Conditionals of the following format are not captured by the tool for Federated principals in `role-trusts-federated`
Closed this issue · 1 comment
viveksupe commented
Description of Bug
Conditionals of the following format are not captured by the tool for Federated principals in `role-trusts-federated`.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::012345678912:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/SOMEID"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-west-2.amazonaws.com/id/SOMEID:sub": [
            "system:serviceaccount:some-system:some-controller",
            "system:serviceaccount:myoperator-system:myoperator-controller-manager"
          ]
        }
      }
    }
  ]
}
```
What should the expected behavior be
The tool should capture both.
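The likely cause of a parser missing the second `sub` value is that IAM policy grammar allows Principal, Action and Condition values to be written either as a single string or as an array of strings, and a decoder that maps the condition value to a plain string drops the array case. The Go program below is an added example written for this issue, not the tool's own code; the names `StringOrSlice`, `FederatedTrusts`, `SingleSubPolicy` and `OpenPolicy` are chosen here, and the two extra policies are constructed variants of the one in the report (string-form condition, and no condition at all). It parses all three and lists every condition value attached to each Federated principal; an empty list is the case a reviewer most wants flagged, since it means any token issued by the provider can assume the role.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// StringOrSlice decodes either "x" or ["x", "y"] into []string. IAM policy
// grammar allows both forms for Principal, Action and Condition values, so a
// parser that reads a condition value as a plain string silently drops the
// array case reported in this issue.
type StringOrSlice []string

func (s *StringOrSlice) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*s = StringOrSlice{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("expected string or array of strings, got %s", b)
	}
	*s = StringOrSlice(many)
	return nil
}

// Statement models only the fields a trust-policy check needs. Principal is
// decoded as an object, so the bare "*" principal form is out of scope here.
type Statement struct {
	Effect    string                              `json:"Effect"`
	Principal map[string]StringOrSlice            `json:"Principal"`
	Action    StringOrSlice                       `json:"Action"`
	Condition map[string]map[string]StringOrSlice `json:"Condition"`
}
type TrustPolicy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// FederatedTrust is one federated provider plus every condition value that scopes it ("Operator key=value").
type FederatedTrust struct {
	Provider   string
	Conditions []string
}

// FederatedTrusts lists each Allow statement with a Federated principal and
// expands array-valued conditions so that every value is captured.
func FederatedTrusts(policy []byte) ([]FederatedTrust, error) {
	var tp TrustPolicy
	if err := json.Unmarshal(policy, &tp); err != nil {
		return nil, err
	}
	var out []FederatedTrust
	for _, st := range tp.Statement {
		providers := st.Principal["Federated"]
		if st.Effect != "Allow" || len(providers) == 0 {
			continue
		}
		conds := []string{}
		for op, kv := range st.Condition {
			for key, vals := range kv {
				for _, v := range vals {
					conds = append(conds, fmt.Sprintf("%s %s=%s", op, key, v))
				}
			}
		}
		sort.Strings(conds) // map iteration order is random; keep output stable
		for _, prov := range providers {
			out = append(out, FederatedTrust{Provider: prov, Conditions: conds})
		}
	}
	return out, nil
}

// ProviderARN is the OIDC provider from the report above.
const ProviderARN = "arn:aws:iam::012345678912:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/SOMEID"

// IssuePolicy is the trust policy from the report (array-valued sub condition).
const IssuePolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":"` + ProviderARN + `"},
"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringEquals":{"oidc.eks.us-west-2.amazonaws.com/id/SOMEID:sub":[
"system:serviceaccount:some-system:some-controller","system:serviceaccount:myoperator-system:myoperator-controller-manager"]}}}]}`

// SingleSubPolicy is a constructed variant using the string form of the same condition.
const SingleSubPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":"` + ProviderARN + `"},
"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringEquals":{"oidc.eks.us-west-2.amazonaws.com/id/SOMEID:sub":
"system:serviceaccount:some-system:some-controller"}}}]}`

// OpenPolicy is a constructed trust with no Condition: any token from the provider can assume the role.
const OpenPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":"` + ProviderARN + `"},
"Action":"sts:AssumeRoleWithWebIdentity"}]}`

func main() {
	for _, doc := range []string{IssuePolicy, SingleSubPolicy, OpenPolicy} {
		trusts, err := FederatedTrusts([]byte(doc))
		if err != nil {
			panic(err)
		}
		for _, t := range trusts {
			// A zero-length condition list is the finding a reviewer wants flagged.
			fmt.Printf("%s\n  conditions=%d %v\n", t.Provider, len(t.Conditions), t.Conditions)
		}
	}
}
```

The same `StringOrSlice` type is reused for `Action`, which matters for the same reason: `"Action": ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"]` is just as valid as the single-string form, and a string-typed field would fail to decode it rather than merely drop a value.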
sethsec-bf commented
Thanks for this bug report @viveksupe. I think I have fixed this in the seth-dev branch. I'm going to either merge it to main or maybe work on adding some other logic for Terraform Cloud first before the PR to main. Either way, if you want to test it out and let me know if it works, please do!