Fix admin check for root aws users (#940)

deliahu · deliahu · commit 9223adebfe38 · 2020-04-01T21:47:44.000-07:00
(cherry picked from commit 463e878)
diff --git a/pkg/lib/aws/iam.go b/pkg/lib/aws/iam.go
@@ -17,6 +17,8 @@ limitations under the License.
 package aws
 
 import (
+	"strings"
+
 	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/cortexlabs/cortex/pkg/lib/errors"
 )
@@ -50,6 +52,7 @@ func (c *Client) GetGroupsForUser(userName string) ([]iam.Group, error) {
 	return groups, nil
 }
 
+// Note: root users don't have attached policies, but do have full access
 func (c *Client) GetManagedPoliciesForUser(userName string) ([]iam.AttachedPolicy, error) {
 	var policies []iam.AttachedPolicy
 
@@ -89,6 +92,16 @@ func (c *Client) IsAdmin() bool {
 		return false
 	}
 
+	// Root users may not have a user name
+	if user.UserName == nil {
+		return true
+	}
+
+	// Root users may have a user name
+	if user.Arn == nil || strings.HasSuffix(*user.Arn, ":root") {
+		return true
+	}
+
 	policies, err := c.GetManagedPoliciesForUser(*user.UserName)
 	if err != nil {
 		return false
