:

{
    "expectedStatementInstanceId": [
        "123456",
        "987654"
    ],
    "result": "pass"
}

Expected behaviour.

2.) Used original AWS IAM policy with colon between "connect" and "InstanceId":

Policy:

package demo

default result = "fail"

expectedStatementInstanceId := ["123456", "987654"]

result = "pass" {
	expectedStatementInstanceId == input.Statement[0].Condition.StringEquals.connect:InstanceId
}

Input:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement",
            "Effect": "Allow",
            "Action": "connect:GetFederationToken",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "connect:InstanceId": [
                        "123456",
                        "987654"
                    ]
                }
            }
        }
    ]
}

Output:

1 error occurred: policy.rego:8: rego_parse_error: unexpected : token: expected \n or ; or }
	expectedStatementInstanceId == input.Statement[0].Condition.StringEquals.connect:InstanceId

Error evaluating.

I would like to know if there is a way to escape the colon character between "connect" and "InstanceID" when I am writing a policy in Rego?

Thank you. 😊

Answered by anderseknert

Mar 8, 2024

input.Statement[0].Condition.StringEquals["connect:InstanceId"]

🙂

View full answer

anderseknert · 2024-03-08T00:52:04Z

anderseknert
Mar 8, 2024
Maintainer

input.Statement[0].Condition.StringEquals["connect:InstanceId"]

🙂

1 reply

N0rb3rtT Mar 8, 2024
Author

You are a star, thank you very much! 😉 👍

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Open Policy Agent

Escaping colon character in key #558

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Open Policy Agent

Escaping colon character in key #558

N0rb3rtT Mar 8, 2024

1.) Replaced colon with underscore between "connect" and "InstanceId" to ensure that my policy gets evaluated correctly:

2.) Used original AWS IAM policy with colon between "connect" and "InstanceId":

Replies: 1 comment · 1 reply

anderseknert Mar 8, 2024 Maintainer

N0rb3rtT Mar 8, 2024 Author

N0rb3rtT
Mar 8, 2024

Replies: 1 comment 1 reply

anderseknert
Mar 8, 2024
Maintainer

N0rb3rtT Mar 8, 2024
Author