feat(secrets): deny-by-default resource policy on grafana + saml secrets#240
Draft
nogueiraanderson wants to merge 2 commits into
- Add aws_secretsmanager_secret_policy over the out-of-band, ESO-synced grafana/admin and authentik/saml/private_key secrets so only the ESO pod-identity role (plus an empty-by-default break-glass var) can GetSecretValue, cutting read blast radius off every AdministratorAccess holder (security-review finding B2).
- Add var.fenced_secret_breakglass_arns (default []).
- Add static CI gate test_secret_resource_policies.py asserting the fence shape (deny-by-default, ESO-only allowlist, public cert left unfenced, authentik/config fence preserved).
- Move the live access audits into tests/integration/ with just recipes (audit-secret-access, audit-argocd-rbac); grafana/admin tracked as a strict-xfail until apply flips it to fenced.

- Reject a bare "*" in var.fenced_secret_breakglass_arns (would disable the deny by matching every principal).
- Live audit: catch ResourceNotFoundException in _resource_policy; IAM-style wildcard match for GetSecretValue-covering actions; assert the fenced allowlist is exactly the in-account ESO role (no wildcard) plus the full deny-by-default statement shape.
- Static gate: scope assertions to the fenced_secrets map and the policy resource block via regex so comment-only tokens cannot satisfy them.
Tighten ESO (External Secrets Operator)-synced Secrets Manager secrets so only the External Secrets Operator role can read them.

What

aws_secretsmanager_secret_policy (deny-by-default, ESO-role-only plus an empty break-glass var) on grafana/admin and authentik/saml/private_key.

Notes

authentik/saml/private_key is already fenced live. Apply adopts it idempotently and newly fences grafana/admin.
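As an added example (not code from this PR or its repository), a Python shape check of the kind the commit messages describe for the deny-by-default fence: it rejects a bare "*" in the break-glass list, matches GetSecretValue-covering actions IAM-style (case-insensitive, "*" wildcard), and requires the allowlist to be exactly the ESO role plus break-glass ARNs with no wildcard. The policy layout (a Deny with an ArnNotEquals condition on aws:PrincipalArn plus an Allow for the ESO role), the account id and the role name are assumptions, not the PR's own HCL.

```python
# Added example, not the PR's own code: static shape check for a
# deny-by-default Secrets Manager resource policy. The policy layout
# (Deny + ArnNotEquals on aws:PrincipalArn, Allow for the ESO role) is
# an assumed shape; account id and role name are placeholders.
import fnmatch
import json

ESO_ROLE = "arn:aws:iam::111122223333:role/eso-pod-identity"  # constructed
SAMPLE_POLICY = json.dumps({  # constructed sample, mirrors the assumed shape
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "secretsmanager:*",
         "Resource": "*",
         "Condition": {"ArnNotEquals": {"aws:PrincipalArn": [ESO_ROLE]}}},
        {"Effect": "Allow", "Principal": {"AWS": ESO_ROLE},
         "Action": "secretsmanager:GetSecretValue", "Resource": "*"},
    ],
})


def breakglass_is_valid(arns):
    """A bare "*" would match every principal and disable the deny."""
    return all(a.strip() != "*" for a in arns)


def covers_get_secret_value(actions):
    """IAM-style match: case-insensitive, '*' wildcard, str or list input."""
    patterns = [actions] if isinstance(actions, str) else actions
    return any(fnmatch.fnmatchcase("secretsmanager:getsecretvalue", p.lower())
               for p in patterns)


def fence_is_sound(policy_json, eso_role, breakglass=()):
    """True iff a Deny for every principal outside exactly {ESO role +
    break-glass} covers GetSecretValue and the allowlist has no wildcard."""
    if not breakglass_is_valid(breakglass):
        return False
    expected = {eso_role, *breakglass}
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if not covers_get_secret_value(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {}).get("ArnNotEquals", {})
        allowed = cond.get("aws:PrincipalArn", [])
        allowed = {allowed} if isinstance(allowed, str) else set(allowed)
        # allowlist must be exact: no wildcard, nothing beyond ESO + break-glass
        return not any("*" in a for a in allowed) and allowed == expected
    return False  # no deny-by-default statement found
```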