
Restrict ACK ACM controller IAM to read-only#523

Closed
sanmesh-kakade wants to merge 2 commits into develop from fabric-fixes

Conversation

@sanmesh-kakade
Contributor

Summary

  • Remove IAM permissions that allow creating, importing, deleting, renewing, or modifying ACM certificates (RequestCertificate, ImportCertificate, DeleteCertificate, RenewCertificate, ExportCertificate, UpdateCertificateOptions)
  • Retain only read and tag management permissions needed for adopting existing certs via AdoptedResource
  • Enforce least-privilege access for the ACK ACM controller

Test plan

  • Deploy updated module and verify ACK controller can adopt an existing ACM cert via AdoptedResource
  • Verify controller can sync cert to Kubernetes Secret via exportTo
  • Confirm RequestCertificate is denied (no new certs can be created)

🤖 Generated with Claude Code

Remove permissions that allow creating, importing, deleting, renewing,
or modifying ACM certificates. The controller now only needs to adopt
and sync existing certificates via AdoptedResource.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@coderabbitai
Contributor

coderabbitai bot commented Mar 17, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

🗂️ Base branches to auto review (1)
  • facets-saas

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 71e22f9c-1314-4841-bba0-517e22494363


Required for exportTo to work with adopted certificates. This permission
only reads existing cert data (cert body + private key), does not create
new certificates.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@sanmesh-kakade
Contributor Author

covered in #524
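Added example, not code from this PR or from the ACK project: a small linter that checks an IAM policy document for the three classes of ACM action that the PR summary and the second commit message distinguish, namely the mutating actions the PR removes (RequestCertificate, ImportCertificate, DeleteCertificate, RenewCertificate, UpdateCertificateOptions), the read and tag actions it retains for AdoptedResource, and acm:ExportCertificate, which the second commit keeps for exportTo and which returns the certificate's private key. The action names are real ACM IAM actions; the two sample policies, their Sids and the module structure are constructed for illustration and are not the module's actual policy.

```python
"""Check an IAM policy document for ACM permissions beyond what an
adopt-and-sync controller needs. Added example, not the PR's or ACK's code."""
import fnmatch
import json

# Real ACM IAM action names, grouped by what they let a principal do.
MUTATING_ACM_ACTIONS = {   # create, import, delete, renew, modify: removed by the PR
    "acm:RequestCertificate",
    "acm:ImportCertificate",
    "acm:DeleteCertificate",
    "acm:RenewCertificate",
    "acm:UpdateCertificateOptions",
}
PRIVATE_KEY_ACTIONS = {    # read-only in IAM terms, but returns the private key
    "acm:ExportCertificate",
}
READ_AND_TAG_ACTIONS = {   # retained by the PR for AdoptedResource
    "acm:DescribeCertificate",
    "acm:GetCertificate",
    "acm:ListCertificates",
    "acm:ListTagsForCertificate",
    "acm:AddTagsToCertificate",
    "acm:RemoveTagsFromCertificate",
}
ALL_KNOWN = MUTATING_ACM_ACTIONS | PRIVATE_KEY_ACTIONS | READ_AND_TAG_ACTIONS


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def _matches(action, patterns):
    """IAM action globs (* and ?) are case-insensitive; fnmatch is close enough."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def allowed_acm_actions(policy):
    """Expand every Allow statement's Action globs against the known ACM actions.
    Deny statements, NotAction and Condition keys are not evaluated."""
    granted = set()
    for stmt in _allow_statements(policy):
        patterns = _as_list(stmt.get("Action"))
        granted |= {a for a in ALL_KNOWN if _matches(a, patterns)}
    return granted


def lint_acm_policy(policy):
    """Split what the policy grants into the three classes above."""
    granted = allowed_acm_actions(policy)
    return {
        "mutating": sorted(granted & MUTATING_ACM_ACTIONS),
        "private_key": sorted(granted & PRIVATE_KEY_ACTIONS),
        "read_and_tag": sorted(granted & READ_AND_TAG_ACTIONS),
    }


def is_read_only(policy):
    """True when no certificate-mutating ACM action is granted."""
    return not lint_acm_policy(policy)["mutating"]


def unscoped_private_key_grants(policy):
    """Sids of Allow statements that grant ExportCertificate on Resource "*"."""
    hits = []
    for stmt in _allow_statements(policy):
        patterns = _as_list(stmt.get("Action"))
        if any(_matches(a, patterns) for a in PRIVATE_KEY_ACTIONS) \
                and "*" in _as_list(stmt.get("Resource")):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


# Constructed sample policies (hypothetical Sids), not the module's actual IAM.
BEFORE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AcmFullAccess", "Effect": "Allow", "Action": "acm:*", "Resource": "*"}
  ]
}""")

AFTER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AcmReadAndTag", "Effect": "Allow", "Resource": "*",
     "Action": ["acm:DescribeCertificate", "acm:GetCertificate",
                "acm:ListCertificates", "acm:ListTagsForCertificate",
                "acm:AddTagsToCertificate", "acm:RemoveTagsFromCertificate"]},
    {"Sid": "ExportAdoptedCert", "Effect": "Allow",
     "Action": "acm:ExportCertificate", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for name, policy in (("before", BEFORE_POLICY), ("after", AFTER_POLICY)):
        print(name, "read-only:", is_read_only(policy), lint_acm_policy(policy))
        print(name, "ExportCertificate on Resource *:", unscoped_private_key_grants(policy))
```

Run against the constructed documents it flags the wildcard policy for every mutating action, passes the trimmed policy as read-only, and still reports that acm:ExportCertificate is granted on Resource "*". Because that call hands out the private key, scoping its Resource to the ARNs of the certificates the controller is meant to adopt is the follow-up a reviewer would ask for; the second commit's "only reads existing cert data" is true in the IAM sense but that read includes the key. Deny, NotAction and Condition are deliberately not modelled, so treat a clean result as necessary, not sufficient.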
