TEAM requests created with missing fields #340

Open
headj-origami opened this issue Dec 17, 2024 · 2 comments
@headj-origami

Describe the bug
After upgrading from TEAM v1.1.2 to v1.2.2, new elevated access requests are created with key information (critically, the requester email) missing. This leaves the request in an unapprovable state, as it appears in neither "My requests" nor "Approve requests".

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'Create Request'
  2. Enter a valid Account, Role, Duration, and justification
  3. Click 'Submit'

Expected behavior
Access request is created.
Depending on the eligibility policy, this should either automatically become active (if no approval required), or be sent to the Approvals list for relevant approvers.

Observed behavior
The request only appears in Audit > Approvals list, with a null Requester email in a pending state with a NaN request expiry.
This does not appear in either 'My requests' (as the requester) or 'Approve requests' (for approvers).

In the DynamoDB requests table, the corresponding fields (email and sessionDuration) are missing.

Full DynamoDB JSON:

{
  "id": {
    "S": "MASKED"
  },
  "accountId": {
    "S": "MASKED"
  },
  "accountName": {
    "S": "MASKED"
  },
  "createdAt": {
    "S": "2024-12-17T19:00:27.558Z"
  },
  "duration": {
    "S": "1"
  },
  "justification": {
    "S": "Testing TEAM"
  },
  "owner": {
    "S": "MASKED::idcMASKED"
  },
  "role": {
    "S": "MASKED"
  },
  "roleId": {
    "S": "arn:aws:sso:::permissionSet/MASKED/MASKED"
  },
  "startTime": {
    "S": "2024-12-17T19:05:00.862Z"
  },
  "status": {
    "S": "pending"
  },
  "ticketNo": {
    "S": ""
  },
  "updatedAt": {
    "S": "2024-12-17T19:00:27.558Z"
  },
  "username": {
    "S": "idc_MASKED"
  },
  "__typename": {
    "S": "requests"
  }
}

Screenshots
Audit list:
image

Detail of bugged request:
image

Desktop (please complete the following information):

  • OS: macOS 14.7.1
  • Browser: Chrome
  • Version: 131.0.6778.86

Additional context
TEAM version 1.2.2
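
Requests in the state reported above can be located by scanning the requests table for items that lack the two attributes. This is an added example, not part of the original issue or the TEAM code base; it assumes healthy items carry `email` and `sessionDuration` as string attributes, and the sample items are constructed placeholders.

```python
import json

# Attributes the issue reports as absent on broken items.
# Assumption: healthy TEAM request items carry both.
REQUIRED = ("email", "sessionDuration")

def unmarshal(item):
    """Flatten DynamoDB JSON ({"attr": {"S": "v"}}); NULL becomes None."""
    flat = {}
    for name, typed in item.items():
        (dtype, value), = typed.items()  # each attribute has one type tag
        flat[name] = None if dtype == "NULL" else value
    return flat

def load_items(text):
    """Accept one item, a list of items, or scan output ({"Items": [...]})."""
    data = json.loads(text)
    if isinstance(data, dict):
        data = data["Items"] if isinstance(data.get("Items"), list) else [data]
    return [unmarshal(i) for i in data]

def find_incomplete(records, required=REQUIRED):
    """Return one finding per request whose required attribute is absent or empty."""
    findings = []
    for rec in records:
        missing = [f for f in required if rec.get(f) in (None, "")]
        if missing:
            findings.append({"id": rec.get("id"), "status": rec.get("status"),
                             "roleId": rec.get("roleId"), "missing": missing})
    return findings

# Constructed sample in scan-output shape; every value is a placeholder.
SAMPLE = json.dumps({"Items": [
    {"id": {"S": "req-ok"}, "status": {"S": "pending"},
     "roleId": {"S": "arn:aws:sso:::permissionSet/EXAMPLE/ps-current"},
     "email": {"S": "user@example.com"}, "sessionDuration": {"S": "8"}},
    {"id": {"S": "req-broken"}, "status": {"S": "pending"},
     "roleId": {"S": "arn:aws:sso:::permissionSet/EXAMPLE/ps-old"},
     "duration": {"S": "1"}},
    {"id": {"S": "req-null-email"}, "status": {"S": "pending"},
     "roleId": {"S": "arn:aws:sso:::permissionSet/EXAMPLE/ps-old"},
     "email": {"NULL": True}, "sessionDuration": {"S": "1"}},
]})

if __name__ == "__main__":
    for finding in find_incomplete(load_items(SAMPLE)):
        print(finding)
```

`load_items` accepts the JSON printed by `aws dynamodb scan --table-name <requests-table>`, where the table name is a placeholder for the deployment's requests table. The `roleId` in each finding shows which permission set ARN the stuck request was created against.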

@headj-origami
Author

Managed to solve this - the issue was that the IAM PermissionSets in my Eligibility policies had been recreated, changing their ARN.

I believe that this meant that while it was possible to create a request for the PermissionSet by name, TEAM was unable to look up the details of max duration. I'm still unsure why requester email would be missing, but it's also probably related to not being able to look up the Policy.

@sudeepshiv

We are having a similar issue whereby Requestor and Approver are shown empty (refer to screenshot). We are on version 1.2.2 as well and suspect it has something to do with Approver Policies. If the "Approver AD Groups" contains "Approver keywords", we noticed this issue comes up; we switched the AD Group Name to a different naming convention and it seems OK.
However, we are not very sure this is related to this issue...

Image
