
Handle 3rd-party identities in IAM correctly #7852

Labels
enhancement persistent-bug Hard to diagnose or long lived bugs for which resolutions are more like feature work than bug work priority/1 size/l

Comments

@wvanderdeijl

wvanderdeijl commented Nov 19, 2020


Terraform Version

% terraform -v
Terraform v0.13.5

google-beta v3.48.0

Affected Resource(s)

  • google_service_account_iam_member

Terraform Configuration Files

terraform {
  required_providers {
    google = {
      source = "hashicorp/google-beta"
    }
  }
}

provider "google" {
  project     = "eurotransplant-dummya"
  region      = "europe-west1"
}

resource "google_iam_workload_identity_pool" "example" {
  workload_identity_pool_id = "example-pool"
}

resource "google_service_account" "sa" {
  account_id   = "my-service-account"
}

resource "google_service_account_iam_member" "impersonate" {
  service_account_id = google_service_account.sa.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.example.name}/attribute.aws_role/arn:aws:sts::999999999999:assumed-role/some-eu-central-1-lambdarole"
}

Debug Output

https://gist.github.com/wvanderdeijl/8095c9f208e362db2d8b8ba031512535

Expected Behavior

The role roles/iam.workloadIdentityUser on the service account should have been granted to the principalSet (an identity provided by the new Google Workload Identity Federation feature).

Actual Behavior

Error: Error applying IAM policy for service account 
'projects/cosmic-adapter-296112/serviceAccounts/my-service-account@cosmic-adapter-296112.iam.gserviceaccount.com': 
Error setting IAM policy for service account 
'projects/cosmic-adapter-296112/serviceAccounts/my-service-account@cosmic-adapter-296112.iam.gserviceaccount.com':
googleapi: Error 400: The member
principalSet://iam.googleapis.com/projects/1066737951711/locations/global/workloadidentitypools/example-pool/attribute.aws_role/arn:aws:sts::999999999999:assumed-role/some-eu-central-1-lambdarole
is of an unknown type. Please set a valid type prefix for the member., badRequest

createIamBindingsMap in google/iam.go seems to split a member into its "type" (the part before the :) and its "value". It then converts the value to lowercase. See https://github.com/hashicorp/terraform-provider-google/blob/master/google/iam.go#L232

This converts my request to add
principalSet://iam.googleapis.com/projects/1066737951711/locations/global/workloadIdentityPools/example-pool/attribute.aws_role/arn:aws:sts::999999999999:assumed-role/some-eu-central-1-lambdaRole
into
principalSet://iam.googleapis.com/projects/1066737951711/locations/global/workloadidentitypools/example-pool/attribute.aws_role/arn:aws:sts::999999999999:assumed-role/some-eu-central-1-lambdarole

This then throws a 400 when applying, as the value of a principalSet is case sensitive.

The key element is workloadIdentityPools being transformed to workloadidentitypools. Although the transformation from lambdaRole to lambdarole will not lead to a deployment issue, it will lead to a runtime issue, as the AWS lambdaRole will not be granted access.

Steps to Reproduce

  1. terraform apply

Important Factoids

I can use the gcloud CLI to demonstrate that the principalSet value is case sensitive:

% gcloud iam service-accounts add-iam-policy-binding my-service-account@cosmic-adapter-296112.iam.gserviceaccount.com \
    --project cosmic-adapter-296112 \
    --role roles/iam.workloadIdentityUser \
    --member "principalSet://iam.googleapis.com/projects/1066737951711/locations/global/workloadidentitypools/example-pool/attribute.aws_role/arn:aws:sts::999999999999:assumed-role/some-eu-central-1-lambdarole"

ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) INVALID_ARGUMENT: The member principalSet://iam.googleapis.com/projects/1066737951711/locations/global/workloadidentitypools/example-pool/attribute.aws_role/arn:aws:sts::999999999999:assumed-role/some-eu-central-1-lambdarole is of an unknown type. Please set a valid type prefix for the member.

% gcloud iam service-accounts add-iam-policy-binding my-service-account@cosmic-adapter-296112.iam.gserviceaccount.com \
    --project cosmic-adapter-296112 \
    --role roles/iam.workloadIdentityUser \
    --member "principalSet://iam.googleapis.com/projects/1066737951711/locations/global/workloadIdentityPools/example-pool/attribute.aws_role/arn:aws:sts::999999999999:assumed-role/some-eu-central-1-lambdaRole"

Updated IAM policy for serviceAccount [my-service-account@cosmic-adapter-296112.iam.gserviceaccount.com].
bindings:
- members:
  - principalSet://iam.googleapis.com/projects/1066737951711/locations/global/workloadIdentityPools/example-pool/attribute.aws_role/arn:aws:sts::999999999999:assumed-role/some-eu-central-1-lambdaRole
  role: roles/iam.workloadIdentityUser
etag: BwW0dRngveE=
version: 1

References

Documentation on Workload Identity Federation from AWS including service account impersonation: https://cloud.google.com/iam/docs/access-resources-aws

There have been more issues and PRs which led to the introduction of case-insensitivity and thus lowercasing the value:
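The lowercasing described in this issue, reproduced as an added example (this is not the provider's code): the buggy normaliser splits a member on its first ":" and lowercases the rest, while the fixed one preserves principal:// and principalSet:// members verbatim and only lowercases the member types assumed here to be case insensitive (user, serviceAccount, group, domain).

```go
package main

import (
	"fmt"
	"strings"
)

// Member types whose values are lowercased for comparison. Assumed list for
// this example; the page only shows that the provider lowercases every value.
var caseInsensitiveTypes = map[string]bool{
	"user": true, "serviceaccount": true, "group": true, "domain": true,
}

// Federated (3rd-party) identity prefixes whose values are case sensitive
// and must reach the IAM API exactly as written.
var federatedPrefixes = []string{"principal://", "principalSet://"}

// normalizeMemberBuggy mirrors the behaviour the issue describes: split on
// the first ":" and lowercase everything after it, whatever the type.
func normalizeMemberBuggy(member string) string {
	parts := strings.SplitN(member, ":", 2)
	if len(parts) != 2 {
		return member
	}
	return parts[0] + ":" + strings.ToLower(parts[1])
}

// normalizeMemberFixed keeps federated identities intact and lowercases the
// value only for member types known to be case insensitive.
func normalizeMemberFixed(member string) string {
	for _, p := range federatedPrefixes {
		if strings.HasPrefix(member, p) {
			return member
		}
	}
	parts := strings.SplitN(member, ":", 2)
	if len(parts) != 2 || !caseInsensitiveTypes[strings.ToLower(parts[0])] {
		return member
	}
	return parts[0] + ":" + strings.ToLower(parts[1])
}

func main() {
	// The member from the issue (workloadIdentityPools and lambdaRole are mixed case).
	m := "principalSet://iam.googleapis.com/projects/1066737951711/locations/global/workloadIdentityPools/example-pool/attribute.aws_role/arn:aws:sts::999999999999:assumed-role/some-eu-central-1-lambdaRole"
	fmt.Println("buggy:", normalizeMemberBuggy(m))
	fmt.Println("fixed:", normalizeMemberFixed(m))
}
```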

@ghost ghost added bug labels Nov 19, 2020
@edwardmedia edwardmedia self-assigned this Nov 19, 2020
@edwardmedia
Contributor

This appears to be a legit case

@wvanderdeijl
Author

I have been working on a number of PRs over the last couple of weeks to introduce Workload Identity Federation resources and datasources to magic modules/terraform. Now that those are merged, we were looking forward to using them in our stack, but we now run into this showstopper that we cannot use the federated identities 😢

Fixing this last issue myself will be a real challenge as I have very limited Go experience. @rileykarson, is this something you guys will fix, or would you otherwise have some guidance on where and how I should fix this, so I can attempt a PR?

@rileykarson
Collaborator

I intend to get to this! It's taken a little longer to find the time than I expected, though.

@wvanderdeijl
Author

@rileykarson I don’t want to be a PITA, but is there anything we can do to help? This issue is preventing us from rolling out our workload identity federation, which is a great new feature.

@rileykarson rileykarson added persistent-bug Hard to diagnose or long lived bugs for which resolutions are more like feature work than bug work and removed bug labels Dec 21, 2020
@rileykarson
Collaborator

I had the start of a solution to this which corrected createIamBindingsMap, but calling strings.ToLower throughout our IAM resources is fairly pervasive. It's going to be a more involved fix than originally anticipated.

I've relabelled using the persistent-bug label which means we'll treat this like an enhancement, triaging and assigning this to a sprint.

@rileykarson rileykarson added this to the Near-Term Goals milestone Jan 5, 2021
@rileykarson rileykarson changed the title 400 error: case sensitive iam member is converted to lowercase Handle 3rd-party identities in IAM correctly Feb 12, 2021
@ghost ghost added the bug label Feb 12, 2021
@stuagano

stuagano commented Mar 4, 2021

also ran into

@ghost

ghost commented Mar 8, 2021

Are there any workarounds for this (which don't involve null resources with local-exec of "gcloud iam ...")?

@rileykarson
Collaborator

rileykarson commented Mar 11, 2021

None I'm aware of; the issue is within the resource code, so there are no user-side workarounds until we can make a provider fix.

@ghost

ghost commented May 7, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators May 7, 2021