You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently, on logging in to cloud-gate, a user receives credentials for all of the accounts that they have access to.
Steps to reproduce
Login to cloud-gate on UI or via CLI.
Impact
Even though these are short lived credentials, they should be granted on a need/per request basis instead of giving all the creds. This way a user is only given creds to a particular account/role instead of all roles. Restricting creds on a need/request basis is good from an attack surface perspective.
Remediation
Would be good to grant only the credentials that were requested by the user for both the CLI and the UI.
The text was updated successfully, but these errors were encountered:
Issue
Currently, on logging in to cloud-gate, a user receives credentials for all of the accounts that they have access to.
Steps to reproduce
Login to cloud-gate on UI or via CLI.
Impact
Even though these are short lived credentials, they should be granted on a need/per request basis instead of giving all the creds. This way a user is only given creds to a particular account/role instead of all roles. Restricting creds on a need/request basis is good from an attack surface perspective.
Remediation
Would be good to grant only the credentials that were requested by the user for both the CLI and the UI.
The text was updated successfully, but these errors were encountered: