rdkls / tf-parliament

Got resource mismatch for a valid definition

schosterbarak opened this issue · comments

input:

data "aws_iam_policy_document" "example" {
  statement {
    sid = "1"

    actions = [
      "s3:ListAllMyBuckets",
      "s3:GetBucketLocation",
    ]

    resources = [
      "arn:aws:s3:::*",
    ]
  }

  statement {
    actions = [
      "s3:ListBucket",
    ]

    resources = [
      "arn:aws:s3:::${var.s3_bucket_name}",
    ]

    condition {
      test     = "StringLike"
      variable = "s3:prefix"

      values = [
        "",
        "home/",
        "home/&{aws:username}/",
      ]
    }
  }

  statement {
    actions = [
      "s3:*",
    ]

    resources = [
      "arn:aws:s3:::${var.s3_bucket_name}/home/&{aws:username}",
      "arn:aws:s3:::${var.s3_bucket_name}/home/&{aws:username}/*",
    ]
  }
}

resource "aws_iam_policy" "example" {
  name   = "example_policy"
  path   = "/"
  policy = "${data.aws_iam_policy_document.example.json}"
}

output:

RESOURCE_MISMATCH
Details:
  action: s3:ListAllMyBuckets, required_format: *
Location:
  {'actions': ['s3:ListAllMyBuckets', 's3:GetBucketLocation'], 'filepath': None}
RESOURCE_MISMATCH
Details:
  action: s3:CreateBucket, required_format: arn:*:s3:::*
  action: s3:CreateJob, required_format: *
  action: s3:DeleteBucket, required_format: arn:*:s3:::*
  action: s3:DeleteBucketPolicy, required_format: arn:*:s3:::*
  action: s3:DeleteBucketWebsite, required_format: arn:*:s3:::*
  action: s3:GetAccelerateConfiguration, required_format: arn:*:s3:::*
  action: s3:GetAccessPoint, required_format: *
  action: s3:GetAccountPublicAccessBlock, required_format: *
  action: s3:GetAnalyticsConfiguration, required_format: arn:*:s3:::*
  action: s3:GetBucketAcl, required_format: arn:*:s3:::*
  action: s3:GetBucketCORS, required_format: arn:*:s3:::*
  action: s3:GetBucketLocation, required_format: arn:*:s3:::*
  action: s3:GetBucketLogging, required_format: arn:*:s3:::*
  action: s3:GetBucketNotification, required_format: arn:*:s3:::*
  action: s3:GetBucketObjectLockConfiguration, required_format: arn:*:s3:::*
  action: s3:GetBucketPolicy, required_format: arn:*:s3:::*
  action: s3:GetBucketPolicyStatus, required_format: arn:*:s3:::*
  action: s3:GetBucketPublicAccessBlock, required_format: arn:*:s3:::*
  action: s3:GetBucketRequestPayment, required_format: arn:*:s3:::*
  action: s3:GetBucketTagging, required_format: arn:*:s3:::*
  action: s3:GetBucketVersioning, required_format: arn:*:s3:::*
  action: s3:GetBucketWebsite, required_format: arn:*:s3:::*
  action: s3:GetEncryptionConfiguration, required_format: arn:*:s3:::*
  action: s3:GetInventoryConfiguration, required_format: arn:*:s3:::*
  action: s3:GetLifecycleConfiguration, required_format: arn:*:s3:::*
  action: s3:GetMetricsConfiguration, required_format: arn:*:s3:::*
  action: s3:GetReplicationConfiguration, required_format: arn:*:s3:::*
  action: s3:ListAccessPoints, required_format: *
  action: s3:ListAllMyBuckets, required_format: *
  action: s3:ListBucket, required_format: arn:*:s3:::*
  action: s3:ListBucketMultipartUploads, required_format: arn:*:s3:::*
  action: s3:ListBucketVersions, required_format: arn:*:s3:::*
  action: s3:ListJobs, required_format: *
  action: s3:PutAccelerateConfiguration, required_format: arn:*:s3:::*
  action: s3:PutAccountPublicAccessBlock, required_format: *
  action: s3:PutAnalyticsConfiguration, required_format: arn:*:s3:::*
  action: s3:PutBucketAcl, required_format: arn:*:s3:::*
  action: s3:PutBucketCORS, required_format: arn:*:s3:::*
  action: s3:PutBucketLogging, required_format: arn:*:s3:::*
  action: s3:PutBucketNotification, required_format: arn:*:s3:::*
  action: s3:PutBucketObjectLockConfiguration, required_format: arn:*:s3:::*
  action: s3:PutBucketPolicy, required_format: arn:*:s3:::*
  action: s3:PutBucketPublicAccessBlock, required_format: arn:*:s3:::*
  action: s3:PutBucketRequestPayment, required_format: arn:*:s3:::*
  action: s3:PutBucketTagging, required_format: arn:*:s3:::*
  action: s3:PutBucketVersioning, required_format: arn:*:s3:::*
  action: s3:PutBucketWebsite, required_format: arn:*:s3:::*
  action: s3:PutEncryptionConfiguration, required_format: arn:*:s3:::*
  action: s3:PutInventoryConfiguration, required_format: arn:*:s3:::*
  action: s3:PutLifecycleConfiguration, required_format: arn:*:s3:::*
  action: s3:PutMetricsConfiguration, required_format: arn:*:s3:::*
  action: s3:PutReplicationConfiguration, required_format: arn:*:s3:::*
Location:
  {'actions': ['s3:*'], 'filepath': None}

commented

Ah yes I'm getting the same thing, we'll have to go upstream to parliament ...
https://github.com/duo-labs/parliament

commented

ACTUALLY - I think the reason is some s3: actions apply to buckets, and some to objects; strictly speaking they should be split up

commented

Yes that's it .... so you can't use something like Get*
Makes sense if your IAM policies are to be minimum privilege I guess
I've updated the Readme with a note:

You will receive RESOURCE_MISMATCH if you have a policy with action Get* and resource ending in /* (referring to objects in a bucket), since s3:Get* includes some permissions which are bucket-level, not object-level. I have tried allowing you to ignore this by implementing config override per Parliament doco, and calling parliament.override_config(), to no avail.
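The bucket-versus-object distinction the thread settles on can be checked directly, and the least-privilege fix (narrowing `s3:*` or `s3:Get*` to the actions the listed resources can actually satisfy) can be derived from the same data. The script below is an added example for this thread, not code from tf-parliament or from parliament. It assumes a small hand-constructed catalog of S3 actions and their resource scope (a subset, not the full list parliament ships), uses `my-bucket` as a placeholder for `var.s3_bucket_name`, and reproduces the issue's three statements as the JSON the `aws_iam_policy_document` data source would render (the `&{aws:username}` escape becomes a literal `${aws:username}`).

```python
"""Flag S3 actions whose resource-level scope does not match a statement's
resources, then narrow action wildcards to the actions that actually fit.

Added example for this issue thread; not tf-parliament's or parliament's code.
The action catalog is a constructed subset of S3 actions, assumed for illustration.
"""
import fnmatch
import re

# Constructed subset: S3 action -> the resource shape IAM requires for it.
#   "account": only "*" is valid (there is no ARN form)
#   "bucket" : arn:aws:s3:::bucket-name
#   "object" : arn:aws:s3:::bucket-name/key
S3_ACTION_SCOPE = {
    "s3:ListAllMyBuckets": "account",
    "s3:GetBucketLocation": "bucket",
    "s3:ListBucket": "bucket",
    "s3:GetBucketPolicy": "bucket",
    "s3:PutBucketPolicy": "bucket",
    "s3:GetObject": "object",
    "s3:PutObject": "object",
    "s3:DeleteObject": "object",
}

_BUCKET_ARN = re.compile(r"^arn:[^:]*:s3:::[^/]+$")     # also matches arn:aws:s3:::*
_OBJECT_ARN = re.compile(r"^arn:[^:]*:s3:::[^/]+/.*$")  # anything after the first slash is a key


def resource_scope(resource):
    """Classify a Resource entry as 'any' (bare *), 'object', 'bucket' or 'unknown'."""
    if resource == "*":
        return "any"
    if _OBJECT_ARN.match(resource):
        return "object"
    if _BUCKET_ARN.match(resource):
        return "bucket"
    return "unknown"


def expand_actions(patterns):
    """Expand IAM action globs (s3:Get*, s3:*) against the catalog; IAM matches case-insensitively."""
    expanded = []
    for pattern in patterns:
        for action in S3_ACTION_SCOPE:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()) and action not in expanded:
                expanded.append(action)
    return expanded


def _fits(scope_needed, resource):
    scope = resource_scope(resource)
    return scope == "any" or scope == scope_needed


def find_resource_mismatches(statement):
    """Return [(action, required_scope)] for every expanded action that no listed resource can satisfy."""
    resources = statement["Resource"]
    return [(action, S3_ACTION_SCOPE[action])
            for action in expand_actions(statement["Action"])
            if not any(_fits(S3_ACTION_SCOPE[action], r) for r in resources)]


def narrow_actions(statement):
    """Least-privilege rewrite: keep only the expanded actions the statement's resources can satisfy."""
    resources = statement["Resource"]
    kept = [action for action in expand_actions(statement["Action"])
            if any(_fits(S3_ACTION_SCOPE[action], r) for r in resources)]
    return {**statement, "Action": kept}


def lint_policy(statements):
    """Map Sid (or index) -> mismatch findings, for statements that have any."""
    report = {}
    for i, stmt in enumerate(statements):
        hits = find_resource_mismatches(stmt)
        if hits:
            report[stmt.get("Sid", str(i))] = hits
    return report


# The thread's three statements as rendered JSON (constructed; my-bucket is a placeholder).
HOME_STATEMENTS = [
    {"Sid": "1", "Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Resource": ["arn:aws:s3:::*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::my-bucket"]},
    {"Effect": "Allow", "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::my-bucket/home/${aws:username}",
                  "arn:aws:s3:::my-bucket/home/${aws:username}/*"]},
]

if __name__ == "__main__":
    for sid, hits in lint_policy(HOME_STATEMENTS).items():
        print(f"RESOURCE_MISMATCH in statement {sid}:")
        for action, scope in hits:
            print(f"  action: {action}, required scope: {scope}")
    print("narrowed third statement:", narrow_actions(HOME_STATEMENTS[2])["Action"])
```

Run as-is, the first statement is flagged only for `s3:ListAllMyBuckets` (an account-level action that needs a bare `*`, not `arn:aws:s3:::*`), which is exactly the first finding in the issue output, and the `s3:*` statement is flagged for every bucket- and account-level action in the catalog. `narrow_actions` turns that `s3:*` into the object-level actions only, which is the split the maintainer describes; the README's `Get*` case behaves the same way, since `s3:Get*` over a `/*` resource expands to `GetBucketLocation` and `GetBucketPolicy` as well as `GetObject`. Because the catalog is a subset, a real rewrite should be driven by the full action list rather than this table.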