uswitch / kiam

Integrate AWS IAM with Kubernetes


Malformed role causes panic

preflightsiren opened this issue · comments

We observed an issue with KIAM 4.2 today in our engineering environment when someone manually edited the IAM role for a deployment and pasted in a malformed ARN (incorrect number of :'s).

I've attached a quick test to help prove the error, and I have a branch locally with a reasonable fix IMO.

pkg/aws/sts/arn_resolver_test.go

package sts

import "testing"

// TestMalformedInstanceArn checks that Resolve returns normally, rather than
// panicking, when handed an ARN with the wrong number of ':' separators.
func TestMalformedInstanceArn(t *testing.T) {
	defer func() {
		if r := recover(); r != nil {
			t.Errorf("Unexpected panic from resolver.Resolve(): %v", r)
		}
	}()
	resolver := DefaultResolver("arn:aws:iam::account-id:role/")
	// One ':' is missing before the account id (5 fields instead of 6).
	_, _ = resolver.Resolve("arn:aws:iam:account-id:role/my-role")
}
❯ go test ./pkg/aws/sts -race
--- FAIL: TestMalformedInstanceArn (0.00s)
    arn_resolver_test.go:115: Unexpected panic from resolver.Resolve()
time="2022-10-25T13:35:23+11:00" level=info msg="requested new credentials" credentials.access.key= credentials.expiration= credentials.role="arn:account:role"
time="2022-10-25T13:35:23+11:00" level=info msg="requested new credentials" credentials.access.key= credentials.expiration= credentials.role="arn:account:role" credentials.session-name=testing
time="2022-10-25T13:35:23+11:00" level=info msg="requested new credentials" credentials.access.key= credentials.expiration= credentials.role="arn:account:role" credentials.session-name="testing@#&-test%"
time="2022-10-25T13:35:23+11:00" level=info msg="requested new credentials" credentials.access.key= credentials.expiration= credentials.role="arn:account:role" credentials.session-name=****
time="2022-10-25T13:35:23+11:00" level=info msg="requested new credentials" credentials.access.key= credentials.expiration= credentials.external-id="******" credentials.role="arn:account:role"
FAIL
FAIL    github.com/uswitch/kiam/pkg/aws/sts     2.347s
FAIL

Given the high likelihood of user error, and the high impact (panic), I would hope we can merge and release a patch version.
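The issue does not say where inside Resolve the panic originates. One common way a panic like this arises (an assumption here, not a statement about kiam's code) is splitting the ARN on ':' and then reading the fields by position without first checking how many fields came back. The following is an added example, not code from kiam or from the issue author: a small ARN parser and a hypothetical RoleResolver (the names ParseArn, NewRoleResolver and RoleResolver are inventions for this illustration) that validate the field count and return an error for the malformed input from the issue instead of panicking. The sample inputs in main are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrMalformedArn is returned for any input that does not have the six
// colon-separated fields of an ARN, or that is not an IAM role ARN.
var ErrMalformedArn = errors.New("malformed ARN")

// Arn holds the fields of "arn:partition:service:region:account:resource".
type Arn struct {
	Partition string
	Service   string
	Region    string
	Account   string
	Resource  string
}

// ParseArn splits s into its six fields. SplitN with a limit of 6 keeps any
// colons inside the resource part intact, and the length check is what turns
// a wrong number of separators into an error rather than an index-out-of-range
// panic when the fields are read by position.
func ParseArn(s string) (Arn, error) {
	parts := strings.SplitN(s, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" {
		return Arn{}, fmt.Errorf("%w: want arn:partition:service:region:account:resource, got %q", ErrMalformedArn, s)
	}
	a := Arn{Partition: parts[1], Service: parts[2], Region: parts[3], Account: parts[4], Resource: parts[5]}
	if a.Partition == "" || a.Service == "" || a.Resource == "" {
		return Arn{}, fmt.Errorf("%w: empty partition, service or resource in %q", ErrMalformedArn, s)
	}
	return a, nil
}

// RoleResolver is a hypothetical stand-in for a kiam-style resolver: a bare
// role name is joined to the configured "arn:aws:iam::<account>:role/" prefix,
// a full ARN is passed through. Both paths are validated with ParseArn, so
// malformed input on either path produces an error, never a panic.
type RoleResolver struct {
	prefix string
}

// NewRoleResolver returns a resolver that prefixes bare role names with prefix.
func NewRoleResolver(prefix string) *RoleResolver {
	return &RoleResolver{prefix: prefix}
}

// Resolve returns the full IAM role ARN for role, or ErrMalformedArn.
func (r *RoleResolver) Resolve(role string) (string, error) {
	full := role
	if !strings.HasPrefix(role, "arn:") {
		full = r.prefix + role
	}
	a, err := ParseArn(full)
	if err != nil {
		return "", err
	}
	// Only an IAM role ARN with a non-empty account id is acceptable here.
	if a.Service != "iam" || a.Account == "" || !strings.HasPrefix(a.Resource, "role/") {
		return "", fmt.Errorf("%w: %q is not an IAM role ARN", ErrMalformedArn, full)
	}
	return full, nil
}

func main() {
	r := NewRoleResolver("arn:aws:iam::123456789012:role/")
	// Constructed inputs: a bare role name, a well-formed ARN, and the
	// colon-count mistake from the issue (one ':' missing before the account id).
	for _, in := range []string{
		"my-role",
		"arn:aws:iam::123456789012:role/my-role",
		"arn:aws:iam:123456789012:role/my-role",
	} {
		out, err := r.Resolve(in)
		if err != nil {
			fmt.Printf("%-42q -> rejected: %v\n", in, err)
			continue
		}
		fmt.Printf("%-42q -> %s\n", in, out)
	}
}
```

Because callers get an error value back, the pod simply fails to obtain credentials and the problem is logged, instead of the kiam process going down for every pod on the node. The IAM-role check in Resolve is a deliberate extra: it also rejects a syntactically valid ARN for the wrong service, which a plain field count would let through.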