cloud connectors role chaining #2960

Merged
merged 10 commits into from
Mar 4, 2025


@moukoublen (Member) commented Jan 29, 2025

Summary of your changes

Screenshot/Data

Related Issues

Fixes: #2556

Checklist

  • I have added tests that prove my fix is effective or that my feature works
  • I have added the necessary README/documentation (if appropriate)

Introducing a new rule?

@elastic deleted a comment from mergify bot Jan 29, 2025
@moukoublen force-pushed the cloud_connectors_chaining branch from 34d5f72 to e52824d January 30, 2025 11:25
@moukoublen marked this pull request as ready for review January 30, 2025 13:00
@moukoublen requested a review from a team as a code owner January 30, 2025 13:00
@moukoublen force-pushed the cloud_connectors_chaining branch from 540de53 to 54ed5af February 3, 2025 10:36
@moukoublen force-pushed the cloud_connectors_chaining branch from 54ed5af to a3154bf February 11, 2025 08:04

const defaultDuration = 5 * time.Minute

// Chain Part 1 - Elastic Super Role Local
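
Review bot: `defaultDuration` on the first line does not say what it is the duration of, and no comment explains the 5-minute value. In code that builds a chain of assumed roles, a name tied to its use (whatever setting it controls) plus a one-line comment would let a reader check the value against the limits of the API it is passed to.
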
@olegsu (Contributor) Feb 11, 2025

Super role is a misleading term; it indicates that the role permissions are elevated when it should only be allowed to assume the global role

Member Author

I believe this is something to discuss at the RFC level, wdyt?

)
localSuperRoleCredentialsCache := aws.NewCredentialsCache(localSuperRoleProvider)

// Chain Part 2 - Elastic Super Role Global
Contributor

Super role is a misleading term; it indicates that the role permissions are elevated when we only need audit (SecurityAudit, built-in AWS)

Member Author

The global super role does not have the audit policy; it has no policy apart from the "assume anything". Feel free to refer to the RFC regarding the terminology.

)
globalSuperRoleCredentialsCache := aws.NewCredentialsCache(globalSuperRoleProvider)

// Chain Part 3 - Elastic Super Role Local
Contributor

Suggested change
// Chain Part 3 - Elastic Super Role Local
// Chain Part 3 - Elastic Remote SecurityAudit

@moukoublen force-pushed the cloud_connectors_chaining branch 5 times, most recently from bb35e87 to eea5b40 February 18, 2025 13:06
@moukoublen force-pushed the cloud_connectors_chaining branch from eea5b40 to e5d0918 March 4, 2025 14:54
@moukoublen merged commit 5eea2c3 into elastic:main Mar 4, 2025
9 checks passed
@moukoublen deleted the cloud_connectors_chaining branch March 4, 2025 16:14
Successfully merging this pull request may close these issues.

[Cloud Connectors] Configuration and Flow
3 participants