Emit ASSUMABLE_ROLE NHI type for IAM roles (NHI Phase-1 K3) #126
c1-squire-dev[bot] wants to merge 3 commits into
Connector PR Review: Emit ASSUMABLE_ROLE NHI type for IAM roles (NHI Phase-1 K3)
Blocking Issues: 0 | Suggestions: 0 | Threads Resolved: 0
Review Summary
This PR adds NHI (Non-Human Identity) type classification for IAM roles at sync time using the trust policy already returned by
Security Issues: None found.
Correctness Issues: None found.
Suggestions: None.
ba8b3e5 to 5dc7ee3
Implements NHI Phase-1 K3 type emission (per the NHI RFC §6 row 1); IAM roles (TRAIT_ROLE) are annotated WithNHIType(NHI_TYPE_ASSUMABLE_ROLE, detail). The trust-policy classification is parsed at sync time in List() so the type detail is set on every synced role. Detail strings follow the §2.8 convention <platform>.<object>[.<purpose>]: service-linked roles -> aws.role.service_linked; service-trusted -> aws.role.<service> (e.g. aws.role.lambda); federated -> aws.role.oidc/ saml/federated; cross-account -> aws.role.cross_account; else aws.role. Self-bumps baton-sdk -> v0.11.0 (interim; rebases after the baton-admin fleet bump). The existing AWS-principal grant path is unchanged; Service and Federated trust principals are now retained solely for classification. Co-authored-by: c1-squire-dev[bot] <c1-squire-dev[bot]@users.noreply.github.com>
…archived (v0.4.5) and can't resolve NonHumanIdentityTrait Co-authored-by: c1-squire-dev[bot] <c1-squire-dev[bot]@users.noreply.github.com>
…366) AWS service-linked roles are platform-custodied — the org doesn't control their trust policy, AWS does — so they map to NHI_TYPE_MANAGED_IDENTITY rather than ASSUMABLE_ROLE. Detected by the reserved /aws-service-role/ path or the AWSServiceRoleFor* name prefix; all other roles keep ASSUMABLE_ROLE with their existing trust-derived detail. Bumps baton-sdk to v0.11.1, which adds NHI_TYPE_MANAGED_IDENTITY=3. Co-authored-by: c1-squire-dev[bot] <c1-squire-dev[bot]@users.noreply.github.com>
f5d6965 to 8c8aab3
| - name: Install baton CLI from baton-sdk (conductorone/baton is archived) | ||
| run: | | ||
| set -euxo pipefail | ||
| BATON_VERSION=v0.11.0 | ||
| OS=$(uname -s | tr '[:upper:]' '[:lower:]') | ||
| ARCH=$(uname -m) | ||
| if [ "${ARCH}" = "x86_64" ]; then ARCH="amd64"; fi | ||
| FILENAME="baton-${BATON_VERSION}-${OS}-${ARCH}.tar.gz" | ||
| curl -fsSL -O "https://github.com/conductorone/baton-sdk/releases/download/${BATON_VERSION}/${FILENAME}" | ||
| tar xzf "${FILENAME}" | ||
| mv baton /usr/local/bin/baton | ||
| baton --version |
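Review bot: the archive is fetched and unpacked with no integrity check (`curl -fsSL -O` straight into `tar xzf`), and `BATON_VERSION=v0.11.0` is hand-pinned while a later commit on this PR bumps baton-sdk to v0.11.1, so the CLI and the SDK this connector builds against will drift apart; verify the tarball against a published checksum (or pin a digest) if the release provides one, and derive the version from the module dependency instead of hardcoding it. The ARCH mapping only rewrites `x86_64` to `amd64`, so an arm64 runner (where `uname -m` reports `aarch64`) would request a `-aarch64` filename rather than the Go-style `-arm64` the amd64 rewrite implies, and `mv baton /usr/local/bin/baton` assumes a writable `/usr/local/bin`. Since the comment below notes that ConductorOne/github-workflows#89 already covers this install, dropping the step is probably the cleanest fix.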
This is probably unnecessary. I think this was addressed by ConductorOne/github-workflows#89
Implements NHI Phase-1 K3 type emission (per the NHI RFC §6 row 1); IAM roles (`TRAIT_ROLE`) → `WithNHIType(NHI_TYPE_ASSUMABLE_ROLE, detail)`.

Per §6 this is a mod: the trust-policy classification is parsed at sync time inside `roleResourceType.List()` (`pkg/connector/role.go`), so the NHI type + detail land on every synced role with no extra API call (`ListRoles` already returns `AssumeRolePolicyDocument` + `Path` inline).

Detail strings follow the §2.8 convention `<platform>.<object>[.<purpose>]` (dotted lowercase), most-specific first:

- service-linked (`/aws-service-role/`) → `aws.role.service_linked`
- service-trusted → `aws.role.<service>` (e.g. `aws.role.lambda`, `aws.role.ec2`, `aws.role.ecs_tasks`)
- federated → `aws.role.oidc` / `aws.role.saml` / `aws.role.federated`
- cross-account → `aws.role.cross_account`
- else → `aws.role`

The existing AWS-principal assume-role grant path is unchanged; `Service`/`Federated` trust principals (previously discarded in `Principal.UnmarshalJSON`) are now retained solely for classification.

Self-bumps `baton-sdk` → v0.11.0 (interim; rebases after the baton-admin fleet bump). No protogen. Verified the shipped v0.11.0 API is `WithNHIType` / `NonHumanIdentityTrait_NHI_TYPE_ASSUMABLE_ROLE` (the RFC's `WithNHISubtype` was a stale draft name). `go build ./...`, `go test ./...`, and `golangci-lint run` all pass; added `TestClassifyRoleNHIDetail` covering each branch.

🛰️ Built with pqprime.
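The trust-policy classification that the description and the commit messages on this PR lay out, written out as an added example. This is not the connector's own code: the PR's `classifyRoleNHIDetail`, its `Principal.UnmarshalJSON`, and the baton-sdk `WithNHIType` API are not reproduced here, and the `ClassifyRole` signature, the `accountOf`/`stringOrList` helpers, the two string constants standing in for the SDK enum values, and the sample trust policies are all assumptions constructed for the example. It follows the precedence the description gives (service-linked, then service, federated, cross-account, plain) and applies the later commit's rule that service-linked roles, detected by the `/aws-service-role/` path or the `AWSServiceRoleFor` name prefix, get the managed-identity type. It also handles the point the description makes about `ListRoles`: the `AssumeRolePolicyDocument` it returns inline is URL-encoded, so the document is decoded before parsing.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Assumed stand-ins for the baton-sdk enum values named on the PR, not the SDK's Go identifiers.
const (
	NHITypeAssumableRole   = "NHI_TYPE_ASSUMABLE_ROLE"
	NHITypeManagedIdentity = "NHI_TYPE_MANAGED_IDENTITY"
)

// stringOrList accepts both the "x" and ["x","y"] forms a trust policy may use.
type stringOrList []string

func (s *stringOrList) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*s = []string{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(s))
}

// principal keeps Service and Federated entries (the classification inputs) alongside AWS.
type principal struct{ AWS, Service, Federated stringOrList }

type statement struct {
	Effect    string
	Principal principal
}

// accountOf returns the account id of an IAM ARN; a bare account id (or "*") comes back unchanged.
func accountOf(s string) string {
	if p := strings.Split(s, ":"); len(p) >= 5 && p[0] == "arn" {
		return p[4]
	}
	return s
}

// ClassifyRole applies the PR's precedence, most-specific first: service-linked (MANAGED_IDENTITY,
// per the follow-up commit), then service, federated (oidc/saml/federated), cross-account, plain.
func ClassifyRole(roleName, rolePath, roleARN, assumeRolePolicyDocument string) (string, string, error) {
	if strings.HasPrefix(rolePath, "/aws-service-role/") || strings.HasPrefix(roleName, "AWSServiceRoleFor") {
		return NHITypeManagedIdentity, "aws.role.service_linked", nil
	}
	doc, err := url.PathUnescape(assumeRolePolicyDocument) // ListRoles returns it URL-encoded; plain JSON passes through
	if err != nil {
		return "", "", err
	}
	var tp struct{ Statement []statement }
	if err := json.Unmarshal([]byte(doc), &tp); err != nil {
		return "", "", err
	}
	var services, federated []string
	crossAccount := false
	for _, st := range tp.Statement {
		if st.Effect != "Allow" {
			continue
		}
		services = append(services, st.Principal.Service...)
		federated = append(federated, st.Principal.Federated...)
		for _, a := range st.Principal.AWS {
			if accountOf(a) != accountOf(roleARN) { // another account, or "*", counts as cross-account
				crossAccount = true
			}
		}
	}
	switch {
	case len(services) > 0:
		name := strings.SplitN(services[0], ".", 2)[0] // lambda.amazonaws.com -> lambda, ecs-tasks -> ecs_tasks
		return NHITypeAssumableRole, "aws.role." + strings.ReplaceAll(name, "-", "_"), nil
	case len(federated) > 0:
		switch f := federated[0]; {
		case strings.Contains(f, ":oidc-provider/"):
			return NHITypeAssumableRole, "aws.role.oidc", nil
		case strings.Contains(f, ":saml-provider/"):
			return NHITypeAssumableRole, "aws.role.saml", nil
		}
		return NHITypeAssumableRole, "aws.role.federated", nil
	case crossAccount:
		return NHITypeAssumableRole, "aws.role.cross_account", nil
	}
	return NHITypeAssumableRole, "aws.role", nil
}

// Constructed sample inputs; 111122223333 is the AWS documentation placeholder account id.
const (
	SampleRoleARN     = "arn:aws:iam::111122223333:role/example"
	SampleLambdaTrust = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"lambda.amazonaws.com"},"Action":"sts:AssumeRole"}]}`
	SampleOIDCTrust   = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":"arn:aws:iam::111122223333:oidc-provider/token.actions.githubusercontent.com"},"Action":"sts:AssumeRoleWithWebIdentity"}]}`
)

func main() {
	fmt.Println(ClassifyRole("example", "/", SampleRoleARN, url.PathEscape(SampleLambdaTrust))) // NHI_TYPE_ASSUMABLE_ROLE aws.role.lambda <nil>
}
```

Two simplifications to keep in mind if this is adapted: `Statement` is taken as an array (AWS also accepts a single object), and a bare string `Principal` (`"Principal": "*"`) is not parsed, only the object form with `AWS`/`Service`/`Federated` keys. The service-linked check runs before the policy is parsed, which matches the description's "most-specific first" ordering and means an unparseable trust document on a service-linked role still yields a classification.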