[arvados] created: 2.6.0-138-gc342e37e4
Tue May 9 15:04:17 UTC 2023
at c342e37e4fd4925926b6dd03d116da96c1c5fba3 (commit)
commit c342e37e4fd4925926b6dd03d116da96c1c5fba3
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date: Tue May 9 12:03:24 2023 -0300
20489: Fixes privilege escalation issue in the installer's Terraform code.
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>
diff --git a/tools/salt-install/terraform/aws/services/main.tf b/tools/salt-install/terraform/aws/services/main.tf
index 7ec3b954e..68ffaf42d 100644
--- a/tools/salt-install/terraform/aws/services/main.tf
+++ b/tools/salt-install/terraform/aws/services/main.tf
@@ -82,7 +82,6 @@ resource "aws_iam_policy" "cloud_dispatcher_ec2_access" {
Statement: [{
Effect: "Allow",
Action: [
- "iam:PassRole",
"ec2:DescribeKeyPairs",
"ec2:ImportKeyPair",
"ec2:RunInstances",
@@ -91,6 +90,13 @@ resource "aws_iam_policy" "cloud_dispatcher_ec2_access" {
"ec2:TerminateInstances"
],
Resource: "*"
+ },
+ {
+ Effect: "Allow",
+ Action: [
+ "iam:PassRole",
+ ],
+ Resource: "arn:aws:iam::*:role/${aws_iam_instance_profile.keepstore_instance_profile.name}"
}]
})
}
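Review bot: The new PassRole statement's Resource is built from `aws_iam_instance_profile.keepstore_instance_profile.name`, but iam:PassRole is authorized against the IAM role's ARN, not the instance profile's; unless the profile and its role share a name, the dispatcher will be denied when it calls RunInstances with that profile, and if they do share a name the coupling is accidental and should be stated. Referencing the role resource's `.arn` attribute directly (e.g. `Resource: aws_iam_role.<keepstore_role>.arn`, whatever that resource is called in this file) removes both the account wildcard and the name dependency. It is also worth constraining who the role may be passed to, since PassRole without a service condition still lets the dispatcher attach the keepstore role to any service it can reach: `Condition: { StringEquals: { "iam:PassedToService": "ec2.amazonaws.com" } }`. The `cloud_dispatcher_ec2_access` policy resource starts before this hunk, so the ec2 statement's `Resource: "*"` scope is only partly visible here.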