Vault: auth/aws: Support binding to IAM Groups

Created on 20 Aug 2017  路  9Comments  路  Source: hashicorp/vault

Separating out from #3179

There's a use case that came up on the mailing list that would be solved by supporting binding to IAM groups in the AWS auth backend.

Here's my current thinking and open questions about what the "right" behavior would be:

When binding a role to an IAM group:

  • Enforce AWS unique ID resolution to make the rest of the code simpler (it really only exists for backwards compatibility with the existing types due to some shortsightedness on my part)
  • Call iam:GetGroup to look up the unique ID of the group and store the group unique ID

When logging in:

  • Go through normal process of authenticating the user
  • When authorizing, if we detect that the bound IAM principal is a group, then:

    • Ensure the authenticated principal is a user (since groups can only contain users)

    • Call iam:ListGroupsForUser (and paginate through the results) to see if the authenticated user is a member of the bound group

    • Matching should be done based on the unique ID of the group -- iam:ListGroupsForUser contains the group ID for each group the user is a member of

  • Wildcard matching -- how to handle (once #3213 is merged)?

    • One option is to simply disallow wildcards matching groups (easier)

    • The other option would be, if the authenticating user's ARN doesn't match the wild card, then to enumerate each group that user is a member of and see if it matches the wild card

    • This naive approach would be terribly inefficient, e.g., if I have a bound ARN of arn:aws:iam:::123456789012:* and the authenticating user is arn:aws:iam::987654321098:user/Joe then there could never be a match to a group (since AWS doesn't allow cross-account group membership)

    • Maybe a more efficient option would be to look up group membership iff the bound IAM principal ARN starts with arn:aws:iam::<authenticated principal's account ID>:group and contains a wildcard at the end? Would need to spend more time thinking this through.

When renewing tokens:

  • Don't check to ensure that the authenticated user is still a member of the bound group (similar to the declared behavior of the LDAP auth backend)
  • What's the right behavior when the bound IAM principal has changed?

    • One option is to simply refuse to renew

    • Another option would be to see if the authenticated user still matches the bound IAM principal. This could involve looking up group memberships anew (which we wouldn't be doing under normal circumstances)

The biggest thing stopping me from implementing this today is testability because this now introduces even more interactions with AWS APIs, and in more complicated places. I just don't think this (IAM group support) can be done in a maintainable way without having some real mocking of AWS APIs (something I'd guess the AWS secret backend could also benefit from). I recall that the Terraform AWS provider had some basic mocking that might prove useful here; has there been any discussion about sharing that out into a more common HashiCorp library? If not, I'll probably work on this first; a couple links for future reference.

autaws enhancement
Source
picture joelthompson
👍9

Most helpful comment

@joelthompson @jefferai This would actually make it a lot nicer from a user management perspective. We have a bunch of users that exist at the root users/ level, alongside a bunch of user-instance credentials that we don't want to allow similar access to assume roles.

Supporting Groups would allow us to not move/migrate all users over to a separate users/devs/* path to differentiate them.

picture paddie on 17 Aug 2018
👍5

All 9 comments

There hasn't been any discussion from our end, but I do encourage you to reach out to the TF devs about it if it would be useful. (I can make introductions if that would help.)

jefferai picture jefferai on 29 Aug 2017

Cool, I'd definitely love to chat with the TF folks! Maybe HashiConf?

joelthompson picture joelthompson on 29 Aug 2017

Sure, depends on what your timeline is -- if you want to get a shared framework in for 0.8.2 should probably chat ahead of then, but otherwise that would be fine.

jefferai picture jefferai on 29 Aug 2017

I don't have any timelines, and thinking a little more broadly, I also wonder if there'd be interest from the Packer and/or Nomad teams as well in something like this, and/or if they also have code that could be pulled into a shared library. Feels like HashiConf would be the perfect time to have a quick chat about this. If you could make introductions, that'd be awesome!

joelthompson picture joelthompson on 30 Aug 2017

Sure! Hit me up then and I'll find people for us to talk to.

jefferai picture jefferai on 30 Aug 2017
👍2

Hi there! Just stumbled upon this ticket while looking into using this functionality. I was wondering if there was any progress on this or any roadmap for it? Thanks!

ttacon picture ttacon on 22 Nov 2017
👍3

@joelthompson @jefferai This would actually make it a lot nicer from a user management perspective. We have a bunch of users that exist at the root users/ level, alongside a bunch of user-instance credentials that we don't want to allow similar access to assume roles.

Supporting Groups would allow us to not move/migrate all users over to a separate users/devs/* path to differentiate them.

paddie picture paddie on 17 Aug 2018
👍5

This would be magnificent

thenoid picture thenoid on 1 Apr 2019

That would be really nice if its implemented and would definitely help

ivan85viv picture ivan85viv on 14 Jun 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

Wonder007 picture Wonder007  路  3Comments
lexsys27 picture lexsys27  路  3Comments
weisinc picture weisinc  路  3Comments
jasonmcintosh picture jasonmcintosh  路  3Comments
andris9 picture andris9  路  3Comments