Open
Labels: bug (Something isn't working)
Description
Is this a BUG REPORT or FEATURE REQUEST?:
Bug Report
What happened:
The docs say that iam.policy.resource.blacklist is optional. However, if you leave it unset, the code defaults (I think) to it being *. This causes ALL policies to fail - even your example resource:
I1218 01:38:04.716046 1 event.go:281] Event(v1.ObjectReference{Kind:"Iamrole", Namespace:"iam-manager-system", Name:"iam-manager-iamrole-irsa", UID:"b6dc3100-6203-4bfa-9009-ed91af187f4a", APIVersion:"iammanager.keikoproj.io/v1alpha1", ResourceVersion:"12568066", FieldPath:""}): type: 'Warning' reason: 'PolicyNotAllowed' Unable to create/update iam role due to error spec.PolicyDocument.Resource: Forbidden: restricted resource arn:aws:s3:::mybucket* included in the request
What you expected to happen:
It should have been allowed.
Anything else we need to know?:
Setting this policy to an invalid string ("nil") works for us for now as a workaround.
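Added example, not iam-manager's own code: a minimal Go model of the defaulting behaviour described in this issue, assuming a simple prefix-wildcard matcher (the names effectiveBlacklist, matchPattern and restrictedResources are hypothetical). It contrasts the legacy default (an unset blacklist becomes "*") with treating an unset blacklist as empty, and shows why the "nil" workaround matches nothing.

```go
package main

import (
	"fmt"
	"strings"
)

// effectiveBlacklist is where the reported bug lives: an unset (empty)
// iam.policy.resource.blacklist is an optional setting and should restrict
// nothing, but the legacy branch defaults it to "*", which matches every ARN.
func effectiveBlacklist(configured []string, legacyDefault bool) []string {
	if len(configured) == 0 && legacyDefault {
		return []string{"*"} // the behaviour the issue describes
	}
	return configured // unset stays empty: no resource is restricted
}
// matchPattern: "*" alone matches everything, a trailing "*" is a prefix
// wildcard, anything else must match exactly (assumed matching semantics).
func matchPattern(pattern, resource string) bool {
	if pattern == "*" {
		return true
	}
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(resource, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == resource
}
// restrictedResources returns every policy resource that hits the blacklist;
// an empty result means the policy document is allowed.
func restrictedResources(resources, blacklist []string) []string {
	var hits []string
	for _, r := range resources {
		for _, b := range blacklist {
			if matchPattern(b, r) {
				hits = append(hits, r)
				break
			}
		}
	}
	return hits
}
func main() {
	policy := []string{"arn:aws:s3:::mybucket*"} // resource from the issue's event log
	for _, bl := range [][]string{nil, {"nil"}, {"arn:aws:iam::*"}} {
		fmt.Printf("blacklist=%q legacy=%q fixed=%q\n", bl,
			restrictedResources(policy, effectiveBlacklist(bl, true)),
			restrictedResources(policy, effectiveBlacklist(bl, false)))
	}
}
```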