diff --git a/api/types/constants.go b/api/types/constants.go index 9a5efafedd766..ba7785d2ff945 100644 --- a/api/types/constants.go +++ b/api/types/constants.go @@ -573,6 +573,12 @@ const ( // KindStaticHostUser is a host user to be created on matching SSH nodes. KindStaticHostUser = "static_host_user" + // KindIdentityCenter is an umbrella kind, representing all KindIdentityCenter* + // resource kinds in RBAC checks. This is to simplify Role condition statements + // so that they don't have to individually specify all of the Identity Center + // resource kinds. + KindIdentityCenter = "aws_identity_center" + // KindIdentityCenterAccount describes an Identity-Center managed AWS Account KindIdentityCenterAccount = "aws_ic_account" diff --git a/lib/services/presets.go b/lib/services/presets.go index 1d6a4bfc5c6c1..a4b6fec68e70c 100644 --- a/lib/services/presets.go +++ b/lib/services/presets.go @@ -182,7 +182,7 @@ func NewPresetEditorRole() types.Role { types.NewRule(types.KindNotification, RW()), types.NewRule(types.KindStaticHostUser, RW()), types.NewRule(types.KindUserTask, RW()), - types.NewRule(types.KindIdentityCenterAccount, RW()), + types.NewRule(types.KindIdentityCenter, RW()), }, }, }, diff --git a/lib/services/role.go b/lib/services/role.go index 2f36e26b575d7..16b1c79287e87 100644 --- a/lib/services/role.go +++ b/lib/services/role.go @@ -79,7 +79,7 @@ var DefaultImplicitRules = []types.Rule{ types.NewRule(types.KindVnetConfig, RO()), types.NewRule(types.KindSPIFFEFederation, RO()), types.NewRule(types.KindSAMLIdPServiceProvider, RO()), - types.NewRule(types.KindIdentityCenterAccount, RO()), + types.NewRule(types.KindIdentityCenter, RO()), } // DefaultCertAuthorityRules provides access the minimal set of resources diff --git a/lib/services/role_test.go b/lib/services/role_test.go index 8d6d529bf678d..d474585e58cbf 100644 --- a/lib/services/role_test.go +++ b/lib/services/role_test.go @@ -2505,25 +2505,25 @@ func TestDefaultImplicitRules(t *testing.T) { checks []check }{ { - name: "KindIdentityCenterAccount with NewPresetAccessRole", + name: "KindIdentityCenter with NewPresetAccessRole", role: NewPresetAccessRole(), checks: []check{ - {rule: types.KindIdentityCenterAccount, verb: types.VerbRead, namespace: apidefaults.Namespace, hasAccess: true}, - {rule: types.KindIdentityCenterAccount, verb: types.VerbList, namespace: apidefaults.Namespace, hasAccess: true}, - {rule: types.KindIdentityCenterAccount, verb: types.VerbCreate, namespace: apidefaults.Namespace, hasAccess: false}, - {rule: types.KindIdentityCenterAccount, verb: types.VerbUpdate, namespace: apidefaults.Namespace, hasAccess: false}, - {rule: types.KindIdentityCenterAccount, verb: types.VerbDelete, namespace: apidefaults.Namespace, hasAccess: false}, + {rule: types.KindIdentityCenter, verb: types.VerbRead, namespace: apidefaults.Namespace, hasAccess: true}, + {rule: types.KindIdentityCenter, verb: types.VerbList, namespace: apidefaults.Namespace, hasAccess: true}, + {rule: types.KindIdentityCenter, verb: types.VerbCreate, namespace: apidefaults.Namespace, hasAccess: false}, + {rule: types.KindIdentityCenter, verb: types.VerbUpdate, namespace: apidefaults.Namespace, hasAccess: false}, + {rule: types.KindIdentityCenter, verb: types.VerbDelete, namespace: apidefaults.Namespace, hasAccess: false}, }, }, { - name: "KindIdentityCenterAccount with a custom role that does not explicitly target read and list verbs for KindIdentityCenterAccount", + name: "KindIdentityCenter with a custom role that does not explicitly target read and list verbs for KindIdentityCenterAccount", role: newRole(func(r *types.RoleV6) {}), checks: []check{ - {rule: types.KindIdentityCenterAccount, verb: types.VerbRead, namespace: apidefaults.Namespace, hasAccess: true}, - {rule: types.KindIdentityCenterAccount, verb: types.VerbList, namespace: apidefaults.Namespace, hasAccess: true}, - {rule: types.KindIdentityCenterAccount, verb: types.VerbCreate, namespace: apidefaults.Namespace, hasAccess: false}, - {rule: types.KindIdentityCenterAccount, verb: types.VerbUpdate, namespace: apidefaults.Namespace, hasAccess: false}, - {rule: types.KindIdentityCenterAccount, verb: types.VerbDelete, namespace: apidefaults.Namespace, hasAccess: false}, + {rule: types.KindIdentityCenter, verb: types.VerbRead, namespace: apidefaults.Namespace, hasAccess: true}, + {rule: types.KindIdentityCenter, verb: types.VerbList, namespace: apidefaults.Namespace, hasAccess: true}, + {rule: types.KindIdentityCenter, verb: types.VerbCreate, namespace: apidefaults.Namespace, hasAccess: false}, + {rule: types.KindIdentityCenter, verb: types.VerbUpdate, namespace: apidefaults.Namespace, hasAccess: false}, + {rule: types.KindIdentityCenter, verb: types.VerbDelete, namespace: apidefaults.Namespace, hasAccess: false}, }, }, {