
Istio request.auth.claims[cognito:groups] is not working


apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-example"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
    - issuer: "https://cognito-idp.ap-southeast-1.amazonaws.com/ap-southeast-xxxxx"
      jwksUri: "https://cognito-idp.ap-southeast-1.amazonaws.com/ap-southeast-xxxxx/.well-known/jwks.json"

and

spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: ALLOW
  rules:
    - from:
        - source:
            notRequestPrincipals: ["*"]
      to:
        - operation:
            paths: ["/api/v1/*"]
      when:
        - key: request.auth.claims[cognito:groups]
          values: ["testing"]

I've tried to use the above code snippets to allow access to /api/v1/* if the JWT token is based on the testing group of AWS Cognito. Unfortunately, it's not working and shows RBAC: access denied. Please let me know how I can fix it?


Solution

  • Issue

    With your current AuthorizationPolicy you block every request with a correct token with 403 RBAC: access denied.

    I have recently made a few tests with AuthorizationPolicy; it's worth taking a moment to understand how it works.


    Solution

    As we discussed in comments, there are 2 ways to actually make this work.

    With action:ALLOW and requestPrincipals

    spec:
      selector:
        matchLabels:
          istio: ingressgateway
      action: ALLOW
      rules:
        - from:
            - source:
                requestPrincipals: ["*"]
    

    or action:DENY and notRequestPrincipals

    spec:
      selector:
        matchLabels:
          istio: ingressgateway
      action: DENY
      rules:
        - from:
            - source:
                notRequestPrincipals: ["*"]
    

    Example

    There is an example from the Istio in Action book.

    Denying requests without JWT Tokens

    Let’s create an authorization policy that denies requests targeting the API Gateway without a JWT Token:

    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
     name: app-gw-requires-jwt
     namespace: istio-system
    spec:
     selector:
       matchLabels:
         app: istio-ingressgateway
     action: DENY
     rules:
     - from:
       - source:
           notRequestPrincipals: ["*"]
       to:
       - operation:
           hosts: ["apiserver.istioinaction.io"]
    

    This policy makes use of the property notRequestPrincipals and the "*" value, which means that the source matches all requests that lack the request principal property. The request principal property gets its value from two claims that are extracted by the Request Authentication filter from the token and stored in filter metadata. The two claims are issuer and subject, in the format iss/sub.
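The ALLOW variant from the answer combined with the path and cognito:groups condition from the question, as an added example rather than code from the answer or from Istio; the policy name is assumed, and the issuer URL is the placeholder from the question's RequestAuthentication:

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: api-v1-requires-testing-group   # assumed name
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: ALLOW
  rules:
    - from:
        - source:
            # requestPrincipals matches only requests that carry a JWT validated
            # by the RequestAuthentication (principal = iss/sub). The question's
            # notRequestPrincipals: ["*"] matched the opposite set, so every
            # request with a valid token fell through to the default deny.
            # To pin the principal to the Cognito user pool instead of any
            # validated issuer, replace "*" with the issuer plus a "/*" suffix:
            #   "https://cognito-idp.ap-southeast-1.amazonaws.com/ap-southeast-xxxxx/*"
            requestPrincipals: ["*"]
      to:
        - operation:
            paths: ["/api/v1/*"]
      when:
        # cognito:groups is a list-of-strings claim; Istio's when condition
        # matches if any element of the list equals one of the values.
        - key: request.auth.claims[cognito:groups]
          values: ["testing"]
```

Because an ALLOW policy now applies to the gateway, any request that matches none of its rules (no valid token, a different path, or a token without the testing group) is denied with RBAC: access denied, so other paths served through the same gateway need their own ALLOW rule.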