Comment 3 for bug 1872735

kay (kay-diam) wrote : Re: EC2 and/or credential endpoints are not protected from a scoped context

Hi Colleen. Sorry for not being clear enough. I was talking about creating EC2 credentials under "trust / oauth / application credential". For instance, when your base user has "admin" and "viewer" roles, you create "application credential" with a "viewer" and expect that "application credential" won't be able to escalate privileges to "admin".

However, being authed using "application credential" with a "viewer" role allows creating EC2 credentials, which are associated with a parent user. Therefore "application credential" with a "viewer" role can successfully escalate privileges to "admin".

I uploaded more detailed JSON logs for convenience. Note that I created "application credential" with a limited "monitoring_viewer" role, then created "ec2 credentials" within "application credential" scope, and escalated privileges to parent user roles.
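A constructed Python model of the mechanism this comment describes (added here; not Keystone's code and not the reporter's): a delegated context carries a reduced role set, an EC2 credential is bound to the parent user, and the hardened variant refuses credential creation from any trust, OAuth or application-credential scope. Names such as `Context`, `app_cred_id` and `USER_ROLES` are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed sample user: the parent user holds both roles.
USER_ROLES: Dict[str, Set[str]] = {"alice": {"admin", "viewer"}}


@dataclass
class Context:
    """Hypothetical authenticated request context."""
    user_id: str
    roles: Set[str]
    # Any of these being set means the token came from a delegation
    # (application credential, trust or OAuth), not a direct login.
    app_cred_id: Optional[str] = None
    trust_id: Optional[str] = None
    oauth_consumer_id: Optional[str] = None

    def is_delegated(self) -> bool:
        return any([self.app_cred_id, self.trust_id, self.oauth_consumer_id])


def create_ec2_credential(ctx: Context, store: Dict[str, str], protect: bool) -> str:
    """Create an EC2 credential bound to ctx.user_id (the parent user).

    protect=False reproduces the unprotected endpoint; protect=True rejects
    creation from a delegated scope so the reduced role set cannot be escaped.
    """
    if protect and ctx.is_delegated():
        raise PermissionError("credential creation is not allowed from a delegated scope")
    cred_id = f"ec2-{len(store) + 1}"
    store[cred_id] = ctx.user_id  # bound to the user, not to the delegation
    return cred_id


def authenticate_ec2(cred_id: str, store: Dict[str, str]) -> Context:
    """EC2 auth yields the full role set of the bound (parent) user."""
    user = store[cred_id]
    return Context(user_id=user, roles=set(USER_ROLES[user]))


def roles_after_escalation(protect: bool) -> Set[str]:
    """Start from a viewer-only application credential and return the roles
    obtainable through an EC2 credential created in that scope."""
    store: Dict[str, str] = {}
    viewer_ctx = Context("alice", {"viewer"}, app_cred_id="appcred-1")
    cred = create_ec2_credential(viewer_ctx, store, protect=protect)
    return authenticate_ec2(cred, store).roles
```

With `protect=False` the viewer-scoped application credential ends up with `{"admin", "viewer"}`; with `protect=True` the creation call is refused.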