
fix: Fix AllowGetCertificates statement scope for ALB controller role #196

Merged (2 commits) Jun 30, 2023

Conversation

wfrced (Contributor) commented Jun 28, 2023

What does this PR do?

This PR fixes the AllowGetCertificates statement in the IAM policy for ALB controller role.

The included IAM policy for ALB controller sets incorrect permissions for the AllowGetCertificates statement. It prevents ALB controller from accessing ACM certificates and makes it impossible to use the certificate search functionality, resulting in errors like "AccessDeniedException: User: arn:aws:sts::433222222257:assumed-role/alb-controller-20230620120130875800000002/1687883887660094198 is not authorized to perform: acm:ListCertificates because no identity-based policy allows the acm:ListCertificates action"

This is a result of limiting the statement to the following resources:

"arn:${local.partition}:acm:${local.region}:${local.account_id}:*",
"arn:${local.partition}:acm:${local.region}:${local.account_id}:certificate/*"

The actions do not take limits and only allow wildcard ("*") resource access.

Resolves #198
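The defect described above (a list action such as acm:ListCertificates granted only against ARN-scoped resources, which the service ignores and therefore denies) is easy to catch with a small policy linter before the role is ever deployed. The following is an added example, not the PR's change and not code from the aws-ia project: it scans an IAM policy document for Allow statements that grant a wildcard-only action on anything other than Resource "*", and produces a corrected document that moves only those actions to a "*" statement while the other actions keep their ARN scope. The sample policy, the partition/region/account placeholders, the WILDCARD_ONLY_ACTIONS set and the helper names are all constructed for this example.

```python
"""Lint and repair IAM statements that scope a wildcard-only action to ARNs.

acm:ListCertificates does not support resource-level permissions, so a
statement granting it is only effective when Resource is "*". Scoping it to
an ARN pattern produces the AccessDeniedException quoted in the PR.
"""
import json

# Actions that require Resource "*" (no resource-level permissions).
# Assumption for this example; extend from the IAM service authorization reference.
WILDCARD_ONLY_ACTIONS = {"acm:ListCertificates"}

# Constructed sample mirroring the shape of the broken AllowGetCertificates
# statement. Partition, region and account id are placeholders.
BEFORE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGetCertificates",
            "Effect": "Allow",
            "Action": ["acm:ListCertificates", "acm:DescribeCertificate"],
            "Resource": [
                "arn:aws:acm:us-east-1:111111111111:*",
                "arn:aws:acm:us-east-1:111111111111:certificate/*",
            ],
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_misscoped_statements(policy):
    """Return (Sid, action, resources) for each Allow statement that grants a
    wildcard-only action on anything other than Resource "*"."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        if resources == ["*"]:
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action in WILDCARD_ONLY_ACTIONS:
                findings.append((stmt.get("Sid", "<no Sid>"), action, resources))
    return findings


def fix_policy(policy):
    """Split each mis-scoped statement: wildcard-only actions move to a new
    statement with Resource "*"; the remaining actions keep their ARN scope so
    least privilege is preserved where the service actually supports it."""
    fixed = {"Version": policy.get("Version", "2012-10-17"), "Statement": []}
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wild = [a for a in actions if a in WILDCARD_ONLY_ACTIONS]
        if stmt.get("Effect") != "Allow" or resources == ["*"] or not wild:
            fixed["Statement"].append(stmt)
            continue
        scoped = [a for a in actions if a not in WILDCARD_ONLY_ACTIONS]
        if scoped:
            fixed["Statement"].append({**stmt, "Action": scoped})
        fixed["Statement"].append(
            {
                "Sid": stmt.get("Sid", "") + "Wildcard",
                "Effect": "Allow",
                "Action": wild,
                "Resource": "*",
            }
        )
    return fixed


if __name__ == "__main__":
    for sid, action, resources in find_misscoped_statements(BEFORE_POLICY):
        print(f"{sid}: {action} cannot be scoped to {resources}; needs Resource \"*\"")
    print(json.dumps(fix_policy(BEFORE_POLICY), indent=2))
```

Run against the sample, the linter reports the AllowGetCertificates statement, and the repaired document contains two statements: acm:DescribeCertificate still bound to the certificate ARNs, and acm:ListCertificates on "*". In the Terraform module the equivalent fix is what this PR does: give that statement a wildcard resource rather than the ARN patterns quoted above.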

@wfrced wfrced requested a review from a team as a code owner June 28, 2023 09:49
@wfrced wfrced changed the title from "fix: fix AllowGetCertificates statement scope for ALB controller role" to "fix: Fix AllowGetCertificates statement scope for ALB controller role" Jun 28, 2023
askulkarni2 (Contributor) commented:

@wfrced can you please open an issue describing your use-case and provide some sample code so we can try to reproduce.

wfrced (Contributor, Author) commented Jun 29, 2023

@askulkarni2 Sure! It's there: #198

@bryantbiggs bryantbiggs merged commit f120cc1 into aws-ia:main Jun 30, 2023
Linked issue: ALB Controller unable to search for certificates in AWS Certificate Manager