
bug:Update your policies for AWS Glue BatchGet APIs #109

Open
NotErickG opened this issue Nov 21, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@NotErickG

NotErickG commented Nov 21, 2024

Describe the bug
Got this notification on my account from AWS

We identified an issue with AWS Glue BatchGet APIs that requires your
action. Currently, Glue BatchGet* APIs run successfully despite a Deny
condition on one or more of the underlying Get operations. On December 16,
2024, we will deploy a fix for this to ensure BatchGet* APIs will fail with
an AccessDeniedException if there is a Deny condition on one of the
corresponding Get* operations. Your account has policies which include
these contradicting statements. Please refer to the 'Affected resources'
tab of your AWS Health Dashboard to see your impacted IAM resources.

You must update your policies to deny or allow AWS Glue Batch* APIs and
their corresponding Get* API operations by this date. If you do not take
action, the Batch API will not retrieve the resources of the Batch API call
being made. Please refer to our "Actions, resources, and condition keys for
AWS Glue" user guide for additional information.

The following is a list of the affected Glue BatchGet* APIs operations:

BatchGetDevEndpoints
BatchGetJobs
BatchGetBlueprints
BatchGetTriggers
BatchGetWorkflows

The following is a list of the affected Get* API operations:

GetDevEndpoints
GetJobs
GetBlueprints
GetTriggers
GetWorkflows

If you have any questions or concerns, please contact AWS Support.

Steps to reproduce
I guess deploy the lacework config module and check your health dashboard periodically.

Expected behavior
From our AWS Rep
You might want to explicitly allow GetWorkflows in this policy if you intend to use BatchGetWorkflows

Screenshots
none

Please complete the following information:

  • Terraform Version: 1.3.7
  • Module Version 16

Additional context
Not really, I think AWS is just changing their API.

Workaround
I just attached a policy

data "aws_iam_policy_document" "lacework_glue_policy" {
  # Explicitly allow the Get* counterpart of BatchGetWorkflows, so the
  # BatchGet call keeps working after the AWS change described above.
  statement {
    actions = [
      "glue:GetWorkflows"
    ]
    resources = ["*"]
  }
}

for my stuff using the iam_role_name output.

@NotErickG NotErickG added the bug Something isn't working label Nov 21, 2024
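The notice quoted above says each Glue BatchGet* call will start failing with AccessDeniedException whenever its Get* counterpart is not allowed. The following audit script is an added example for this issue, not code from the lacework module or from AWS: it takes a list of IAM policy documents (the two sample documents and the workaround policy are constructed here to mirror the report), resolves the effect for each BatchGet*/Get* pair using the mapping from the notice, and flags pairs where the batch action is allowed but the Get* action is implicitly or explicitly denied. It deliberately simplifies IAM evaluation: it looks only at `Effect` and `Action` (no `NotAction`, `Resource`, `Condition`, SCPs or permission boundaries), so treat a clean result as a first pass, not proof.

```python
"""Flag Glue BatchGet* actions whose Get* counterpart is not allowed.

Added example for the issue above; not part of the lacework module.
The policy documents below are constructed samples, not real module output.
"""
import fnmatch

# Pairs taken from the AWS notice quoted in the issue.
BATCH_TO_GET = {
    "glue:BatchGetDevEndpoints": "glue:GetDevEndpoints",
    "glue:BatchGetJobs": "glue:GetJobs",
    "glue:BatchGetBlueprints": "glue:GetBlueprints",
    "glue:BatchGetTriggers": "glue:GetTriggers",
    "glue:BatchGetWorkflows": "glue:GetWorkflows",
}


def _as_list(value):
    """IAM allows a string or a list for Action/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    """IAM action names match case-insensitively and support '*' and '?' wildcards."""
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)


def effect_for(action, policies):
    """Return 'Deny', 'Allow' or 'Implicit' for one action across all policies.

    Explicit Deny wins over Allow, as in IAM evaluation. Simplification
    (assumption): only Effect and Action are considered; Resource, Condition
    and NotAction are ignored.
    """
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if not _matches(action, _as_list(stmt.get("Action"))):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "Allow" if allowed else "Implicit"


def find_inconsistencies(policies):
    """Return (batch_action, get_action, get_effect) tuples for every BatchGet*
    action that is allowed while its Get* counterpart is not explicitly allowed.
    Each tuple is a call that will break once the AWS fix is deployed."""
    findings = []
    for batch_action, get_action in BATCH_TO_GET.items():
        if effect_for(batch_action, policies) != "Allow":
            continue  # batch call is not granted anyway; nothing to flag
        get_effect = effect_for(get_action, policies)
        if get_effect != "Allow":
            findings.append((batch_action, get_action, get_effect))
    return findings


# Constructed sample: a broad BatchGet* allow with only some Get* actions
# allowed and one explicitly denied, similar to the situation in the report.
SAMPLE_POLICIES = [
    {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Resource": "*",
             "Action": ["glue:BatchGet*", "glue:GetJobs", "glue:GetTriggers"]},
            {"Effect": "Deny", "Resource": "*",
             "Action": "glue:GetDevEndpoints"},
        ],
    }
]

# Constructed equivalent of the workaround policy attached in the issue.
WORKAROUND_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["glue:GetWorkflows"], "Resource": "*"}
    ],
}


if __name__ == "__main__":
    for batch_action, get_action, get_effect in find_inconsistencies(SAMPLE_POLICIES):
        print(f"{batch_action} allowed but {get_action} is {get_effect}")
    remaining = find_inconsistencies(SAMPLE_POLICIES + [WORKAROUND_POLICY])
    print(f"after workaround: {len(remaining)} pair(s) still inconsistent")
```

Run against the samples, the script reports three broken pairs (DevEndpoints, Blueprints, Workflows); adding the workaround policy resolves the Workflows pair and leaves two, which is the point of the AWS guidance: fix every pair, either by allowing the Get* action or by denying the BatchGet* action alongside it, rather than patching the one that happened to surface first. To audit a real role, replace the constructed documents with the policy JSON returned by `aws iam get-policy-version` or `get-role-policy`.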
@BenChmark1

We have also had this issue.

I raised a PR to resolve this: #111

@BenChmark1

FYI (because it wasn't mentioned in any release notes as far as I can see), this issue was fixed: #112
