fix(iam): grantAssumeRole silently fails with service and account principals #29452
Conversation
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
@@ -369,6 +369,37 @@ new iam.Role(this, 'Role', { | |||
}); | |||
``` | |||
|
|||
### Granting assume role permission from a role | |||
|
|||
Principals can be granted permission to assume a role using `grantAssumeRole`. Note that this does not apply to Service Principals or Account Principals as they must be added to the role Trust Policy. |
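Review bot: the note at the end of this hunk says service and account principals "must be added to the role Trust Policy" but not how to do that; since the PR description says the documentation is meant to guide users to the right function, name it here, e.g. "...must be added to the role trust policy via `assumeRolePolicy`", so the reader is not left to find the API on their own.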
Nit: lowercase service principals [1]
Nit: lowercase account principals [2]
Also move the note to a newline.
[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-accounts
@@ -369,6 +369,37 @@ new iam.Role(this, 'Role', { | |||
}); | |||
``` | |||
|
|||
### Granting assume role permission from a role |
"From a role" is confusing here. Can you change this to "Granting principals permission to assume a role"
role.grantAssumeRole(user); | ||
``` | ||
|
||
### Giving Service Principals and Account Principals assume role permission from a role |
"Granting service and account principals permission to assume a role"
|
||
### Giving Service Principals and Account Principals assume role permission from a role | ||
|
||
Service Principals and Account Principals can be granted permission to assume a role using `assumeRolePolicy` which modifies the role Trust Policy. |
lowercase
Trust Policy should be lowercase too.
// Service Principals must use assumeRolePolicy | ||
if (identity.policyFragment.principalJson.Service) { | ||
throw new Error('Cannot use a Service Principal with grantAssumeRole, use assumeRolePolicy instead.'); | ||
} |
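Review bot: the guard in this hunk only covers service principals (`principalJson.Service`), but the PR description and the README text in this same change say account principals fail silently with `grantAssumeRole` too, so the new error still lets the account-principal case through unchanged. Checking the principal type directly, `if (identity instanceof ServicePrincipal || identity instanceof AccountPrincipal)`, covers both cases and does not depend on the shape of the policy-fragment JSON; the error message and comment should then mention account principals as well, and a test for the account-principal path is needed alongside the service-principal one.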
I think this would work?

```ts
if (identity instanceof ServicePrincipal || identity instanceof AccountPrincipal) {
  throw new Error('Cannot use a service or account principal with grantAssumeRole, use assumeRolePolicy instead.');
}
```
Good call, this appears to have worked. Added another test for account principal.
Can you change the title? It should reflect the bug. Maybe:
See inline. Great start!
Incorporated all feedback and updated title
@@ -369,6 +369,39 @@ new iam.Role(this, 'Role', { | |||
}); | |||
``` | |||
|
|||
### Granting an identity permission to assume a role |
Can you change this to "Granting a principal...". That's the more common verbiage.
Ah, I forgot I'd modified this. I changed this to identity based on this section of the readme, but I think I'm just misreading it. Will change.
@@ -369,6 +369,39 @@ new iam.Role(this, 'Role', { | |||
}); | |||
``` | |||
|
|||
### Granting an identity permission to assume a role | |||
|
|||
An identity can be granted permission to assume a role using `grantAssumeRole`. |
Likewise here, "a principal."
|
||
An identity can be granted permission to assume a role using `grantAssumeRole`. | ||
|
||
Note that this does not apply to service principals or account principals as they must be added to the role trust policy. |
Can you add via assumeRolePolicy.
Few more comments then we're good to go.
Incorporated feedback |
Looks good. Thanks!
Generally LGTM, just a question for clarification before approving.
packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.ts
@@ -369,6 +369,39 @@ new iam.Role(this, 'Role', { | |||
}); | |||
``` | |||
|
|||
### Granting a principal permission to assume a role |
Thanks for this clear documentation update.
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
AWS CodeBuild CI Report
Issue #24507
Reason for this change
grantAssumeRole silently fails if a Service Principal or Account Principal is used, which led me to a false assumption about the correctness of a role's permission scope.
Description of changes
This change will throw an error if a Service Principal is used. I was unable to find a way to accomplish the same behavior for Account Principals.
Documentation was updated to help guide a user to the appropriate function usage for Service and Account Principals.
Description of how you validated changes
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
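The failure mode described in this PR (a grant that returns without effect for service or account principals), as an added example that is not aws-cdk-lib's own code: a small TypeScript model of the two policies involved in assuming a role, where `legacyGrantAssumeRole`, `grantAssumeRole`, `addToTrustPolicy` and `canAssume` are assumed names and the evaluation is simplified (no explicit denies, conditions or session policies).

```typescript
// Added example: a minimal model of identity-based vs. trust (resource-based)
// policies for sts:AssumeRole. Not CDK code; every name here is an assumption.

type Statement = { action: 'sts:AssumeRole'; principal?: string; resource?: string };

// IAM users/roles own an identity-based policy the stack can write to;
// services and whole accounts do not, so identityPolicy is null for them.
interface Principal { kind: 'arn' | 'service' | 'account'; id: string; identityPolicy: Statement[] | null }
interface Role { arn: string; trustPolicy: Statement[] }

function arnPrincipal(arn: string): Principal { return { kind: 'arn', id: arn, identityPolicy: [] }; }
function servicePrincipal(service: string): Principal { return { kind: 'service', id: service, identityPolicy: null }; }
function accountPrincipal(accountId: string): Principal {
  return { kind: 'account', id: `arn:aws:iam::${accountId}:root`, identityPolicy: null };
}

// Models the pre-fix behaviour: adding to a principal policy that does not
// exist is a no-op, reported only by the boolean nobody checks.
function legacyGrantAssumeRole(role: Role, p: Principal): boolean {
  if (p.identityPolicy === null) return false;
  p.identityPolicy.push({ action: 'sts:AssumeRole', resource: role.arn });
  return true;
}

// Models the fixed behaviour: refuse loudly instead of silently doing nothing.
function grantAssumeRole(role: Role, p: Principal): void {
  if (p.kind === 'service' || p.kind === 'account') {
    throw new Error('Cannot use a service or account principal with grantAssumeRole, use assumeRolePolicy instead.');
  }
  p.identityPolicy!.push({ action: 'sts:AssumeRole', resource: role.arn });
}

// The correct path for services and accounts: a statement in the role's trust policy.
function addToTrustPolicy(role: Role, p: Principal): void {
  role.trustPolicy.push({ action: 'sts:AssumeRole', principal: p.id });
}

// Simplified evaluation: the trust policy must name the principal, and an IAM
// principal additionally needs sts:AssumeRole on the role in its own policy.
function canAssume(role: Role, p: Principal): boolean {
  const trusted = role.trustPolicy.some(s => s.principal === p.id);
  if (!trusted) return false;
  if (p.identityPolicy === null) return true;
  return p.identityPolicy.some(s => s.resource === role.arn);
}
```

Run against a constructed role, `legacyGrantAssumeRole` on a service principal returns false and `canAssume` stays false with no error raised, which is the silent failure the PR closes.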