BishopFox/cloudfox

Conditionals of the following format are not captured by the tool when Federated principals in `role-trusts-federated`

Closed this issue · 1 comments

Description of Bug

Conditionals of the following format are not captured by the tool when Federated principals in role-trusts-federated.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::012345678912:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/SOMEID"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.us-west-2.amazonaws.com/id/SOMEID:sub": [
                        "system:serviceaccount:some-system:some-controller",
                        "system:serviceaccount:myoperator-system:myoperator-controller-manager"
                    ]
                }
            }
        }
    ]
}
```

What should the expected behavior be

The tool should capture both.

Thanks for this bug report @viveksupe. I think I have fixed this in the seth-dev branch. I'm going to either merge it to main or maybe work on adding some other logic for terraform cloud first before the PR to main. Either way, if you want to test it out and let me know if it works, please do!
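The underlying parsing problem in this report is that IAM lets a `Condition` value (and `Principal`, `Action`) be written either as a single JSON string or as a JSON array of strings, so a decoder that only expects one of the two shapes silently drops the list form. The Go program below is an added example, not cloudfox's code and not the fix in the seth-dev branch: it decodes a trust policy with a `StringOrSlice` type that accepts both shapes, and reports every federated principal together with the condition operator, key and all of its values, so an auditor sees each service-account subject the role trusts. The type names (`StringOrSlice`, `Principal`, `FederatedTrust`) and the function `FederatedTrusts` are assumptions for this example; the sample policy is the one from the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// StringOrSlice decodes a JSON value that is either "x" or ["x", "y"].
// IAM permits both forms for Condition values, Action and Principal entries.
type StringOrSlice []string

func (s *StringOrSlice) UnmarshalJSON(data []byte) error {
	var single string
	if err := json.Unmarshal(data, &single); err == nil {
		*s = StringOrSlice{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(data, &many); err != nil {
		return fmt.Errorf("value is neither a string nor a list of strings: %w", err)
	}
	*s = StringOrSlice(many)
	return nil
}

// Principal is normally a map such as {"Federated": "..."} but may also be the
// bare string "*", which IAM treats as {"AWS": "*"}; both are accepted here.
type Principal map[string]StringOrSlice

func (p *Principal) UnmarshalJSON(data []byte) error {
	var wildcard string
	if err := json.Unmarshal(data, &wildcard); err == nil {
		*p = Principal{"AWS": {wildcard}}
		return nil
	}
	var m map[string]StringOrSlice
	if err := json.Unmarshal(data, &m); err != nil {
		return fmt.Errorf("principal is neither a string nor an object: %w", err)
	}
	*p = Principal(m)
	return nil
}

type Statement struct {
	Effect    string                              `json:"Effect"`
	Principal Principal                           `json:"Principal"`
	Action    StringOrSlice                       `json:"Action"`
	Condition map[string]map[string]StringOrSlice `json:"Condition"`
}

// TrustPolicy assumes Statement is written as an array (the common form).
type TrustPolicy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// FederatedTrust is one (provider, condition) pair an auditor should review.
// An empty Operator means the federated principal is trusted without any
// condition, which is the riskiest shape and worth flagging on its own.
type FederatedTrust struct {
	Provider string
	Operator string
	Key      string
	Values   []string
}

// FederatedTrusts lists every federated principal in Allow statements, keeping
// every value of every condition key rather than only the first.
func FederatedTrusts(policyJSON []byte) ([]FederatedTrust, error) {
	var p TrustPolicy
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return nil, err
	}
	var out []FederatedTrust
	for _, st := range p.Statement {
		if st.Effect != "Allow" {
			continue
		}
		for _, provider := range st.Principal["Federated"] {
			if len(st.Condition) == 0 {
				out = append(out, FederatedTrust{Provider: provider})
				continue
			}
			for op, kv := range st.Condition {
				for key, vals := range kv {
					out = append(out, FederatedTrust{provider, op, key, []string(vals)})
				}
			}
		}
	}
	return out, nil
}

// SamplePolicy is the trust policy quoted in the issue.
const SamplePolicy = `{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::012345678912:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/SOMEID"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {"oidc.eks.us-west-2.amazonaws.com/id/SOMEID:sub": [
      "system:serviceaccount:some-system:some-controller",
      "system:serviceaccount:myoperator-system:myoperator-controller-manager"]}}
  }]
}`

func main() {
	trusts, err := FederatedTrusts([]byte(SamplePolicy))
	if err != nil {
		panic(err)
	}
	for _, t := range trusts {
		fmt.Printf("%s\n  %s %s = %v\n", t.Provider, t.Operator, t.Key, t.Values)
	}
}
```

Running it against the policy from the issue prints one federated provider with both `system:serviceaccount:...` subjects; the same function also handles the single-string condition form and a bare `"Principal": "*"` statement (which yields no federated entry), so the decoder does not break on the other shapes a real account will contain.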