
README: fix Condition in IAM policy #236


Closed
wants to merge 3 commits into from

Conversation

vtatarin

@vtatarin vtatarin commented Aug 2, 2023

Hello community,

I'm updating the IAM policy from the README to reflect the actual way the datasource accesses secrets, reference

@vtatarin vtatarin requested a review from a team as a code owner August 2, 2023 23:48
@CLAassistant

CLAassistant commented Aug 2, 2023

CLA assistant check
All committers have signed the CLA.

@fridgepoet
Contributor

Thanks @vtatarin, can you tell me a little more context about this one?
For example, does the current IAM policy's condition create a problem? Can you tell me how to reproduce it?

@vtatarin
Author

vtatarin commented Aug 24, 2023

Hello @fridgepoet! The current IAM policy is incorrect: a None condition is not allowed by the AWS IAM API. secretsmanager:ResourceTag/RedshiftQueryOwner tags never have a False value.

You can verify this by deploying a Redshift cluster to an AWS account and attaching the IAM policy to the Grafana IAM User/Role. The current version of the IAM policy will not allow Grafana to fetch any credentials from Secrets, and it can be fixed by making the changes to the IAM policy that I propose in this MR.

Here is a reference to the actual plugin code which filters out secrets with credentials. As you can see, it simply filters the secrets that do have such a label (not with a specific value or so). Basically, my fix allows the current plugin filter in code to work correctly.

@fridgepoet
Contributor

Hi @vtatarin thanks for that extra information.

I believe we are not checking for a False value, rather we are just checking the existence of this particular key. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_Null

We have a Redshift cluster whose access is set via an IAM User with Secrets Manager and the documented minimal IAM policy, and I believe I'm observing that Grafana is able to fetch those credentials from Secrets.

Let us know if you have more specific steps about reproducing this issue or if I am missing something!
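To make the semantics of the `Null` condition operator concrete, here is an added example (not code from this pull request, the plugin, or the README). It builds a statement in the shape that the discussion above implies, a `Null` condition on the `secretsmanager:ResourceTag/RedshiftQueryOwner` key, then evaluates it against constructed secrets with different tag values. The statement shape, the secret names and the tag values are assumptions for illustration; the evaluator implements only the `Null` operator as AWS documents it: `"true"` matches when the key is absent from the request context, `"false"` matches when the key is present, whatever its value.

```python
import json

def make_statement(null_value: str) -> dict:
    """Build an Allow statement guarded by a Null condition.

    Assumed shape for illustration, not a copy of the project's README policy.
    null_value "false" means the tag key must be present; "true" means absent.
    """
    return json.loads(f"""
    {{
      "Effect": "Allow",
      "Action": ["secretsmanager:GetSecretValue"],
      "Resource": "*",
      "Condition": {{
        "Null": {{
          "secretsmanager:ResourceTag/RedshiftQueryOwner": "{null_value}"
        }}
      }}
    }}
    """)

def null_condition_matches(block: dict, context: dict) -> bool:
    """Evaluate one "Null" operator block against the request context.

    Each entry is ANDed. Only key presence matters; the key's value (True,
    False, "", anything) is never compared, which is the point under discussion.
    """
    for key, expected in block.items():
        wants_absent = str(expected).lower() == "true"
        is_absent = key not in context
        if wants_absent != is_absent:
            return False
    return True

def statement_allows(statement: dict, action: str, context: dict) -> bool:
    """Return True when the statement's Action and Condition both match."""
    if statement.get("Effect") != "Allow" or action not in statement["Action"]:
        return False
    for operator, block in statement.get("Condition", {}).items():
        if operator != "Null":
            # Fail closed: this toy evaluator only models the Null operator.
            raise ValueError(f"unsupported condition operator: {operator}")
        if not null_condition_matches(block, context):
            return False
    return True

def secret_context(tags: dict) -> dict:
    """Expose a secret's tags as the secretsmanager:ResourceTag/<tag> condition keys."""
    return {f"secretsmanager:ResourceTag/{name}": value for name, value in tags.items()}

# Constructed sample secrets; names and tags are invented for the example.
SECRETS = {
    "redshift/owner-tag-true": {"RedshiftQueryOwner": "true"},
    "redshift/owner-tag-false": {"RedshiftQueryOwner": "false"},  # key present, so still matched
    "other/untagged": {"Team": "data"},
}

def readable_secrets(statement: dict, secrets: dict = SECRETS) -> list:
    """Names of the secrets the statement lets GetSecretValue read, sorted."""
    return sorted(
        name for name, tags in secrets.items()
        if statement_allows(statement, "secretsmanager:GetSecretValue", secret_context(tags))
    )

if __name__ == "__main__":
    for value in ("false", "true"):
        print(f'Null = "{value}":', readable_secrets(make_statement(value)))
```

Running it shows that with `"Null": {...: "false"}` the two tagged secrets are readable regardless of whether the tag's value is `true` or `false`, and the untagged one is not; flipping the operator value to `"true"` inverts the result. This mirrors the explanation above: the condition checks for the existence of the key, not for a specific value.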

@vtatarin vtatarin closed this Aug 29, 2023
@vtatarin vtatarin deleted the bugfix/update-readme branch August 29, 2023 17:33
Labels
None yet
3 participants