
Parliament fails to parse policy iam_self_management from terraform-aws-modules/iam #236

Open
niooss-ledger opened this issue Sep 24, 2023 · 0 comments

@niooss-ledger

Hello,
While trying to run parliament on the output of aws iam get-account-authorization-details, I got a fatal error:

Traceback (most recent call last):
  File "/usr/local/bin/parliament", line 33, in <module>
    sys.exit(load_entry_point('parliament==1.6.2', 'console_scripts', 'parliament')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/parliament-1.6.2-py3.11.egg/parliament/cli.py", line 273, in main
  File "/usr/local/lib/python3.11/site-packages/parliament-1.6.2-py3.11.egg/parliament/__init__.py", line 73, in analyze_policy_string
  File "/usr/local/lib/python3.11/site-packages/parliament-1.6.2-py3.11.egg/parliament/policy.py", line 269, in analyze
  File "/usr/local/lib/python3.11/site-packages/parliament-1.6.2-py3.11.egg/parliament/statement.py", line 294, in __init__
  File "/usr/local/lib/python3.11/site-packages/parliament-1.6.2-py3.11.egg/parliament/statement.py", line 1008, in analyze_statement
  File "/usr/local/lib/python3.11/site-packages/parliament-1.6.2-py3.11.egg/parliament/statement.py", line 526, in _check_condition
  File "/usr/local/lib/python3.11/site-packages/jsoncfg/config_classes.py", line 327, in __getattr__
    raise JSONConfigNodeTypeError(
jsoncfg.config_classes.JSONConfigNodeTypeError: Expected a ConfigJSONObject but found ConfigJSONArray. You are trying to get an item from an array as if it was an object. item=value [line=1;col=1131]

I extracted the problematic policy in a JSON file named iam_self_management.json (copied here with light editing):

        {
            "PolicyName": "IAMSelfManagement-20210101000000001000000001",
            "PolicyId": "ANPXXXXXXXXXXXXXXXXXX",
            "Arn": "arn:aws:iam::123456789012:policy/IAMSelfManagement-20210101000000001000000001",
            "Path": "/",
            "DefaultVersionId": "v1",
            "AttachmentCount": 1,
            "PermissionsBoundaryUsageCount": 0,
            "IsAttachable": true,
            "CreateDate": "2021-01-01T00:00:00+00:00",
            "UpdateDate": "2021-01-01T00:00:00+00:00",
            "PolicyVersionList": [
                {
                    "Document": {
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                "Sid": "AllowSelfManagement",
                                "Effect": "Allow",
                                "Action": [
                                    "iam:UploadSigningCertificate",
                                    "iam:UploadSSHPublicKey",
                                    "iam:UpdateUser",
                                    "iam:UpdateLoginProfile",
                                    "iam:UpdateAccessKey",
                                    "iam:ResyncMFADevice",
                                    "iam:List*",
                                    "iam:Get*",
                                    "iam:GenerateServiceLastAccessedDetails",
                                    "iam:GenerateCredentialReport",
                                    "iam:EnableMFADevice",
                                    "iam:DeleteVirtualMFADevice",
                                    "iam:DeleteLoginProfile",
                                    "iam:DeleteAccessKey",
                                    "iam:CreateVirtualMFADevice",
                                    "iam:CreateLoginProfile",
                                    "iam:CreateAccessKey",
                                    "iam:ChangePassword"
                                ],
                                "Resource": [
                                    "arn:aws:iam::123456789012:user/*/${aws:username}",
                                    "arn:aws:iam::123456789012:user/${aws:username}",
                                    "arn:aws:iam::123456789012:mfa/${aws:username}"
                                ]
                            },
                            {
                                "Sid": "AllowIAMReadOnly",
                                "Effect": "Allow",
                                "Action": [
                                    "iam:List*",
                                    "iam:Get*"
                                ],
                                "Resource": "*"
                            },
                            {
                                "Sid": "AllowDeactivateMFADevice",
                                "Effect": "Allow",
                                "Action": "iam:DeactivateMFADevice",
                                "Resource": [
                                    "arn:aws:iam::123456789012:user/*/${aws:username}",
                                    "arn:aws:iam::123456789012:user/${aws:username}",
                                    "arn:aws:iam::123456789012:mfa/${aws:username}"
                                ],
                                "Condition": {
                                    "Bool": {
                                        "aws:MultiFactorAuthPresent": [
                                            "true"
                                        ]
                                    },
                                    "NumericLessThan": {
                                        "aws:MultiFactorAuthAge": [
                                            "3600"
                                        ]
                                    }
                                }
                            }
                        ]
                    },
                    "VersionId": "v1",
                    "IsDefaultVersion": true,
                    "CreateDate": "2021-01-01T00:00:00+00:00"
                }
            ]
        }

When parsing this policy, the same error happens:

$ jq '.PolicyVersionList[].Document' < iam_self_management.json | parliament
Traceback (most recent call last):
  File "/usr/local/bin/parliament", line 33, in <module>
    sys.exit(load_entry_point('parliament==1.6.2', 'console_scripts', 'parliament')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/parliament-1.6.2-py3.11.egg/parliament/cli.py", line 321, in main
  File "/usr/local/lib/python3.11/site-packages/parliament-1.6.2-py3.11.egg/parliament/__init__.py", line 73, in analyze_policy_string
  File "/usr/local/lib/python3.11/site-packages/parliament-1.6.2-py3.11.egg/parliament/policy.py", line 269, in analyze
  File "/usr/local/lib/python3.11/site-packages/parliament-1.6.2-py3.11.egg/parliament/statement.py", line 294, in __init__
  File "/usr/local/lib/python3.11/site-packages/parliament-1.6.2-py3.11.egg/parliament/statement.py", line 1008, in analyze_statement
  File "/usr/local/lib/python3.11/site-packages/parliament-1.6.2-py3.11.egg/parliament/statement.py", line 526, in _check_condition
  File "/usr/local/lib/python3.11/site-packages/jsoncfg/config_classes.py", line 327, in __getattr__
    raise JSONConfigNodeTypeError(
jsoncfg.config_classes.JSONConfigNodeTypeError: Expected a ConfigJSONObject but found ConfigJSONArray. You are trying to get an item from an array as if it was an object. item=value [line=53;col=41]

This error is caused by the policy using a "Bool" condition with an array ["true"] instead of the value directly ("true").

The policy is nonetheless valid and comes from https://github.com/terraform-aws-modules/terraform-aws-iam/blob/aa7ddba39b658088788652b1a0c3221ccf73cf13/modules/iam-group-with-policies/policies.tf, which was in version 5.11.0 of terraform-aws-modules/iam (described on https://registry.terraform.io/modules/terraform-aws-modules/iam/aws/latest as "Terraform module which creates IAM resources on AWS"):

    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }

(Note that this Terraform file uses ["true"] instead of true.)

Could you please add support for such policies?

System information:

  • Using Parliament from git master (commit 57f45649f512df3302d4185ecf1ec25226006336, version 1.6.2)
  • Using Docker container docker.io/library/python:3.11 (based on Debian, with Python 3.11) to reproduce the issue, using these commands:
    git clone https://github.com/duo-labs/parliament
    cd parliament/
    pip install -r requirements.txt
    python3 setup.py install
    parliament --auth-details-file iam_get-account-authorization-details.json
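The crash above comes from treating the value of a condition key as a JSON object when IAM allows it to be either a scalar or an array. The following is an added example (not parliament's code, and not from the reporter) of a tolerant condition walker: it normalises both forms to a list and then extracts the MFA requirement from the "AllowDeactivateMFADevice" statement quoted in this issue. The statement is embedded as a constructed sample; the function names are hypothetical.

```python
import json

# Constructed sample: the "AllowDeactivateMFADevice" statement from this issue,
# in the array form (["true"], ["3600"]) that makes parliament 1.6.2 crash.
STATEMENT_ARRAY_FORM = json.loads("""
{
  "Sid": "AllowDeactivateMFADevice",
  "Effect": "Allow",
  "Action": "iam:DeactivateMFADevice",
  "Resource": "arn:aws:iam::123456789012:mfa/${aws:username}",
  "Condition": {
    "Bool": {"aws:MultiFactorAuthPresent": ["true"]},
    "NumericLessThan": {"aws:MultiFactorAuthAge": ["3600"]}
  }
}
""")


def as_list(value):
    """IAM accepts a scalar or a list as a condition value; always return a list of strings.
    JSON booleans are lowered to "true"/"false" so they compare like the string form."""
    values = value if isinstance(value, list) else [value]
    return ["true" if v is True else "false" if v is False else str(v) for v in values]


def iter_conditions(statement):
    """Yield (operator, key, values) for every condition, values normalised by as_list()."""
    for operator, block in statement.get("Condition", {}).items():
        if not isinstance(block, dict):
            # The operator level (Bool, NumericLessThan, ...) must be an object.
            raise ValueError(f"Condition operator {operator!r} must map to an object")
        for key, value in block.items():
            yield operator, key, as_list(value)


def mfa_requirements(statement):
    """Return (mfa_required, max_session_age_seconds_or_None) for a statement.
    Works identically whether the policy author wrote "true" or ["true"]."""
    mfa_required, max_age = False, None
    for operator, key, values in iter_conditions(statement):
        if operator == "Bool" and key == "aws:MultiFactorAuthPresent":
            mfa_required = values == ["true"]
        elif operator == "NumericLessThan" and key == "aws:MultiFactorAuthAge":
            max_age = min(int(v) for v in values)
    return mfa_required, max_age


if __name__ == "__main__":
    print(mfa_requirements(STATEMENT_ARRAY_FORM))
```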