minor fix the IAM user arn verification

kubernetes-sigs · Dec 10, 2023 · 61b6ec4 · 61b6ec4
1 parent 8309d67
commit 61b6ec4
Showing 1 changed file with 10 additions and 19 deletions.
diff --git a/pkg/mapper/dynamicfile/mapper.go b/pkg/mapper/dynamicfile/mapper.go
@@ -3,6 +3,7 @@ package dynamicfile
 import (
 	"strings"
 
+	"github.com/sirupsen/logrus"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/arn"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/config"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/errutil"
@@ -46,35 +47,25 @@ func (m *DynamicFileMapper) Map(identity *token.Identity) (*config.IdentityMappi
 	}
 
 	if roleMapping, err := m.RoleMapping(key); err == nil {
-		if err := m.match(identity, roleMapping.RoleARN, roleMapping.UserId); err != nil {
-			return nil, err
-		}
 		return roleMapping.IdentityMapping(identity), nil
 	}
 
 	if userMapping, err := m.UserMapping(key); err == nil {
-		if err := m.match(identity, userMapping.UserARN, userMapping.UserId); err != nil {
-			return nil, err
+		if !m.userIDStrict {
+			return userMapping.IdentityMapping(identity), nil
+		}
+		// compare arn additionally for IAM user if principalId is used in mapping
+		strippedArn, _ := arn.StripPath(userMapping.UserARN)
+		if strippedArn != "" && canonicalARN != strings.ToLower(strippedArn) {
+			logrus.Infof("arn not matched though principalId match. arn from STS response is %s, arn in mapper is %s",
+				canonicalARN, strings.ToLower(strippedArn))
+			return nil, errutil.ErrIDAndARNMismatch
 		}
 		return userMapping.IdentityMapping(identity), nil
 	}
-
 	return nil, errutil.ErrNotMapped
 }
 
-func (m *DynamicFileMapper) match(token *token.Identity, mappedARN, mappedUserID string) error {
-	if m.userIDStrict {
-		// If ARN is provided, ARN must be validated along with UserID.  This avoids having to
-		// support IAM user name/ARN changes. Without preventing this the mapping would look
-		// invalid but still work and auditing would be difficult/impossible.
-		strippedArn, _ := arn.StripPath(mappedARN)
-		if strippedArn != "" && token.CanonicalARN != strings.ToLower(strippedArn) {
-			return errutil.ErrIDAndARNMismatch
-		}
-	}
-	return nil
-}
-
 func (m *DynamicFileMapper) IsAccountAllowed(accountID string) bool {
 	return m.AWSAccount(accountID)
 }