minio / minio

The Object Store for AI Data Infrastructure

Home Page:https://min.io/download


jwt:groups condition values in IAM policies?

rvIceBreaker opened this issue · comments

My apologies for perhaps misusing a GH issue for this, but I felt any responses should be accessible for the next person...

This appears to have been discussed in #11303 without any real indication of a solution

It doesn't appear that there is a way to utilize jwt:groups (or any jwt:... array variable) as a condition value to, for example, match a bucket prefix against OIDC-supplied group name(s) like so:

{
    "Effect": "Allow",
    "Action": [
        "s3:ListBucket"
    ],
    "Resource": [
        "arn:aws:s3:::testbucket1"
    ],
    "Condition": {
        "StringLike": {
            "s3:delimiter": [
                "/"
            ],
            "s3:prefix": [
                "${jwt:groups[0]}"
            ]
        }
    }
},

The conversation mentioned above seemed to suggest this might be possible or being looked into

Would someone be willing to definitively say if this is possible to achieve, or will ever be a supported feature?

edit:

As an additional example, the following also does not substitute the variable, and I think it would be a nice feature to do so:

"Resource": [
    "arn:aws:s3:::testbucket1/${jwt:groups[0]}/*"
]

So it appears that I'm slightly incorrect: ${jwt:groups} does substitute the variable, but only with the first element when it's an array of values; at least in terms of what my policy and requests authorize in testing.

...
{
    "Effect": "Allow",
    "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"
    ],
    "Resource": [
        "arn:aws:s3:::testbucket1/${jwt:groups}",
        "arn:aws:s3:::testbucket1/${jwt:groups}/*"
    ]
}
...

There doesn't seem to be any way to index them individually.

Right now, we need cycles to take this up, @rvIceBreaker. I suggest pushing our roadmaps by becoming a customer if you have a production requirement.

However, this is not a priority and will be addressed later if and when we find some time.

You can use jwt:groups as part of the ForAnyValue or ForAllValues conditionals. However, these are not supported in the resources and will only use the first element.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-logic-multiple-context-keys-or-values.html

@harshavardhana I appreciate the response, this information isn't really clearly stated anywhere so hopefully this thread can save someone else some time.

As far as I can tell, using ForAnyValue/ForAllValues on s3:ListBucket->s3:prefix also only matches against the first element.

// s3:ListBucket statement
"Condition": {
    "ForAllValues:StringLike": {
        "s3:prefix": [
            "${jwt:groups}",
            "${jwt:groups}/*"
        ]
    }
}
// s3:GetObject statement
"Resource": [
    "arn:aws:s3:::testbucket1/*"
]

In my testing, the above effectively only allows listing from the first element in ${jwt:groups}, though I can GetObject on a known object path that differs.
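The two behaviours described in this thread (a ${jwt:groups} variable expanding to the first element only, versus ForAnyValue/ForAllValues applied to the jwt:groups key itself) can be made concrete with a small policy-evaluation simulator. This is an added example, not MinIO's code or anything posted in the issue; the "first element only" substitution rule and the refusal to expand ${jwt:groups[0]} are modelled on the behaviour reported above, not read from the MinIO source, and the set-operator semantics follow the AWS document linked in the reply. The claims, bucket name and group names are constructed sample data.

```python
# Added example (not MinIO's code): a small simulator of how an IAM-style policy treats the
# multi-valued jwt:groups claim.  Two rules are modelled:
#   1. "${jwt:groups}" used as a policy *variable* (in Resource or a condition value) expands
#      to the FIRST element only, and "${jwt:groups[0]}" is not a variable at all.  This is
#      the behaviour reported in the thread, assumed here rather than read from MinIO.
#   2. ForAnyValue:/ForAllValues: set operators applied to the jwt:groups *key* consider every
#      element (semantics per the AWS multi-valued condition-key documentation).
import re
from typing import Callable, Dict, List

Claims = Dict[str, object]

def wildcard_match(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters (including '/'), '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def substitute(template: str, claims: Claims) -> str:
    """Expand ${jwt:<claim>}; a list-valued claim contributes only its first element (assumed)."""
    def first(m) -> str:
        v = claims.get(m.group(1), "")
        if isinstance(v, list):
            return str(v[0]) if v else ""
        return str(v)
    # '[' is not part of a claim name, so "${jwt:groups[0]}" is left as literal text.
    return re.sub(r"\$\{jwt:([A-Za-z0-9_.\-]+)\}", first, template)

def context_values(key: str, request: Dict[str, str], claims: Claims) -> List[str]:
    """Request context: s3:* keys come from the request, jwt:* keys from the token claims."""
    v = claims.get(key[4:]) if key.startswith("jwt:") else request.get(key)
    if v is None:
        return []
    return [str(x) for x in v] if isinstance(v, list) else [str(v)]

def condition_matches(condition: dict, request: Dict[str, str], claims: Claims) -> bool:
    for op_spec, keys in condition.items():
        qualifier, _, op = op_spec.rpartition(":")   # "ForAnyValue:StringLike" -> qualifier, op
        if op not in ("StringEquals", "StringLike"):
            raise ValueError(f"operator not modelled: {op}")
        match: Callable[[str, str], bool] = wildcard_match if op == "StringLike" else (lambda p, v: p == v)
        for key, policy_values in keys.items():
            if not isinstance(policy_values, list):
                policy_values = [policy_values]
            patterns = [substitute(p, claims) for p in policy_values]   # variables expand here
            values = context_values(key, request, claims)
            hits = [any(match(p, v) for p in patterns) for v in values]
            if qualifier == "ForAllValues":
                ok = all(hits)                      # vacuously true when the key is absent
            elif qualifier == "ForAnyValue":
                ok = any(hits)
            else:
                ok = len(values) == 1 and hits[0]   # plain operator needs a single-valued key
            if not ok:
                return False
    return True

def policy_allows(policy: dict, action: str, resource: str, request: Dict[str, str], claims: Claims) -> bool:
    """Allow if any statement allows (the thread's policies have no Deny, so none is modelled)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or action not in stmt["Action"]:
            continue
        if not any(wildcard_match(substitute(r, claims), resource) for r in stmt["Resource"]):
            continue
        if condition_matches(stmt.get("Condition", {}), request, claims):
            return True
    return False

# Constructed sample claims: the caller is in two groups; the order is whatever the IdP sends.
CLAIMS: Claims = {"sub": "alice", "groups": ["team-a", "team-b"]}

# The thread's approach: ${jwt:groups} as a *value* in the ListBucket prefix condition.
VARIABLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::testbucket1"],
     "Condition": {"ForAllValues:StringLike": {"s3:prefix": ["${jwt:groups}", "${jwt:groups}/*"]}}},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::testbucket1/*"]},
]}

# The supported approach: jwt:groups as a condition *key* under ForAnyValue, so the check is
# "is team-b among the caller's groups" regardless of its position in the array.
MEMBERSHIP_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::testbucket1"],
     "Condition": {"ForAnyValue:StringEquals": {"jwt:groups": ["team-b"]},
                   "StringLike": {"s3:prefix": ["team-b", "team-b/*"]}}},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::testbucket1/team-b/*"],
     "Condition": {"ForAnyValue:StringEquals": {"jwt:groups": ["team-b"]}}},
]}

def can_list(policy: dict, claims: Claims, prefix: str) -> bool:
    return policy_allows(policy, "s3:ListBucket", "arn:aws:s3:::testbucket1",
                         {"s3:prefix": prefix, "s3:delimiter": "/"}, claims)

def can_get(policy: dict, claims: Claims, key: str) -> bool:
    return policy_allows(policy, "s3:GetObject", "arn:aws:s3:::testbucket1/" + key, {}, claims)

if __name__ == "__main__":
    print("variable policy:   list team-a/", can_list(VARIABLE_POLICY, CLAIMS, "team-a/"))    # True
    print("variable policy:   list team-b/", can_list(VARIABLE_POLICY, CLAIMS, "team-b/"))    # False: only groups[0]
    print("variable policy:   get team-b/x", can_get(VARIABLE_POLICY, CLAIMS, "team-b/x"))    # True: Resource is bucket/*
    print("membership policy: list team-b/", can_list(MEMBERSHIP_POLICY, CLAIMS, "team-b/"))  # True
    print("membership policy: get team-a/x", can_get(MEMBERSHIP_POLICY, CLAIMS, "team-a/x"))  # False
```

Run as-is to see the mismatch the last reply describes: under VARIABLE_POLICY the caller can only list team-a/ (the first group) yet can fetch any object under the bucket, because the GetObject resource is bucket/*. Under MEMBERSHIP_POLICY the group test is a set-membership check on the jwt:groups key, so it works for every element of the array; the trade-off is that the prefix has to be spelled out per group in the policy rather than derived from the claim.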