Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Template for whitelisting selected IAM roles

See original GitHub issue

We would like to have a template which allows only selected roles for given users. All other IAM bindings should be reported as violations. So instead of blacklisting all other roles, we would like to whitelist only few of them.

Example:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedRolesConstraintV1
metadata:
  name: whitelist_roles
  annotations:
    description: Only test.com groups can have appengine.appViewer and logging.viewer roles. All others bindings are not allowed.
spec:
  severity: high
  match:
    target: ["organization/*"]
    exclude: [] # optional, default is no exclusions
  parameters:
    role:
    - roles/appengine.appViewer
    - roles/logging.viewer
    members:
    - "group:*@test.com"

Issue Analytics

State:
Created 4 years ago
Comments:9 (7 by maintainers)

Top GitHub Comments

1reaction

FanchenBaocommented, Jul 25, 2019

I agree with morgante. Use iam_restrict_role constraint for each whitelisted role. They can detect any member that is not allowed to have such roles. Then you can either modify an existing template to whitelist the given roles, or you can write the template yourself. For example, the rego code for the template can be like this:

package templates.gcp.GCPIAMWhitelistRolesConstraintV1
            
import data.validator.gcp.lib as lib

deny[{
    "msg": message,
    "details": metadata,
}] {
    constraint := input.constraint
    lib.get_constraint_params(constraint, params)
    asset := input.asset

    binding := asset.iam_policy.bindings[_]
    role := binding.role

    whitelist := lib.get_default(params, "whitelist_roles", [])
    whitelist_set := {ele | ele := whitelist}

    not whitelist_set[role]

    message := sprintf("IAM policy for %v does not allow role %v", [asset.name, role])

    metadata := {
        "resource": asset.name,
        "role": role,
    }
}

And the constraint can be like this:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMWhitelistRolesConstraintV1
metadata:
  name: whitelist_roles
  annotations:
    description: Only the roles in this whitelist can be allowed
spec:
  severity: high
  match:
    target: ["organization/*"]
    exclude: [] # optional, default is no exclusions
  parameters:
    whitelist_roles:
    - "roles/appengine.appViewer"
    - "roles/logging.viewer"

0reactions

AdrienWalkowiakcommented, Feb 18, 2020

Closing as this is likely resolved now.