IAMbic plan fails for multi-account YAMLs
**Describe the bug**
I have been evaluating this tool for some time, but had other things to do for a while. Getting back to it, I upgraded IAMbic from version ~0.11.59 to 0.11.86. After I executed an "iambic import" on my configuration, the "iambic plan" command produces errors for some YAML files. In the end this results in an empty "proposed_changes.json", which cannot be rendered to the console and throws an exception.
The YAMLs producing errors are for a managed policy and for users. From what I see in the console output, IAMbic is trying to detect changes and fails. But the error in that step is not thrown or printed anywhere. So I looked at my files and these are my findings:
- The "iambic import" adds an entry called "credentials" to properties (which is not documented here, but is not responsible for the error).
- Part of the "credentials" block is information about access_keys (which is why I can't and will not post my YAMLs) and password. Both blocks carry information about the "enabled" status and last usage.
- The "credentials" block itself is not the issue here, because I also have user YAMLs that contain this block but do not produce the error.
- The main difference between the erroneous YAMLs and the working ones is that they belong to users residing in multiple accounts.
- So my conclusion here is that the issue lies with the "include_accounts" or "exclude_accounts" (exclude being used in the erroneous policy document) starting the entries for "credentials":
```yaml
...
properties:
  credentials:
    - include_accounts:
        - Account X
      access_keys:
        - enabled: true
          id: XXXXXXXXXXXXXXXXXXX
          last_used: '2023-10-20'
      password:
        enabled: true
        last_used: Never
...
```
- As for my erroneous managed policy, I think it is the same issue, because in its policy_document block there are also exclude_accounts and include_accounts statements.
```yaml
template_type: NOQ::AWS::IAM::ManagedPolicy
template_schema_url: https://docs.iambic.org/reference/schemas/aws_iam_managed_policy_template
included_accounts:
  - Account X
  - Account Y
identifier: GreengrassV2TokenExchangeRoleAccess
properties:
  policy_document:
    - excluded_accounts:
        - Account Y
      statement:
        - action:
            - iot:Connect
            - iot:DescribeCertificate
            - iot:Publish
            - iot:Receive
            - iot:Subscribe
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:DescribeLogStreams
            - logs:PutLogEvents
            - s3:GetBucketLocation
          effect: Allow
          resource: '*'
      version: '2012-10-17'
    - included_accounts:
        - Account Y
      statement:
        - action:
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:DescribeLogStreams
            - logs:PutLogEvents
            - s3:GetBucketLocation
          effect: Allow
          resource: '*'
      version: '2012-10-17'
  policy_name: GreengrassV2TokenExchangeRoleAccess
```
**To Reproduce**
Steps to reproduce the behavior:
- Look for a policy or user YAML
- Add "include_accounts"
  - before the credentials entry (as shown above) for a user YAML
  - before the policy_document entry for a policy YAML
- Execute "iambic plan" on the prepared YAML
- See error

**Expected behavior**
The IAMbic plan step does not produce an error for these types of YAMLs and respects the include and exclude statements (if this is intended to work that way).

**Desktop (please complete the following information):**
- OS: Windows
- Python 3.11.5
- IAMbic 0.11.86 (after pip install iambic-core --upgrade)

**Additional context**
Upgraded IAMbic from version 0.11.59 (or 56, can't remember ^^) to 0.11.86. Had no issues with the old version, so this is either a change to IAMbic that was introduced between those versions or some other change on the AWS side?
**Community Engagement**
Your vote counts! Please support this bug report by adding a 👍 reaction to the original issue, which will aid the community and maintainers in addressing this problem.
Please refrain from adding "+1" or "me too" comments, as these create unnecessary noise for issue followers and do not help in prioritizing the issue. If you wish to contribute to solving this issue or have submitted a pull request, please leave a comment.
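The include/exclude resolution the report asks about, as an added illustration that is not IAMbic's own code: a small resolver that assumes an element's `included_accounts` defaults to `*`, that `excluded_accounts` wins over inclusion, and that names are glob-matched, then flags accounts that end up with zero or more than one `policy_document` entry (the template below is constructed from the one in the report, with shortened statements).

```python
from fnmatch import fnmatch

# Constructed from the managed-policy template in the report above
# (account names are the reporter's placeholders; statements shortened).
TEMPLATE = {
    "included_accounts": ["Account X", "Account Y"],
    "properties": {
        "policy_document": [
            {"excluded_accounts": ["Account Y"], "version": "2012-10-17",
             "statement": [{"effect": "Allow", "resource": "*",
                            "action": ["iot:Connect", "logs:PutLogEvents"]}]},
            {"included_accounts": ["Account Y"], "version": "2012-10-17",
             "statement": [{"effect": "Allow", "resource": "*",
                            "action": ["logs:PutLogEvents"]}]},
        ]
    },
}


def matches(account: str, patterns: list[str]) -> bool:
    """Case-insensitive glob match of an account name against a list of patterns."""
    return any(fnmatch(account.lower(), p.lower()) for p in patterns)


def applies_to(account: str, scoped: dict) -> bool:
    """Assumed rule: included (default '*') and not excluded; exclusion wins."""
    return (matches(account, scoped.get("included_accounts", ["*"]))
            and not matches(account, scoped.get("excluded_accounts", [])))


def template_accounts(template: dict, known_accounts: list[str]) -> list[str]:
    """Accounts the template as a whole targets."""
    return [a for a in known_accounts if applies_to(a, template)]


def resolve_policy_documents(template: dict, known_accounts: list[str]) -> dict:
    """Map each targeted account to the indexes of policy_document entries that apply.

    A single (non-list) policy_document is treated as one entry scoped to '*'.
    """
    docs = template["properties"]["policy_document"]
    if isinstance(docs, dict):
        docs = [docs]
    return {a: [i for i, d in enumerate(docs) if applies_to(a, d)]
            for a in template_accounts(template, known_accounts)}


def find_conflicts(resolved: dict) -> dict:
    """Accounts with zero or several documents have no single policy to render."""
    return {a: idx for a, idx in resolved.items() if len(idx) != 1}
```

For the reporter's template this yields Account X → entry 0 and Account Y → entry 1 with no conflicts; an account matched by both entries, or by neither, is what `find_conflicts` surfaces before a plan would have to render it.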
Hi @Ascend1984, thanks for reporting the bug. Have you already tried removing the "resources" directory in the template and doing a fresh import?
There were some exclude directive fixes. Before the fix, the usage for exclude shouldn't be generated from the initial import command.
Hello @smoy, thanks for your reply.
I did the complete re-import of my accounts, but I still get the same error, or at least for the same YAML files (because the command still just ends in a NotRenderableError('Unable to render None; A str, Segment or object with rich_console method is required')).
So I compared some of the YAMLs with the "older" ones, and yeah, the previous exclude is gone. But everything else is still the same. Also, when deleting the credentials block, iambic plan does work.
Also, the erroneous policy is still not working with iambic plan:
```yaml
template_type: NOQ::AWS::IAM::ManagedPolicy
template_schema_url: https://docs.iambic.org/reference/schemas/aws_iam_managed_policy_template
included_accounts:
  - Account A
  - Account B
  - Account C
identifier: GreengrassV2TokenExchangeRoleAccess
properties:
  policy_document:
    - included_accounts:
        - Account A
        - Account B
      statement:
        - action:
            - iot:Connect
            - iot:DescribeCertificate
            - iot:Publish
            - iot:Receive
            - iot:Subscribe
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:DescribeLogStreams
            - logs:PutLogEvents
            - s3:GetBucketLocation
          effect: Allow
          resource: '*'
      version: '2012-10-17'
    - included_accounts:
        - Account C
      statement:
        - action:
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:DescribeLogStreams
            - logs:PutLogEvents
            - s3:GetBucketLocation
          effect: Allow
          resource: '*'
      version: '2012-10-17'
  policy_name: GreengrassV2TokenExchangeRoleAccess
```
Thank you for the follow-up. I will investigate the credential block issue (it was designed to be launched as an informational, investigation detail). It's safe to disable it to move past this issue.
In your IAMbic config.yaml (possibly in your config folder), under the aws block, add
`enable_iam_user_credentials: False`; that should disable that functionality at the moment.
Reference: https://github.com/noqdev/iambic/blob/7d2f834fa50826815c848716b044a96f15e4aa78/iambic/plugins/v0_1_0/aws/iambic_plugin.py#L79
I will try to reproduce that policy locally. Your initial report mentions you are on Windows. Is it possible for you to try this under WSL2? We suppress some signal handlers on Windows (since some only exist on Linux-like systems). I am wondering if that is contributing to stack trace masking.
I had a lot to do these past days and will be on vacation next week, so I will be out for a few days.
For the WSL2 part I'm not sure. I need to check if it's possible on my work laptop (where I did the evaluation).
I will get back to this when i return in a few days.
Sorry to get back to you so late, a busy end of the year ^^
Sadly there is no way to use WSL2 at the moment :( so I cannot provide any further insight into the stack trace masking.