Unable to build multi-principal Policy with Role

[ijcd]

I am trying to create a role with the following policy document:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "${aws_iam_role.eks_nodes.arn}",
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

The problem, however, is that the Role construct only takes a single entity for assumedBy.

const defaultPodRole = new iam.Role(this, "default-pod-role", {
        roleName: "default",
        path: "/pods/",
        assumedBy: new iam.ServicePrincipal("ec2.amazonaws.com"),
      })

I tried pulling out the assumeRolePolicy but its statements member is private, and that would involve digging around in the statements array anyway.

export declare class PolicyDocument extends Token {
    private readonly baseDocument?;
    private statements;

This workaround produces a role/policy/trust setup that collapses to the same interpretation, but the resulting document is not the same.

    const role = new iam.Role(this, 'Role', {
      assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'),
    });
    if ( role.assumeRolePolicy ) {
      role.assumeRolePolicy.addStatement(new iam.PolicyStatement().
        addAccountRootPrincipal().
        addAction('sts:AssumeRole'));
    }

The resulting document is this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456123456:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

[eladb]

This is indeed a limitation. Technically we can provide an implementation of PolicyPrincipal that will allow combining multiple principals.

@ijcd can you share a bit more details about your use case? Why do you need this?

[eamonnfaherty]

@eladb https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-permissions.html#lambda-edge-permissions-function-execution recommends using two principals

[eladb]

Thanks @eamonnfaherty, exactly what I was after.

[deen13]

Is there any progress in this issue? I do also need this feature to connect my API Gateway directly to an DynmoDB Table. 😥

[eladb]

@deen13 PR pending

[eamonnfaherty]

To be honest for the example I specified I would like to see that working via a construct.

Generally, allowing a role to be assumed by two services is a sign that the author is breaking least privileged principle.

[eladb]

@deen13 can you provide some reference to your use case please?

[eladb]

https://github.com/eamonnfaherty Nevertheless, we rather not be opinionated in the low level IAM library. Higher level AWS constructs synthesize policies based on least privilege but if users want to define less restrictive policies for some reason they should be able to do that with the CDK.

[eamonnfaherty]

Fair enough.