Open
Labels: question (Further information is requested)
Question
I have a role with administrative privileges (let's call it privileged-role) and it has a permission boundary attached to it denying iam actions. However, when I run the following query:
pmapper --account ACC# query -s 'who can do iam:*'
I get results like this:
role/rdkLambdaRole-KOQRA8051N84 CAN call action iam:* for resource * THRU role/privileged-role
role/rdkLambdaRole-KOQRA8051N84 can access via sts:AssumeRole role/cdk-hnb659fds-deploy-role
role/cdk-hnb659fds-deploy-role can create a stack in CloudFormation to access role/privileged-role
role/privileged-role IS authorized to call action iam:* for resource *
I also tried using conditions to take permission boundaries into account, but the results are the same. Sample query:
pmapper --account ACC# query -s 'who can do iam:* with * when iam:PermissionsBoundary=arn:aws:iam::ACC#:policy/perm_boundary'
Did the Wiki Have an Answer?
I did not find any answers in the Wiki. Not a lot of information can be found on using conditions with queries. I'd add the answer in "Query Reference".
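For readers checking the expected effect of the boundary described above, here is an added example (not PMapper code and not from the issue author) that models the documented AWS rule for permissions boundaries: an action is permitted only if the principal's identity-based policy allows it and the boundary also allows it, and an explicit Deny in either one wins. The policy documents are constructed for the example; the evaluator only handles Allow/Deny statements with wildcard Action/Resource matching and ignores Condition, NotAction and resource-based policies.

```python
"""Simplified permissions-boundary evaluation (constructed example, not PMapper).

Rule modelled: effective permissions = identity policies INTERSECT boundary,
with an explicit Deny in either winning. Conditions are ignored.
"""
import fnmatch


def _as_list(value):
    # IAM allows a single string or a list for Action/Resource/Statement.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcard matching is case-insensitive for actions; '*' and '?' only.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    verdict = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement")):
        if not _matches(stmt.get("Action"), action):
            continue
        if not _matches(stmt.get("Resource"), resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # explicit deny short-circuits everything else
        verdict = "Allow"
    return verdict


def is_authorized(identity_policies, action, resource, boundary=None):
    """True only if identity policies allow AND (if present) the boundary allows."""
    verdicts = [evaluate_policy(p, action, resource) for p in identity_policies]
    if "Deny" in verdicts or "Allow" not in verdicts:
        return False
    if boundary is not None and evaluate_policy(boundary, action, resource) != "Allow":
        # Boundary must explicitly allow; an implicit deny in the boundary
        # removes the permission even though the identity policy granted it.
        return False
    return True


# Constructed sample policies mirroring the scenario: an admin-style identity
# policy and a boundary that denies all iam:* actions.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
BOUNDARY_DENY_IAM = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}
# A boundary that only allows S3: everything else is implicitly denied.
BOUNDARY_S3_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


if __name__ == "__main__":
    for act, res, bnd in [
        ("iam:CreateUser", "*", BOUNDARY_DENY_IAM),
        ("s3:GetObject", "arn:aws:s3:::example-bucket/key", BOUNDARY_DENY_IAM),
        ("iam:ListRoles", "*", None),
        ("ec2:DescribeInstances", "*", BOUNDARY_S3_ONLY),
    ]:
        print(act, "->", is_authorized([ADMIN_POLICY], act, res, bnd))
```

With the boundary from the scenario attached, iam:CreateUser is denied even though the identity policy is a full admin Allow; the same holds for any role that assumes privileged-role, because the boundary applies to whoever is acting under that role's credentials.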