@aws-cdk/aws-iam: concrete role/group/user ARN does not include path

[saltman424]

IAM groups, users, and roles do not have the path included in their cross-environment ARN (i.e. in the getResourceArnAttribute's second argument)

Reproduction Steps

1. Create stacks for different accounts
2. Put a role in one stack
3. Put a bucket in the other
4. Call stackB.bucket.grantReadWrite(stackA.role)
5. Try to deploy - should encounter invalid ARN error, e.g. "An ARN in the specified key policy is invalid."

What did you expect to happen?

Correct ARN

What actually happened?

Invalid ARN error

Environment

• CDK CLI Version : 1.89.0
• Framework Version: 1.89.0
• Node.js Version: 12.18.2
• OS : Windows 10
• Language (Version): TypeScript 4.1.3

Other

I tried creating a pull request, since this is a quick fix. However, I am having problems with pushing to GitHub.

This was basically my solution (also applied to group and user):

this.roleArn = this.getResourceArnAttribute(role.attrArn, {
  region: '', // IAM is global in each partition
  service: 'iam',
  resource: `role${props.path || '/'}${this.physicalName}`,
});

---

This is 🐛 Bug Report

[rix0rrr]

However, I am having problems with pushing to GitHub.

Thanks for the PR!

You need to fork the repository to your own account first. Then you can push to your own account, and create a PR based off of that back to us.

[saltman424]

@rix0rrr Turns out it was a credential helper issue for pushing. I just created the pull request: #13258

[github-actions]

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.