
Limit iam:CreateServiceLinkedRole permission to specific role #416

Open

gabegorelick opened this issue Feb 4, 2020 · 4 comments

Comments

@gabegorelick
Contributor

Github issue

Issue type

  • Feature Idea

Build number

master

Summary

iam:CreateServiceLinkedRole was added in #205 and is a fairly major permission to grant to AutoSpotting. In reality, I think it only needs to create the AWSServiceRoleForEC2Spot service-linked role. Thus, its permissions could be limited to that specific resource.

See https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html.

Steps to reproduce

Deploy

Expected results

AutoSpotting only has permission to create the service-linked role it needs.

Actual results

AutoSpotting has permission to create any service-linked role.

@cristim
Member

cristim commented Feb 4, 2020

@gabegorelick is it possible to restrict this permission only for the AWSServiceRoleForEC2Spot service-linked role?

@gabegorelick
Contributor Author

is it possible to restrict this permission only for the AWSServiceRoleForEC2Spot service-linked role?

Yes. I've verified the following works:

Effect: Allow
Action:
  - 'iam:CreateServiceLinkedRole'
Resource:
  - !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot'

I can throw together a PR if you want.
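The point of the thread is that `Resource: "*"` lets the principal create any service-linked role in the account, while the ARN-scoped statement above lets it create exactly one. The script below is an added example (not AutoSpotting code and not anything posted in this issue) that checks that property offline with a deliberately simplified model of IAM evaluation: explicit Deny wins, then any matching Allow, otherwise implicit deny; it handles `*`/`?` wildcards and a `StringEquals` condition only, and ignores SCPs, permission boundaries and resource policies. Assumptions: the account id `123456789012` is constructed, the three service-linked role names used as sample requests come from AWS documentation rather than from this thread, and the third policy variant, which scopes the grant with the `iam:AWSServiceName` condition key instead of the ARN, is an AWS-documented alternative that the thread does not mention. The final check in the usage note is the partition caveat a reviewer would raise against the posted snippet: it hardcodes `arn:aws:`, so the same role in a GovCloud or China account (`arn:aws-us-gov:` / `arn:aws-cn:`) would not match; `${AWS::Partition}` in the `!Sub` avoids that.

```python
"""Offline check that a scoped iam:CreateServiceLinkedRole grant permits only the
intended service-linked role. Simplified IAM model, NOT AWS's evaluation engine."""
import re

ACCOUNT_ID = "123456789012"  # constructed sample account id


def slr_arn(service, role_name, account=ACCOUNT_ID, partition="aws"):
    """ARN of a service-linked role: IAM puts them under /aws-service-role/<service>/."""
    return f"arn:{partition}:iam::{account}:role/aws-service-role/{service}/{role_name}"


SPOT_SLR_ARN = slr_arn("spot.amazonaws.com", "AWSServiceRoleForEC2Spot")

# The grant the issue objects to: may create ANY service-linked role in the account.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:CreateServiceLinkedRole"], "Resource": "*"}]}

# The posted CloudFormation statement with !Sub expanded: only the EC2 Spot SLR.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:CreateServiceLinkedRole"], "Resource": [SPOT_SLR_ARN]}]}

# AWS-documented alternative (assumption: not from this thread): keep Resource "*"
# but restrict the owning service with the iam:AWSServiceName condition key.
CONDITION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:CreateServiceLinkedRole"], "Resource": "*",
     "Condition": {"StringEquals": {"iam:AWSServiceName": "spot.amazonaws.com"}}}]}

# Sample requests: service principal -> service-linked role name (from AWS docs).
SAMPLE_REQUESTS = {
    "spot": ("spot.amazonaws.com", "AWSServiceRoleForEC2Spot"),
    "spotfleet": ("spotfleet.amazonaws.com", "AWSServiceRoleForEC2SpotFleet"),
    "autoscaling": ("autoscaling.amazonaws.com", "AWSServiceRoleForAutoScaling"),
}


def _as_list(v):
    return [] if v is None else (v if isinstance(v, list) else [v])


def _wild(pattern, value):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _condition_ok(condition, context):
    """Only StringEquals is modelled; that is all iam:AWSServiceName needs here."""
    for op, pairs in (condition or {}).items():
        if op != "StringEquals":
            raise NotImplementedError(f"condition operator {op} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Explicit Deny wins; otherwise any matching Allow; otherwise implicit deny."""
    context = context or {}
    allowed = False
    for st in policy["Statement"]:
        actions = [a.lower() for a in _as_list(st.get("Action"))]  # actions are case-insensitive
        if not any(_wild(a, action.lower()) for a in actions):
            continue
        if not any(_wild(r, resource) for r in _as_list(st.get("Resource"))):  # ARNs are case-sensitive
            continue
        if not _condition_ok(st.get("Condition"), context):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def creatable_roles(policy):
    """Names (from SAMPLE_REQUESTS) of the service-linked roles the policy lets a caller create."""
    return sorted(
        name for name, (service, role) in SAMPLE_REQUESTS.items()
        if is_allowed(policy, "iam:CreateServiceLinkedRole", slr_arn(service, role),
                      {"iam:AWSServiceName": service})
    )


if __name__ == "__main__":
    for label, policy in [("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY),
                          ("condition", CONDITION_POLICY)]:
        print(f"{label:10s} can create: {creatable_roles(policy)}")
    # Partition caveat: the hardcoded arn:aws: resource does not cover GovCloud/China.
    govcloud = slr_arn("spot.amazonaws.com", "AWSServiceRoleForEC2Spot", partition="aws-us-gov")
    print("scoped policy covers GovCloud ARN:",
          is_allowed(SCOPED_POLICY, "iam:CreateServiceLinkedRole", govcloud))
```

Run it as-is: the broad policy reports all three sample roles, the ARN-scoped and condition-scoped policies report only the Spot one, and the GovCloud line prints `False`, which is the `${AWS::Partition}` caveat in concrete form. Before shipping a policy change like this, confirm it against AWS itself (the IAM policy simulator or a dry deploy), since this model deliberately omits most of the evaluation logic.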

@cristim
Member

cristim commented Feb 5, 2020

By all means!

My IAM policy knowledge needs a refresh, this is awesome, thanks!

@cristim
Member

cristim commented Mar 6, 2023

Fixing this in the next version.

Development

No branches or pull requests

2 participants