Giters

aws-containers / amazon-ecs-exec-checker

🚀 Pre-flight checks for ECS Exec

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Script fails with IAM role name with nested multiple paths

toricls opened this issue · comments

commented

This issue is a follow-up for the PR #10 - "Fix script execution when used by assumed roles from SSO".

The PR above implemented a support for assumed IAM roles without slash in the role name part (e.g. arn:aws:sts::123456789012:assumed-role/Role-Name-Without-Slash/JaneDoe), the script still fails with role names with slash(es) (e.g. arn:aws:sts::123456789012:assumed-role/This-Role-Has/Multiple-Paths/In-Role-Name/JaneDoe).

This issue aims to implement a support for IAM roles which have nested multiple paths in their role name. See the following as typical examples.

commented

As a reference and an example, the IAM identifiers could have one of the following formats:

arn:aws:iam::123456789012:root
arn:aws:iam::123456789012:user/JohnDoe
arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/JaneDoe
arn:aws:iam::123456789012:group/Developers
arn:aws:iam::123456789012:group/division_abc/subdivision_xyz/product_A/Developers
arn:aws:iam::123456789012:role/S3Access
arn:aws:iam::123456789012:role/application_abc/component_xyz/RDSAccess
arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer
arn:aws:iam::123456789012:role/service-role/QuickSightAction
arn:aws:iam::123456789012:policy/UsersManageOwnCredentials
arn:aws:iam::123456789012:policy/division_abc/subdivision_xyz/UsersManageOwnCredentials
arn:aws:iam::123456789012:instance-profile/Webserver
arn:aws:sts::123456789012:federated-user/JohnDoe
arn:aws:sts::123456789012:assumed-role/Accounting-Role/JaneDoe
arn:aws:iam::123456789012:mfa/JaneDoeMFA
arn:aws:iam::123456789012:u2f/user/JohnDoe/default (U2F security key)
arn:aws:iam::123456789012:server-certificate/ProdServerCert
arn:aws:iam::123456789012:server-certificate/division_abc/subdivision_xyz/ProdServerCert
arn:aws:iam::123456789012:saml-provider/ADFSProvider
arn:aws:iam::123456789012:oidc-provider/GoogleProvider

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns