We used the IAM policy simulator to check whether a policy has permission to perform specific actions on specific ELB resources. The simulator returned `implicitDeny` instead of `allowed`. This result is erroneous, because the actions and resources in the policy document were identical to the parameters passed to the simulator. To confirm this, we attached the policy to a role and used that role to perform the same actions on the same resources in a live AWS environment, and the calls succeeded.

We will now reproduce this error as minimally as possible.
Both the AWS SDK for Python (a.k.a. `boto3`)

```python
import boto3

# A single Allow statement whose action and resource exactly match
# the parameters passed to the simulator below.
policy_input_list = [
    """{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "elasticloadbalancing:AddTags"
                ],
                "Resource": [
                    "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*"
                ]
            }
        ]
    }"""
]
action_names = ["elasticloadbalancing:AddTags"]
resource_arns = ["arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*"]

response = boto3.client("iam").simulate_custom_policy(
    PolicyInputList=policy_input_list,
    ActionNames=action_names,
    ResourceArns=resource_arns,
)
# Expected "allowed"; observed "implicitDeny".
print(response["EvaluationResults"][0]["EvalDecision"])
```
and the AWS CLI

```bash
policy_input_list='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["elasticloadbalancing:AddTags"],"Resource":["arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*"]}]}'
action_names='elasticloadbalancing:AddTags'
resource_arns='arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*'

# Quote the variables so the shell does not word-split or glob-expand the ARN wildcards.
aws iam simulate-custom-policy \
    --policy-input-list "$policy_input_list" \
    --action-names "$action_names" \
    --resource-arns "$resource_arns"
```

erroneously evaluate this to `implicitDeny`.
Interestingly, the IAM Policy Simulator (the web-based tool) correctly evaluates this to `allowed`.
The problematic statement

```json
{
    "Effect": "Allow",
    "Action": [
        "elasticloadbalancing:AddTags",
        "elasticloadbalancing:RemoveTags"
    ],
    "Resource": [
        "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
        "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
        "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
        "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
    ]
}
```

originates from the policy document of the AWS Load Balancer Controller (https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json). Any combination of these actions and resources (and only them) is evaluated correctly by the IAM Policy Simulator, but incorrectly by `boto3` and the AWS CLI.
Note that we are using the latest versions of `boto3` (v1.27.72) and the AWS CLI (v1.27.72).