Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(iam): policies created with grant interface in different stacks have the same name and overwrite each other #16074

Closed
ProficientBell opened this issue Aug 16, 2021 · 4 comments · Fixed by #20705
Closed

(iam): policies created with grant interface in different stacks have the same name and overwrite each other #16074

ProficientBell opened this issue Aug 16, 2021 · 4 comments · Fixed by #20705
Assignees
@comcalvi
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. effort/medium Medium work item – several days of effort p1

Comments

@ProficientBell
Copy link

I'm importing a role in two separate stacks to add permissions to resources created in those stacks and they end up overwriting each other

Reproduction Steps

stack 1 has:

    const myRole = Role.fromRoleArn(
        this,
        'myRole',
        StringParameter.valueForStringParameter(this, 'myParam');
    );
    myLambda.grantInvoke(myRole);

stack 2 has:

    const myRole = Role.fromRoleArn(
        this,
        'myRole',
        StringParameter.valueForStringParameter(this, 'myParam');
    );
    myEventbridge.grantPutEventsTo(myRole);

What did you expect to happen?

I expected two policies to be added to the role allowing put permission to myEventbridge and allowing invoke on myLambda.

What actually happened?

I only get one of these permissions. The policy name generated is the same for both (in my case something like 'myRolePolicy3334F5F9') so one ends up overwriting the other.

I've worked around this by changing the imported role id in each stack to be unique but I find this troubling as it is extremely easy to accidentally overwrite policies set in a different stack. Shouldn't names be unique by stack?

Environment

  • **CDK CLI Version :1.117.0
  • **Framework Version:1.117.0
  • **Node.js Version:v16.3.0
  • **OS :ios
  • **Language (Version):TypeScript 4.3.4

Other

This is 🐛 Bug Report
@ProficientBell ProficientBell added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 16, 2021
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Aug 16, 2021
@rix0rrr rix0rrr added effort/medium Medium work item – several days of effort p1 and removed needs-triage This issue or PR still needs to be triaged. labels Aug 19, 2021
@rix0rrr rix0rrr removed their assignment Aug 19, 2021
@EhrhardtDa
Copy link

EhrhardtDa commented Aug 31, 2021
edited
Loading

I'm having the same with grants on kms keys.
I deploy a key in each environment (different apps / same stack template) and add grants for the equal role in each environment, which leads to a Policy, with the same Unique Identifier in each environment. The policy gets then overwritten, depending on which environment was deployed lastly.

@acere
Copy link

acere commented Feb 22, 2022

This looks like the same problem as #7483
I've encountered the same issue when granting privileges to the same IAM roles from two different stacks.
Is there any update on workarounds to rename the IAM policies created by grant* methods?

@comcalvi
Copy link
Contributor

comcalvi commented Jun 9, 2022

I've reproduced this successfully.

@comcalvi comcalvi self-assigned this Jun 9, 2022
@comcalvi comcalvi mentioned this issue Jun 11, 2022
Merged
4 tasks
@mergify mergify bot closed this as completed in #20705 Jun 15, 2022
mergify bot pushed a commit that referenced this issue Jun 15, 2022
@comcalvi
fix(iam): add defaultPolicyName to prevent policies overwriting eac…
703e62e 
…h other in multi-stack deployments (#20705)

This adds a prop, `defaultPolicyName`, that can be specified for imported roles. If the same role is imported in at least two stacks, and both of them create grant permissions to that role, the permissions granted in whichever stack was deployed last will overwrite the permissions granted by all others. Specifying this option allows users to specify different policy names across different stacks, which will prevent this overwrite issue.

Closes #16074.

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

daschaa pushed a commit to daschaa/aws-cdk that referenced this issue Jul 9, 2022
@comcalvi @daschaa
fix(iam): add defaultPolicyName to prevent policies overwriting eac…
a8ea8bb 
…h other in multi-stack deployments (aws#20705)

This adds a prop, `defaultPolicyName`, that can be specified for imported roles. If the same role is imported in at least two stacks, and both of them create grant permissions to that role, the permissions granted in whichever stack was deployed last will overwrite the permissions granted by all others. Specifying this option allows users to specify different policy names across different stacks, which will prevent this overwrite issue.

Closes aws#16074.

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@comcalvi comcalvi

Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. effort/medium Medium work item – several days of effort p1
Projects
None yet
Milestone
No milestone
5 participants
@rix0rrr @EhrhardtDa @acere @comcalvi @ProficientBell