-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(aws-iam): grantAssumeRole does nothing #24507
(aws-iam): grantAssumeRole does nothing #24507
Comments
Hi You will need to use const role = new iam.Role(this, 'role', {
assumedBy: new iam.AccountPrincipal(this.account),
})
role.assumeRolePolicy?.addStatements(new iam.PolicyStatement({
actions: ['sts:AssumeRole'],
principals: [new iam.AccountPrincipal('123456789')],
})) related to #22550 (comment) |
|
What is the purpose of When trying to use this workaround, it can end up trying to create cyclical references. In particular when trying to add RolePrincipals or RoleArns, such as for a specific lambda. |
have the same problem. spent hours to figure out why grant_assume_role(identity) does nothing. how should one actually find out this workaround to add statement to the role policy... no idea... imho this workaround (if it is one) should be at least mentioned in the docs. although it works, there is a "add_statements" is not a known member of "None" message |
Would like to comment that I just encountered this issue too and it's a bit bewildering. I'm totally fine using Just make it clear that you shouldn't use To make the problem obvious, here is a minimum example to reproduce the bug:
|
I ran into a similar problem, but I was able to solve this with fewer lines of code using spread operator. const accountsToAllowAssumedBy = ['000000000000', '111111111111'];
const role = new iam.Role(this, 'Role', {
roleName: 'AssumeRoleTest',
assumedBy: new iam.CompositePrincipal(
new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
...accountsToAllowAssumedBy.map((account) => new iam.AccountPrincipal(account)), //Spread Operator (...)
),
}); Output: "Role1ABCC5F0": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": "AssumeRoleTest",
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::000000000000:root",
"arn:aws:iam::111111111111:root"
],
"Service": "ecs-tasks.amazonaws.com"
}
}
],
},
},
}, |
…ncipals (#29452) ### Issue #24507 ### Reason for this change grantAssumeRole silently fails if a Service Principal or Account Principal is used which led me to a false assumption about the correctness of a role's permission scope ### Description of changes This change will throw an error if a Service Principal is used. I was unable to find a way to accomplish the same behavior for Account Principals. Documentation was updated to help guide a user to the appropriate function usage for Service and Account Principals. ### Description of how you validated changes * Added a unit test * This change required me to re-run two unrelated snapshot tests which were throwing errors outside of the scope of this change. *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Describe the bug
Role.grantAssumeRole()
does not make any difference in the generated policy.Expected Behavior
grantAssumeRole
should grant the given princial permission to assume the role.Current Behavior
No-op.
Reproduction Steps
Possible Solution
No response
Additional Information/Context
Workaround:
CDK CLI Version
2.67.0
Framework Version
No response
Node.js Version
v18.14.2
OS
Ubuntu
Language
Typescript
Language Version
No response
Other information
No response
The text was updated successfully, but these errors were encountered: