cloud connectors role chaining #2960

Open
wants to merge 10 commits into
base: main

moukoublen
Member

@moukoublen moukoublen commented Jan 29, 2025

Summary of your changes

Screenshot/Data

Related Issues

Fixes: #2556

Checklist

  • I have added tests that prove my fix is effective or that my feature works
  • I have added the necessary README/documentation (if appropriate)

Introducing a new rule?

@elastic elastic deleted a comment from mergify bot Jan 29, 2025
@moukoublen moukoublen force-pushed the cloud_connectors_chaining branch from 34d5f72 to e52824d Compare January 30, 2025 11:25
@moukoublen moukoublen marked this pull request as ready for review January 30, 2025 13:00
@moukoublen moukoublen requested a review from a team as a code owner January 30, 2025 13:00
@moukoublen moukoublen force-pushed the cloud_connectors_chaining branch from 540de53 to 54ed5af Compare February 3, 2025 10:36
@moukoublen moukoublen force-pushed the cloud_connectors_chaining branch from 54ed5af to a3154bf Compare February 11, 2025 08:04

const defaultDuration = 5 * time.Minute

// Chain Part 1 - Elastic Super Role Local
Contributor

@olegsu olegsu Feb 11, 2025

Super role is a misleading term; it indicates that the role permissions are elevated, when it should only be allowed to assume the global role

Member Author

I believe this is something to discuss at the RFC level, wdyt?

)
localSuperRoleCredentialsCache := aws.NewCredentialsCache(localSuperRoleProvider)

// Chain Part 2 - Elastic Super Role Global
Contributor

Super role is a misleading term; it indicates that the role permissions are elevated, when we only need audit (SecurityAudit built-in AWS)

Member Author

The global super role does not have the audit policy; it has no policy apart from the "assume anything". Feel free to refer to the RFC regarding the terminology.

)
globalSuperRoleCredentialsCache := aws.NewCredentialsCache(globalSuperRoleProvider)

// Chain Part 3 - Elastic Super Role Local
Contributor

Suggested change
// Chain Part 3 - Elastic Super Role Local
// Chain Part 3 - Elastic Remote SecurityAudit

@moukoublen moukoublen force-pushed the cloud_connectors_chaining branch 3 times, most recently from 5c25106 to 3aaf8c5 Compare February 12, 2025 16:57
@moukoublen moukoublen force-pushed the cloud_connectors_chaining branch from 40235b0 to bb35e87 Compare February 18, 2025 09:27
@moukoublen moukoublen force-pushed the cloud_connectors_chaining branch from bb35e87 to eea5b40 Compare February 18, 2025 13:06
Successfully merging this pull request may close these issues.

[Cloud Connectors] Configuration and Flow
3 participants