Got resource mismatch for a valid definition
schosterbarak opened this issue
input:

```hcl
data "aws_iam_policy_document" "example" {
  statement {
    sid = "1"
    actions = [
      "s3:ListAllMyBuckets",
      "s3:GetBucketLocation",
    ]
    resources = [
      "arn:aws:s3:::*",
    ]
  }

  statement {
    actions = [
      "s3:ListBucket",
    ]
    resources = [
      "arn:aws:s3:::${var.s3_bucket_name}",
    ]
    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values = [
        "",
        "home/",
        "home/&{aws:username}/",
      ]
    }
  }

  statement {
    actions = [
      "s3:*",
    ]
    resources = [
      "arn:aws:s3:::${var.s3_bucket_name}/home/&{aws:username}",
      "arn:aws:s3:::${var.s3_bucket_name}/home/&{aws:username}/*",
    ]
  }
}

resource "aws_iam_policy" "example" {
  name   = "example_policy"
  path   = "/"
  policy = "${data.aws_iam_policy_document.example.json}"
}
```
output:

```text
RESOURCE_MISMATCH
Details:
action: s3:ListAllMyBuckets, required_format: *
Location:
{'actions': ['s3:ListAllMyBuckets', 's3:GetBucketLocation'], 'filepath': None}
RESOURCE_MISMATCH
Details:
action: s3:CreateBucket, required_format: arn:*:s3:::*
action: s3:CreateJob, required_format: *
action: s3:DeleteBucket, required_format: arn:*:s3:::*
action: s3:DeleteBucketPolicy, required_format: arn:*:s3:::*
action: s3:DeleteBucketWebsite, required_format: arn:*:s3:::*
action: s3:GetAccelerateConfiguration, required_format: arn:*:s3:::*
action: s3:GetAccessPoint, required_format: *
action: s3:GetAccountPublicAccessBlock, required_format: *
action: s3:GetAnalyticsConfiguration, required_format: arn:*:s3:::*
action: s3:GetBucketAcl, required_format: arn:*:s3:::*
action: s3:GetBucketCORS, required_format: arn:*:s3:::*
action: s3:GetBucketLocation, required_format: arn:*:s3:::*
action: s3:GetBucketLogging, required_format: arn:*:s3:::*
action: s3:GetBucketNotification, required_format: arn:*:s3:::*
action: s3:GetBucketObjectLockConfiguration, required_format: arn:*:s3:::*
action: s3:GetBucketPolicy, required_format: arn:*:s3:::*
action: s3:GetBucketPolicyStatus, required_format: arn:*:s3:::*
action: s3:GetBucketPublicAccessBlock, required_format: arn:*:s3:::*
action: s3:GetBucketRequestPayment, required_format: arn:*:s3:::*
action: s3:GetBucketTagging, required_format: arn:*:s3:::*
action: s3:GetBucketVersioning, required_format: arn:*:s3:::*
action: s3:GetBucketWebsite, required_format: arn:*:s3:::*
action: s3:GetEncryptionConfiguration, required_format: arn:*:s3:::*
action: s3:GetInventoryConfiguration, required_format: arn:*:s3:::*
action: s3:GetLifecycleConfiguration, required_format: arn:*:s3:::*
action: s3:GetMetricsConfiguration, required_format: arn:*:s3:::*
action: s3:GetReplicationConfiguration, required_format: arn:*:s3:::*
action: s3:ListAccessPoints, required_format: *
action: s3:ListAllMyBuckets, required_format: *
action: s3:ListBucket, required_format: arn:*:s3:::*
action: s3:ListBucketMultipartUploads, required_format: arn:*:s3:::*
action: s3:ListBucketVersions, required_format: arn:*:s3:::*
action: s3:ListJobs, required_format: *
action: s3:PutAccelerateConfiguration, required_format: arn:*:s3:::*
action: s3:PutAccountPublicAccessBlock, required_format: *
action: s3:PutAnalyticsConfiguration, required_format: arn:*:s3:::*
action: s3:PutBucketAcl, required_format: arn:*:s3:::*
action: s3:PutBucketCORS, required_format: arn:*:s3:::*
action: s3:PutBucketLogging, required_format: arn:*:s3:::*
action: s3:PutBucketNotification, required_format: arn:*:s3:::*
action: s3:PutBucketObjectLockConfiguration, required_format: arn:*:s3:::*
action: s3:PutBucketPolicy, required_format: arn:*:s3:::*
action: s3:PutBucketPublicAccessBlock, required_format: arn:*:s3:::*
action: s3:PutBucketRequestPayment, required_format: arn:*:s3:::*
action: s3:PutBucketTagging, required_format: arn:*:s3:::*
action: s3:PutBucketVersioning, required_format: arn:*:s3:::*
action: s3:PutBucketWebsite, required_format: arn:*:s3:::*
action: s3:PutEncryptionConfiguration, required_format: arn:*:s3:::*
action: s3:PutInventoryConfiguration, required_format: arn:*:s3:::*
action: s3:PutLifecycleConfiguration, required_format: arn:*:s3:::*
action: s3:PutMetricsConfiguration, required_format: arn:*:s3:::*
action: s3:PutReplicationConfiguration, required_format: arn:*:s3:::*
Location:
{'actions': ['s3:*'], 'filepath': None}
```
Ah yes I'm getting the same thing, we'll have to go upstream to parliament ...
https://github.com/duo-labs/parliament
ACTUALLY - I think the reason is some s3: actions apply to buckets, and some to objects; strictly speaking they should be split up
Yes that's it .... so you can't use like Get*
Makes sense if your IAM policies are to be minimum privilege I guess
I've updated the Readme with a note:
You will receive RESOURCE_MISMATCH if you have a policy with action Get* and resource ending in /* (referring to objects in a bucket), since s3:Get* includes some permissions which are bucket-level, not object-level. I have tried allowing you to ignore this by implementing config override per Parliament doco, and calling parliament.override_config(), to no avail
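To make the thread's conclusion concrete, here is an added Python example (not parliament's code and not part of this issue) that reproduces the two findings above with a small constructed table and then shows the split policy that passes. The `REQUIRED_FORMAT` table is a hand-picked subset of the `required_format` values printed in the output; the object-level entries (`arn:*:s3:::*/*`) and the exact matching rule are my assumptions, not parliament's implementation, and `example-bucket` stands in for `${var.s3_bucket_name}`.

```python
import fnmatch
import re

# Constructed subset of the per-action required_format table. Values for the
# bucket-level and account-level actions are copied from the issue's output;
# the object-level entries are an assumption about the object ARN shape.
REQUIRED_FORMAT = {
    "s3:ListAllMyBuckets": "*",
    "s3:CreateJob": "*",
    "s3:GetBucketLocation": "arn:*:s3:::*",
    "s3:GetBucketPolicy": "arn:*:s3:::*",
    "s3:ListBucket": "arn:*:s3:::*",
    "s3:PutBucketPolicy": "arn:*:s3:::*",
    "s3:GetObject": "arn:*:s3:::*/*",     # assumed object-level format
    "s3:PutObject": "arn:*:s3:::*/*",     # assumed object-level format
    "s3:DeleteObject": "arn:*:s3:::*/*",  # assumed object-level format
}


def expand_actions(patterns):
    """Expand wildcard actions such as s3:Get* or s3:* against the table.

    This is why Get* trips the check: it covers bucket-level and
    object-level actions at once, and no single resource fits both.
    """
    found = set()
    for pat in patterns:
        for action in REQUIRED_FORMAT:
            if fnmatch.fnmatchcase(action.lower(), pat.lower()):
                found.add(action)
    return sorted(found)


def _format_regex(required):
    """'*' in a required format matches one ARN segment (no '/'); a trailing
    '/*' matches a whole object key, which may itself contain slashes."""
    tail_any = required.endswith("/*")
    core = required[:-2] if tail_any else required
    regex = "[^/]*".join(re.escape(p) for p in core.split("*"))
    if tail_any:
        regex += "/.*"
    return "^" + regex + "$"


def _candidates(resource):
    """Concrete strings a policy resource could denote: wildcards become 'x',
    and a trailing '*' may also extend across a '/' (as it does in IAM)."""
    base = resource.replace("*", "x")
    if resource.endswith("*"):
        return [base, resource[:-1].replace("*", "x") + "x/x"]
    return [base]


def resource_satisfies(resource, required):
    """Does a policy Resource entry fit the shape an action requires?

    Policy '*' covers everything; a required '*' is satisfied only by '*',
    which is why arn:aws:s3:::* was rejected for s3:ListAllMyBuckets.
    """
    if resource == "*":
        return True
    if required == "*":
        return False
    pattern = _format_regex(required)
    return any(re.match(pattern, c) for c in _candidates(resource))


def check_statement(actions, resources):
    """Return (action, required_format) pairs that no Resource entry fits."""
    findings = []
    for action in expand_actions(actions):
        required = REQUIRED_FORMAT[action]
        if not any(resource_satisfies(r, required) for r in resources):
            findings.append((action, required))
    return findings


def analyze(statements):
    """Map statement index -> findings, for statements that have any."""
    result = {}
    for i, s in enumerate(statements):
        findings = check_statement(s["actions"], s["resources"])
        if findings:
            result[i] = findings
    return result


BUCKET = "arn:aws:s3:::example-bucket"  # constructed stand-in for the variable

# The three statements from the issue, as they appear after Terraform renders
# &{aws:username} to ${aws:username} in the policy JSON.
ORIGINAL = [
    {"actions": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "resources": ["arn:aws:s3:::*"]},
    {"actions": ["s3:ListBucket"], "resources": [BUCKET]},
    {"actions": ["s3:*"],
     "resources": [BUCKET + "/home/${aws:username}",
                   BUCKET + "/home/${aws:username}/*"]},
]

# Least-privilege rewrite: one statement per resource level, no wildcards.
SPLIT = [
    {"actions": ["s3:ListAllMyBuckets"], "resources": ["*"]},
    {"actions": ["s3:GetBucketLocation", "s3:ListBucket"], "resources": [BUCKET]},
    {"actions": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "resources": [BUCKET + "/home/${aws:username}/*"]},
]

if __name__ == "__main__":
    print("Get* expands to:", expand_actions(["s3:Get*"]))
    print("original findings:", analyze(ORIGINAL))
    print("split findings:", analyze(SPLIT))
```

Running it reports the first statement for `s3:ListAllMyBuckets` and the `s3:*` statement for every bucket- and account-level action, matching the output above, while the split policy comes back clean; the point is that the mismatch is a real signal about the policy's shape, not a false positive to override.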