Reduce Pulumi APIs Permission to Least Required for All Blob Storage (S3, Blob, GCP Bucket, etc). #73

Open
phillipedwards opened this issue Aug 18, 2022 · 0 comments

Comments

phillipedwards (Contributor) commented Aug 18, 2022

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Currently, the k8s Service Account used in the EKS installer uses the AmazonS3FullAccess Policy, which is not only unnecessary, it is a gross over-application of permissions, granting the service account full access to all S3 buckets in an account.

See: https://github.com/pulumi/pulumi-self-hosted-installers/blob/master/eks-hosted/03-apps/rbac.ts#L34

Reduce the scope of S3 Access for the service account to the specific buckets and actions needed for the Pulumi Service.

Note, all self-hosted installers should follow the model shown below for the ECS installer. That is, use least required privileges for blob storage.

Affected area/feature

Example of fix for the ECS Installer:

```go
package main
import (
	"encoding/json"
	"fmt"
)
// Placeholder ARNs; the installer takes these from its stack outputs.
var checkpointBucketArn = "arn:aws:s3:::example-checkpoints"
var policypackBucketArn = "arn:aws:s3:::example-policypacks"
func main() {
	// Resource is narrowed to the two buckets and their objects; Action stays s3:*.
	policyDoc, err := json.Marshal(map[string]interface{}{
		"Version": "2012-10-17",
		"Statement": []map[string]interface{}{
			{
				"Effect": "Allow",
				"Action": []string{"s3:*"},
				"Resource": []string{
					checkpointBucketArn,
					fmt.Sprintf("%s/*", checkpointBucketArn),
					policypackBucketArn,
					fmt.Sprintf("%s/*", policypackBucketArn),
				},
			},
		},
	})
	if err != nil {
		panic(err)
	}
	fmt.Println(string(policyDoc))
}
```

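As an added example (editor's code, not the issue author's snippet and not the installers' own code): a policy builder that narrows the Action list as well as the Resource list, splitting bucket-level actions (which apply to the bucket ARN) from object-level actions (which apply to the bucket ARN with a `/*` suffix), plus a check that flags wildcard actions or resources so a CI step can reject policies like AmazonS3FullAccess or `Action: s3:*`. The specific action set the Pulumi Service needs and the sample bucket ARNs are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement is one entry of an IAM policy document.
type Statement struct {
	Effect   string   `json:"Effect"`
	Action   []string `json:"Action"`
	Resource []string `json:"Resource"`
}

// PolicyDocument is an IAM policy document in its JSON shape.
type PolicyDocument struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// LeastPrivilegeS3Policy grants only listing on the named buckets and
// read/write/delete on their objects. Bucket-level and object-level actions
// are split into separate statements because each applies to a different
// resource ARN form. The exact action set the Pulumi Service needs is an
// assumption here; trim it further if the service does less.
func LeastPrivilegeS3Policy(bucketArns ...string) PolicyDocument {
	bucketLevel := make([]string, 0, len(bucketArns))
	objectLevel := make([]string, 0, len(bucketArns))
	for _, arn := range bucketArns {
		bucketLevel = append(bucketLevel, arn)
		objectLevel = append(objectLevel, arn+"/*")
	}
	return PolicyDocument{
		Version: "2012-10-17",
		Statement: []Statement{
			{
				Effect:   "Allow",
				Action:   []string{"s3:ListBucket", "s3:GetBucketLocation"},
				Resource: bucketLevel,
			},
			{
				Effect:   "Allow",
				Action:   []string{"s3:GetObject", "s3:PutObject", "s3:DeleteObject"},
				Resource: objectLevel,
			},
		},
	}
}

// Wildcards lists every Action containing "*" and every Resource containing
// "*" anywhere other than the trailing "/*" object-key suffix. An empty
// result means the policy names concrete actions and concrete buckets;
// "s3:*" or a bare "*" resource (what AmazonS3FullAccess amounts to) is reported.
func Wildcards(doc PolicyDocument) []string {
	var findings []string
	for i, st := range doc.Statement {
		for _, a := range st.Action {
			if strings.Contains(a, "*") {
				findings = append(findings, fmt.Sprintf("statement %d: wildcard action %q", i, a))
			}
		}
		for _, r := range st.Resource {
			if strings.Contains(strings.TrimSuffix(r, "/*"), "*") {
				findings = append(findings, fmt.Sprintf("statement %d: wildcard resource %q", i, r))
			}
		}
	}
	return findings
}

// PolicyJSON renders the document as the JSON string an IAM role policy expects.
func PolicyJSON(doc PolicyDocument) (string, error) {
	b, err := json.MarshalIndent(doc, "", "  ")
	return string(b), err
}

func main() {
	// Constructed sample ARNs; an installer would take these from its stack outputs.
	doc := LeastPrivilegeS3Policy(
		"arn:aws:s3:::example-pulumi-checkpoints",
		"arn:aws:s3:::example-pulumi-policypacks",
	)
	out, err := PolicyJSON(doc)
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
	fmt.Println("wildcard findings:", Wildcards(doc))
}
```

Run against the ECS snippet above, `Wildcards` would still report the `s3:*` action, which is the remaining gap between "scoped to two buckets" and "least required privileges".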
phillipedwards added labels kind/enhancement (Improvements or new features), needs-triage (Needs attention from the triage team), impact/security, area/self-hosted on Aug 18, 2022
phillipedwards self-assigned this on Aug 18, 2022
EvanBoyle removed the needs-triage label on Aug 19, 2022
phillipedwards changed the title from "EKS Installer - Reduce EKS Service Account Role's Access to S3 Buckets" to "Reduce Pulumi APIs Permission to Least Required for All Blob Storage (S3, Blob, GCP Bucket, etc)." on Sep 8, 2022