Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(iam): can't use OrganizationPrincipal for assuming Role #5746

Merged
merged 3 commits into from
Jan 13, 2020
Merged

fix(iam): can't use OrganizationPrincipal for assuming Role #5746

merged 3 commits into from
Jan 13, 2020

Conversation

rix0rrr
Copy link
Contributor

@rix0rrr rix0rrr commented Jan 10, 2020
edited
Loading

Principal: "*" supposedly works to allow any Principal to assume
a Role (restricted by Conditions, of course), but doesn't work in
practice. The IAM API rejects it as a MalformedPolicyDocument.

In order to not generate a large diff on existing policies, disable
simplification of Principal: { AWS: * } to Principal: * only
for AssumeRole policy documents.

Fixes #5732.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

Commit Message

fix(iam): can't use OrganizationPrincipal for assuming Role

Principal: "*" supposedly works to allow any Principal to assume
a Role (restricted by Conditions, of course), but doesn't work in
practice. The IAM API rejects it as a MalformedPolicyDocument.

In order to not generate a large diff on existing policies, disable
simplification of Principal: { AWS: * } to Principal: * only
for AssumeRole policy documents.

Fixes #5732.

@rix0rrr
fix(iam): can't use OrganizationPrincipal for assuming Role
06b4b1e 
`Principal: "*"` supposedly works to allow any Principal to assume
a Role (restricted by `Conditions`, of course), but doesn't work in
practice. The IAM API rejects it as a MalformedPolicyDocument.

In order to not generate a large diff on existing policies, disable
simplification of `Principal: { AWS: * }` to `Principal: *` only
for AssumeRole policy documents.

Fixes #5732.
@rix0rrr rix0rrr self-assigned this Jan 10, 2020
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Jan 10, 2020
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

skinny85
skinny85 reviewed Jan 10, 2020
View reviewed changes
packages/@aws-cdk/aws-iam/lib/role.ts Outdated
public toStatementJson(): any {
const stat = super.toStatementJson();

if (stat.Principal && stat.Principal === '*') {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can this be simplified to just stat.Principal === '*'? If stat.Principal is undefined, that will return false, like it does now.

@imincik
Copy link

imincik commented Jan 11, 2020

Thank you very much for your work guys.

eladb
eladb reviewed Jan 12, 2020
View reviewed changes
packages/@aws-cdk/aws-iam/lib/role.ts Outdated
@@ -439,3 +439,18 @@ function validateMaxSessionDuration(duration?: number) {
throw new Error(`maxSessionDuration is set to ${duration}, but must be >= 3600sec (1hr) and <= 43200sec (12hrs)`);
}
}

/**
* A PolicyStatement that doesn't normalize its Principal field.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds to me like it DOES normalize the principal field (it normalizes "*" to {AWS:"*"}, no?).

@rix0rrr rix0rrr requested review from skinny85 and eladb January 13, 2020 10:54
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Contributor

mergify bot commented Jan 13, 2020

Thank you for contributing! Your pull request is now being automatically merged.

@mergify
Copy link
Contributor

mergify bot commented Jan 13, 2020

Thank you for contributing! Your pull request is now being automatically merged.

@mergify mergify bot merged commit 6c3d4c4 into master Jan 13, 2020
@mergify mergify bot deleted the huijbers/assumerole-star branch January 13, 2020 13:32
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eladb eladb eladb approved these changes

@RomainMuller RomainMuller Awaiting requested review from RomainMuller

@iliapolo iliapolo Awaiting requested review from iliapolo

@nija-at nija-at Awaiting requested review from nija-at

@skinny85 skinny85 Awaiting requested review from skinny85

Assignees

@rix0rrr rix0rrr

Labels
contribution/core This is a PR that came from AWS.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Usage of OrganizationPrincipal in IAM Role creation is causing MalformedPolicyDocument
5 participants
@rix0rrr @aws-cdk-automation @imincik @skinny85 @eladb