nccgroup / PMapper

A tool for quickly evaluating IAM permissions in AWS.
GNU Affero General Public License v3.0

Using PMapper to map cross-account roles #62

Closed christophetd closed 3 years ago

christophetd commented 3 years ago

I'm trying to use search_authorization_for to search for / validate inter and cross-account role assumptions.

Inter-account role assumption

Given a user myuser that is able to assume myrole, I can validate the behavior:

```python
from principalmapper.querying.query_interface import search_authorization_for  # PMapper 1.x module path

principal = graph.get_node_by_searchable_name('user/myuser')  # graph built for this account
# AssumeRole is an STS action; the last argument is the request context used for Condition checks
result = search_authorization_for(graph, principal, 'sts:AssumeRole', 'arn:aws:iam::account-id:role/myrole', {'aws:SourceIp': 'x.x.x.x'})
print(result.allowed)  # True
```

Cross-account role assumption

User account1/user can assume a role account2/role.

How would you go about this? I'm not sure it's possible using PMapper. Using graph.get_node_by_searchable_name to search for the source principal in a different account won't work if graph was generated in the context of the target account.

Thank you!

ncc-erik-steringer commented 3 years ago

I want to fully support this in the next iteration of PMapper. It's mostly ready in the v1.1.0-dev branch; you'll want to use search_authorization_with_resource_policy_for in principalmapper.query_interface, which will consider both the calling principal's authorization and the resource policy (trust doc) of the assumed role.

christophetd commented 3 years ago

Sounds good! But how does that play with data collection? Do I need to create one graph per account, and then query the proper principal in the correct graph?

ncc-erik-steringer commented 3 years ago

You'd need one graph per account, then query against account1/user while pulling in the trust doc from account2/role.

ncc-erik-steringer commented 3 years ago

Branch v1.1.0-dev has a new module principalmapper.graphing.cross_account_edges with a function named get_edges_between_graphs that does all the legwork of building all Edge objects when given two Graph objects. Closing this issue.
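The two points the maintainer makes above, that a cross-account assumption needs both the caller's identity policy (from account1's graph) and the target role's trust policy (from account2's graph) to allow it, and that get_edges_between_graphs walks every principal/role pair between two graphs, can be shown with a small self-contained evaluator. The code below is an added, hypothetical example and is not PMapper code: the functions `identity_allows`, `trust_allows`, `can_assume` and `edges_between`, the plain-dict "graphs" and the fake account ids are all constructed here. It deliberately ignores Condition blocks (so the aws:SourceIp context from the first post is not modelled), NotAction/NotResource, permission boundaries and SCPs.

```python
# Added, hypothetical example (not PMapper code): a toy two-sided evaluator for
# cross-account sts:AssumeRole plus a pairwise edge walk between two "graphs".
# Simplifications: no Condition, NotAction/NotResource, boundaries or SCPs.
from fnmatch import fnmatchcase

ASSUME_ROLE = "sts:AssumeRole"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    # arn:partition:service:region:account-id:resource -> account-id is field 4
    return arn.split(":")[4]


def _action_matches(action, patterns):
    # IAM action names match case-insensitively, with * and ? wildcards
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def identity_allows(identity_policy, action, resource_arn):
    """Identity-based policy evaluation: default deny, explicit Deny wins."""
    allowed = False
    for stmt in _as_list(identity_policy["Statement"]):
        if not _action_matches(action, stmt.get("Action", [])):
            continue
        if not any(fnmatchcase(resource_arn, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def trust_allows(trust_policy, caller_arn, action=ASSUME_ROLE):
    """Role trust policy evaluation for one caller.  'arn:aws:iam::<acct>:root'
    (or a bare account id) delegates to that whole account, so any principal of
    that account matches here and its own identity policy decides the rest."""
    caller_account = _account_of(caller_arn)
    account_forms = {caller_account, f"arn:aws:iam::{caller_account}:root"}
    allowed = False
    for stmt in _as_list(trust_policy["Statement"]):
        if not _action_matches(action, stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            matched = True
        else:
            aws_principals = _as_list(principal.get("AWS", []))
            matched = any(p in ("*", caller_arn) or p in account_forms for p in aws_principals)
        if not matched:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_assume(caller_arn, identity_policy, role_arn, trust_policy):
    """Cross-account rule: the caller's own account must grant sts:AssumeRole on
    the role AND the role's trust policy must admit the caller.  Either side
    alone is not enough, which is why one graph per account is queried together."""
    return (identity_allows(identity_policy, ASSUME_ROLE, role_arn)
            and trust_allows(trust_policy, caller_arn))


def edges_between(graph_a, graph_b):
    """Pairwise walk from graph_a's principals to graph_b's roles; returns the
    (caller, role) pairs that can be assumed.  A 'graph' here is a plain dict."""
    return [(caller, role)
            for caller, identity_policy in graph_a["principals"].items()
            for role, trust_policy in graph_b["roles"].items()
            if can_assume(caller, identity_policy, role, trust_policy)]


# Constructed sample data with fake account ids, one dict per account.
ACCT1, ACCT2 = "111111111111", "222222222222"
GRAPH_ACCOUNT1 = {"principals": {
    f"arn:aws:iam::{ACCT1}:user/alice": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": f"arn:aws:iam::{ACCT2}:role/*"}]},
    f"arn:aws:iam::{ACCT1}:user/bob": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]},
    f"arn:aws:iam::{ACCT1}:user/carol": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "sts:AssumeRole", "Resource": f"arn:aws:iam::{ACCT2}:role/admin"}]},
}, "roles": {}}
GRAPH_ACCOUNT2 = {"principals": {}, "roles": {
    # trusts all of account 1; account 1's identity policies decide who gets in
    f"arn:aws:iam::{ACCT2}:role/deploy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCT1}:root"}, "Action": "sts:AssumeRole"}]},
    # trusts two named users only
    f"arn:aws:iam::{ACCT2}:role/admin": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": [f"arn:aws:iam::{ACCT1}:user/alice",
                                                  f"arn:aws:iam::{ACCT1}:user/carol"]},
         "Action": "sts:AssumeRole"}]},
    # trusts a third account, so nobody from account 1 qualifies
    f"arn:aws:iam::{ACCT2}:role/audit": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::333333333333:root"}, "Action": "sts:AssumeRole"}]},
}}

if __name__ == "__main__":
    for caller, role in edges_between(GRAPH_ACCOUNT1, GRAPH_ACCOUNT2):
        print(f"{caller} -> {role}")
```

Running it yields three edges: alice into deploy and admin, carol into deploy. bob has no sts:AssumeRole grant at all, carol is explicitly denied on admin even though admin's trust policy names her, and alice's wildcard grant on account2's roles is useless against audit because its trust policy names a different account. Each dropped pair fails on exactly one side, which is the reason a single-account graph cannot answer the cross-account question by itself.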