feat(iam): implement IGrantable to Policy and ManagedPolicy

[Tietew]

Fixes #10308

---

All Submissions:

• Have you followed the guidelines in our Contributing guide?

Adding new Unconventional Dependencies:

• This PR adds new unconventional dependencies following the process described here

New Features

• Have you added the new feature to an integration test?
  • Did you use yarn integ to deploy the infrastructure and generate the snapshot (i.e. yarn integ without --dry-run)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[gitpod-io]

Pull request has been modified.

[Tietew]

I've marked as draft due to incomplete; i.e. s3.Bucket.grantReadWrite calls addToPrincipalOrResource.
Working.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[dan-lind]

@Tietew Is this still a draft? Was wondering just I just ran into the issue of ManagedPolicy not implementing IGrantable

[Tietew]

I researched usage of grant* methods.

IAM group and IPrincipal

Group implements IPrincipal but an IAM group itself is not an actual principal.
See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#Principal_specifying
When trying to pass Group as a principal of a resource-based policy, PolicyStatement.validatePolicyPrincipal() throws an error.
(checked by instanceof Group )

Policy and ManagedPolicy is also not a principal.

const stack1234 = new Stack(app, 'stack1234', { env: { account: '1234' } });
const group = new iam.Group(stack1234, 'group', { ... });
const mp = new iam.ManagedPolicy(stack1234, 'policy', { ... });

const stack5678 = new Stack(app, 'stack5678', { env: { account: '5678' } });
const s3 = new s3.Bucket(stack5678, 'bucket', { ... });
s3.grantRead(group); // fails: Cannot use an IAM Group as the 'Principal' or 'NotPrincipal' in an IAM Policy
s3.grantRead(mp); // should fail too!

IPrincipal.policyFragment property will be referred when the grantee to a resource policy.
I think that it's the simple way to throw an error in the getter of the property to cause above failure.

list of grant* methods usage

simple

Only Grant.addToPrincipalPolicy() is called. (ignores policyFragment)

• aws-apigateway
• aws-apigatewayv2
• aws-appmesh
• aws-appsync
• aws-backup
• aws-cloudwatch
• aws-codedeploy
• aws-codeguruprofiler
• aws-codepipeline-actions
• aws-cognito
• aws-efs
• aws-elasticsearch
• aws-events
• aws-gamelift
• aws-iotevents
• aws-kinesisfirehose
• aws-location
• aws-neptune
• aws-opensearchservice
• aws-sagemaker
• aws-stepfunctions

calls addToPrincipalOrResource

Following methods call addToPrincipalOrResource(). grantee will be added to resource policy when cross-account.

• aws-ecr: IRepository.grant*
• aws-lambda: IFunction.grantInvoke IFunction.grantInvokeUrl IFunctionUrl.grantInvokeUrl
• aws-logs: ILogGroup.grant*
• aws-s3: IBucket.grant*
• aws-secretsmanager: ISecret.grant*
• aws-sns: ITopic.grantPublish
• aws-sqs: IQueue.grant*

calls addToPrincipalAndResource

Only KMS calls addToPrincipalAndResource().
When the key has a default policy (trustAccountIdentities is true) and is not cross-region nor cross-account, addToPrincipalOrResource() is called. Otherwise addToPrincipalAndResource() is called.

• aws-kms: IKey.grant*

delegate to S3 / Secrets Manager

Same restrictions as addToPrincipalOrResource()

• aws-codebuild: IReportGroup.grantWrite
• aws-glue: ITable.grantRead ITable.grantWrite ITable.grantReadWrite
• aws-rds: IServerlessCluster.grantDataApiAccess

delegate to KMS

Same restrictions as KMS if encryption is enabled.

• aws-ec2: IVolume.grantAttachVolume IVolume.grantAttachVolumeByResourceTag
• aws-kinesis: IStream.grantRead IStream.grantWrite IStream.grantReadWrite
• aws-secretsmanager: ISecret.grant*
• aws-sqs: IQueue.grantConsumeMessages IQueue.grantSendMessage
• aws-ssm: IParameter.grant*

special case

• aws-iam: IRole.grant* (requires IPrincipal, but calls addToPrincipalPolicy() only)
• aws-redshift: ITable.grant (requires redshift IUser)

[Tietew]

@dan-lind Thank you for catching! It's ready now.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[toxygene]

Is there anything else that needs to be done here? I'm eagerly awaiting this functionality and I'd hate to see the PR languish.

[toxygene]

Is there anything the community can do to get this PR approved? I'm very excited to see the functionality added to CDK and I'm afraid that progress on it has stalled.

[comcalvi]

This looks really good, and hopefully we can merge it soon! I have a conceptual and cosmetic comments

[comcalvi]

Suggested change

	throw new Error(`Cannot use a ManagedPolicy ${this._managedPolicy.node.path} as the 'Principal' or 'NotPrincipal' in an IAM Policy`);
	throw new Error(`Cannot use a ManagedPolicy '${this._managedPolicy.node.path}' as the 'Principal' or 'NotPrincipal' in an IAM Policy`);

Can you add a comment above this error explaining why we need to throw it? It's not immediately clear

[Tietew]

I believe policyFragment is currently the best location to raise an error when we try to add Policy/ManagedPolicy to a resource-based policy. Suggestions are welcome.

[samson-keung]

@Tietew I know this is an old thread but I have a question wanting to understanding better.

You mentioned that PolicyStatement.validatePolicyPrincipal() throws error for Group. So why not update PolicyStatement.validatePolicyPrincipal() to throw for Policy or Managed Policy as well?

Pull request has been modified.

[Tietew]

@comcalvi Thank you for your review. updated.

[comcalvi]

Nice work!

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 8647801
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[Tietew]

#7448