Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

roleFromArn with "mutable: false" adds role policies #5943

Closed
claabs opened this issue Jan 23, 2020 · 0 comments · Fixed by #6090
Closed

roleFromArn with "mutable: false" adds role policies #5943

claabs opened this issue Jan 23, 2020 · 0 comments · Fixed by #6090
Assignees
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. p0

Comments

@claabs
Copy link

claabs commented Jan 23, 2020

iam.Role.fromRoleArn() with { mutable: false } creates role policies in 1.21.1. This did not occur in <=1.20.0

Reproduction Steps

  1. Clone my reproduction repo: https://github.com/charlocharlie/mutable-role-repro
  2. npm i
  3. cdk synth
  4. Observe template
  5. Downgrade to 1.20.0
  6. npm i
  7. cdk synth
  8. Observe template without any role policies

Or just view the synth-1.20.0.json and synth-1.21.1.json in the repro.

Error Log

Causes many issues when deploying to a role-strict environment.

Environment

  • CLI Version : 1.21.1
  • Framework Version: 1.21.1
  • OS : macOS
  • Language : Typescript

This is 🐛 Bug Report

@claabs claabs added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 23, 2020
@SomayaB SomayaB added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Jan 27, 2020
@rix0rrr rix0rrr added p1 p0 and removed p1 labels Feb 3, 2020
rix0rrr added a commit that referenced this issue Feb 4, 2020
In the refactoring done in #5569, we introduced a bug. The
`ImmutableRole` class correctly ignored policies directly added to it,
but did not ignore policies added via `Grant.addToPrincipal()`.

That's because its `IGrantable#grantPrincipal` field was being used
as the principal to grant to, which was pointing to the wrapped
role instead of the `ImmutableRole` itself.

Fix this oversight and add a test to cement it in.

Fixes #5943.
@mergify mergify bot closed this as completed in #6090 Feb 5, 2020
mergify bot added a commit that referenced this issue Feb 5, 2020
In the refactoring done in #5569, we introduced a bug. The
`ImmutableRole` class correctly ignored policies directly added to it,
but did not ignore policies added via `Grant.addToPrincipal()`.

That's because its `IGrantable#grantPrincipal` field was being used
as the principal to grant to, which was pointing to the wrapped
role instead of the `ImmutableRole` itself.

Fix this oversight and add a test to cement it in.

Fixes #5943.

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. p0
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants