Assume Role Policy perpetual diff
uia3es opened this issue · 0 comments
Describe the bug
Creating an IAM role with a conditional assume role policy can result in a perpetual diff based on the order within the conditions. For example, we have a role defined like so:

```yaml
apiVersion: iam.services.k8s.aws/v1alpha1
kind: Role
metadata:
  name: service
  namespace: services
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<redacted>:role/dev-service
spec:
  assumeRolePolicyDocument: >-
    {"Version":"2012-10-17","Statement":[{"Sid":"AssumeRolePolicy","Effect":"Allow","Principal":{"Federated":"arn:aws:iam::<redacted>:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/<redacted>"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringEquals":{"oidc.eks.eu-west-1.amazonaws.com/id/<redacted>:sub":"system:serviceaccount:services:dev-service","oidc.eks.eu-west-1.amazonaws.com/id/<redacted>:aud":"sts.amazonaws.com"}}}]}
  name: dev-service
  inlinePolicies: {}
  policies:
    - arn:aws:iam::<redacted>:policy/dev-service
```
This yields a perpetual diff of:
```
2024-08-22T09:45:34.405Z INFO ackrt desired resource state has changed {"account": "<redacted>", "role": "", "region": "eu-west-1", "kind": "Role", "namespace": "services", "name": "dev-service", "is_adopted": false, "generation": 5, "diff": [{"Path":{"Parts":["Spec","AssumeRolePolicyDocument"]},"A":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AssumeRolePolicy\",\"Effect\":\"Allow\",\"Principal\":{\"Federated\":\"arn:aws:iam::<redacted>:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/<redacted>\"},\"Action\":\"sts:AssumeRoleWithWebIdentity\",\"Condition\":{\"StringEquals\":{\"oidc.eks.eu-west-1.amazonaws.com/id/<redacted>:sub\":\"system:serviceaccount:services:dev-service\",\"oidc.eks.eu-west-1.amazonaws.com/id/<redacted>:aud\":\"sts.amazonaws.com\"}}}]}","B":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AssumeRolePolicy\",\"Effect\":\"Allow\",\"Principal\":{\"Federated\":\"arn:aws:iam::<redacted>:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/<redacted>\"},\"Action\":\"sts:AssumeRoleWithWebIdentity\",\"Condition\":{\"StringEquals\":{\"oidc.eks.eu-west-1.amazonaws.com/id/<redacted>:aud\":\"sts.amazonaws.com\",\"oidc.eks.eu-west-1.amazonaws.com/id/<redacted>:sub\":\"system:serviceaccount:services:dev-service\"}}}]}"}]}
```
If you reverse the conditions in the config:
```json
"Condition":{"StringEquals":{"oidc.eks.eu-west-1.amazonaws.com/id/<redacted>:aud":"sts.amazonaws.com","oidc.eks.eu-west-1.amazonaws.com/id/<redacted>:sub":"system:serviceaccount:services:dev-service"}}
```

Then the perpetual diff will persist, but now it wants to change the order back the other way:

```
2024-08-22T09:47:32.386Z INFO ackrt desired resource state has changed {"account": "<redacted>", "role": "", "region": "eu-west-1", "kind": "Role", "namespace": "services", "name": "dev-service", "is_adopted": false, "generation": 8, "diff": [{"Path":{"Parts":["Spec","AssumeRolePolicyDocument"]},"A":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AssumeRolePolicy\",\"Effect\":\"Allow\",\"Principal\":{\"Federated\":\"arn:aws:iam::<redacted>:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/<redacted>\"},\"Action\":\"sts:AssumeRoleWithWebIdentity\",\"Condition\":{\"StringEquals\":{\"oidc.eks.eu-west-1.amazonaws.com/id/<redacted>:aud\":\"sts.amazonaws.com\",\"oidc.eks.eu-west-1.amazonaws.com/id/<redacted>:sub\":\"system:serviceaccount:services:dev-service\"}}}]}","B":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AssumeRolePolicy\",\"Effect\":\"Allow\",\"Principal\":{\"Federated\":\"arn:aws:iam::<redacted>:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/<redacted>\"},\"Action\":\"sts:AssumeRoleWithWebIdentity\",\"Condition\":{\"StringEquals\":{\"oidc.eks.eu-west-1.amazonaws.com/id/<redacted>:sub\":\"system:serviceaccount:services:dev-service\",\"oidc.eks.eu-west-1.amazonaws.com/id/<redacted>:aud\":\"sts.amazonaws.com\"}}}]}"}]}
```
No win scenario.
Steps to reproduce
Create an IAM role including a conditional assume role policy with multiple StringEquals conditions.
Expected outcome
Ideally it wouldn't mind the order as long as the content was the same, but even if it were opinionated about the order in a consistent and predictable manner, that would work.
Environment
- Kubernetes version: 1.30
- Using EKS: Yes. v1.30.0-eks-036c24b
- AWS service targeted: IAM
- ACK version: from iam-chart-1.2.3
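An added example, not ACK's own code, of the semantic comparison that would avoid this kind of diff: both documents are parsed and compared structurally, so the order of keys inside `Condition` no longer matters. It goes slightly beyond the reported case by also treating a scalar and a one-element list as the same value, which is how IAM reads both. The policy strings, account id and OIDC provider id are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// Constructed sample: the same trust policy with the two StringEquals keys in
// opposite order; B also uses the scalar/list variants IAM accepts.
const policyA = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":"arn:aws:iam::111122223333:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringEquals":{"oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE:sub":"system:serviceaccount:services:dev-service","oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE:aud":"sts.amazonaws.com"}}}]}`
const policyB = `{"Version":"2012-10-17","Statement":{"Effect":"Allow","Principal":{"Federated":"arn:aws:iam::111122223333:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE"},"Action":["sts:AssumeRoleWithWebIdentity"],"Condition":{"StringEquals":{"oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE:aud":"sts.amazonaws.com","oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE:sub":"system:serviceaccount:services:dev-service"}}}}`

// normalize rebuilds a parsed policy so that object key order is irrelevant
// (Go maps are unordered) and a one-element list collapses to its element.
// List order for longer lists is still compared, so this check never claims
// equivalence where there is none.
func normalize(v interface{}) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		out := make(map[string]interface{}, len(t))
		for k, val := range t {
			out[k] = normalize(val)
		}
		return out
	case []interface{}:
		if len(t) == 1 {
			return normalize(t[0])
		}
		out := make([]interface{}, len(t))
		for i, val := range t {
			out[i] = normalize(val)
		}
		return out
	default:
		return v
	}
}

// PoliciesEquivalent reports whether two policy documents are the same policy
// to IAM, regardless of JSON key order or scalar-vs-single-element-list form.
func PoliciesEquivalent(a, b string) (bool, error) {
	var va, vb interface{}
	if err := json.Unmarshal([]byte(a), &va); err != nil {
		return false, fmt.Errorf("policy A: %w", err)
	}
	if err := json.Unmarshal([]byte(b), &vb); err != nil {
		return false, fmt.Errorf("policy B: %w", err)
	}
	return reflect.DeepEqual(normalize(va), normalize(vb)), nil
}
```

A controller that compared desired and observed documents this way, rather than as raw strings, would not report a diff for the two orderings shown in the logs above.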