AlloyDB granting alloydbiamuser role changes password-based auth to IAM auth

I came across something in AlloyDB (running in PG 15 mode, if that matters) that I think is a bug as I just inadvertently locked myself out.

Normally, granting/revoking the built-in alloydbiamuser role is blocked.

GRANT alloydbiamuser TO pwuser;
ERROR:  grant or revoke of role "alloydbiamuser" is not allowed
\dg
                                 List of roles
 Role name                       | Attributes             | Member of
---------------------------------+------------------------+----------------------------------------------------
 . . .                           |                        |
 iamuser@some-project-318812.iam |                        | {alloydbiamuser}
 pwuser                          | Create role, Create DB | {alloydbsuperuser}

But I can grant an IAM user to a password-based user, and that turns the password-based user into an IAM user (thus making it impossible for them to sign in).

GRANT iamuser@some-project-318812.iam TO pwuser;

\dg
                                 List of roles
 Role name                       | Attributes             | Member of
---------------------------------+------------------------+----------------------------------------------------
 . . .                           |                        |
 iamuser@some-project-318812.iam |                        | {alloydbiamuser}
 pwuser                          | Create role, Create DB | {alloydbsuperuser,iamuser@some-project-318812.iam}

psql: error: FATAL:  AlloyDB IAM user authentication failed for user "pwuser"

I think the IAM auth logic should not consider "inherited" alloydbiamuser, only the "direct" alloydbiamuser role on the current user. If that's not possible, then granting IAM roles to password users should be blocked (although that would be an unnecessary limitation).

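A catalog check that finds login roles in the state pwuser ends up in above (members of alloydbiamuser only through another role), added here as an example and not part of the original post. It assumes standard PostgreSQL catalogs and the built-in role name alloydbiamuser from the post, and deliberately ignores NOINHERIT so that it errs on the side of reporting.

```sql
-- Added example, not from the original post. Lists roles that can log in
-- and are members of alloydbiamuser only indirectly (e.g. pwuser after it
-- was granted iamuser@some-project-318812.iam). Assumes standard PostgreSQL
-- catalogs and the built-in role name alloydbiamuser; NOINHERIT is ignored
-- on purpose so the check reports every transitive path.
WITH RECURSIVE membership AS (
    -- Depth 1: grants recorded directly in the catalog.
    SELECT m.member,
           m.roleid,
           1 AS depth,
           ARRAY[m.member::regrole::text, m.roleid::regrole::text] AS chain
    FROM pg_auth_members AS m
    UNION ALL
    -- Depth n+1: if member is in X and X is in Y, member inherits Y.
    -- PostgreSQL rejects circular grants, so the depth bound is only a guard.
    SELECT mb.member,
           m.roleid,
           mb.depth + 1,
           mb.chain || m.roleid::regrole::text
    FROM membership AS mb
    JOIN pg_auth_members AS m ON m.member = mb.roleid
    WHERE mb.depth < 16
),
iam_marker AS (
    -- Empty (and so no rows reported) if this is not an AlloyDB instance.
    SELECT oid FROM pg_roles WHERE rolname = 'alloydbiamuser'
)
SELECT r.rolname                         AS role_name,
       mb.depth                          AS hops_to_alloydbiamuser,
       array_to_string(mb.chain, ' -> ') AS grant_chain
FROM membership AS mb
JOIN pg_roles   AS r  ON r.oid  = mb.member
JOIN iam_marker AS im ON im.oid = mb.roleid
WHERE r.rolcanlogin                      -- roles that are meant to log in
  AND mb.depth > 1                       -- inherited, not directly granted
  AND NOT EXISTS (                       -- and not also a direct member
        SELECT 1 FROM pg_auth_members AS d
        WHERE d.member = mb.member AND d.roleid = im.oid)
ORDER BY role_name, hops_to_alloydbiamuser;

-- Remediation for a reported row: remove the indirect path so the password
-- role is no longer treated as an IAM user. Role names containing '@' or '.'
-- must be quoted. Issue this from a session that can still log in.
REVOKE "iamuser@some-project-318812.iam" FROM pwuser;
```

Running the SELECT before and after any GRANT of an IAM role to a password role makes the lockout condition visible before the next login attempt fails.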