Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws_iam: Cannot use a service or account principal with grantAssumeRole, use assumeRolePolicy instead. #29782

Closed
vmx-kbabenko opened this issue Apr 10, 2024 · 4 comments
Closed

aws_iam: Cannot use a service or account principal with grantAssumeRole, use assumeRolePolicy instead. #29782

vmx-kbabenko opened this issue Apr 10, 2024 · 4 comments
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@vmx-kbabenko
Copy link

Describe the bug

Since version 2.136 trying to grant assume role to a principal results in an error.

Code example:

        role.grant_assume_role(
            aws_iam.ServicePrincipal('batchoperations.s3.amazonaws.com')
        )

Error:
@jsii/kernel.RuntimeError: Error: Cannot use a service or account principal with grantAssumeRole, use assumeRolePolicy instead.

Expected Behavior

No error expected

Current Behavior

@jsii/kernel.RuntimeError is observed

Reproduction Steps

Grant assume role to an AWS principal.

Possible Solution

Breaking change happened in 2.136 release:

iam: grantAssumeRole silently fails with service and account principals (#29452) (36fd79d), closes #24507

Additional Information/Context

No response

CDK CLI Version

2.136.1

Framework Version

No response

Node.js Version

18

OS

AL2

Language

Python

Language Version

3.9

Other information

No response
@vmx-kbabenko vmx-kbabenko added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 10, 2024
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Apr 10, 2024
@msambol
Copy link
Contributor

msambol commented Apr 10, 2024

Related: #29452. Can you try the following:

role.assumeRolePolicy?.addStatements(new iam.PolicyStatement({
  actions: ['sts:AssumeRole'],
  principals: [
    new iam.ServicePrincipal('batchoperations.s3.amazonaws.com'),
    ],
}));

@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Apr 10, 2024
@github-actions GitHub Actions
Copy link

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Apr 12, 2024
This was referenced Apr 15, 2024
Closed
Closed
@github-actions github-actions bot added closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Apr 17, 2024
@badfun
Copy link
Contributor

badfun commented Apr 24, 2024

I had the identical error. The solution provided by @msambol works. Now to go and refactor all the code.
Funny how the "solution" in #29452 is a documentation change. Helps for the future I suppose. Not sure why my stuff has been working all along until this update.

@github-actions github-actions bot mentioned this issue May 1, 2024
Closed
@aws-cdk-automation
Copy link
Collaborator

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@badfun @msambol @vmx-kbabenko @aws-cdk-automation @khushail