aws-iam: Allow `string | string[]` in FederatedPrincipal assumeRoleAction

[simonireilly]

Allow string | string[] in FederatedPrincipal.

This is required when using cognito with principal tag mapping.

Use Case

AWS has a brief video explaining the use case here: https://www.youtube.com/watch?v=tAUmz94O2Qo

The use case is that, if a cognito user from a user pool is authenticated, then their claims can be forwarded to the policy document to allow for fine-grained access control e.g.

    /**
     * Policy that enables a tenant to access their entire org's data
     */
    const tenantPolicy = new PolicyStatement({
      sid: "AllowPrecedingKeysToDynamoDBOrganisation",
      effect: Effect.ALLOW,
      actions: [
        "dynamodb:GetItem",
        "dynamodb:Query"
      ],
      resources: [
        table.tableArn
      ],
      conditions: {
        "ForAllValues:StringLike": {
          "dynamodb:LeadingKeys": [
            "${aws:PrincipalTag/org}#*"
          ]
        }
      },
    })

In order to support deploying FederatedPrincipal policies via @aws-cdk/aws-iam which use sts:TagSession and sts:AssumeRoleWithWebIdentity currently this work around is required:

    const role = new iam.Role(this, "IdentityPoolAuthRole", {
      assumedBy: new iam.FederatedPrincipal(
        "cognito-identity.amazonaws.com",
        {
          StringEquals: {
            "cognito-identity.amazonaws.com:aud": identityPool.ref,
          },
          "ForAnyValue:StringLike": {
            "cognito-identity.amazonaws.com:amr": "authenticated",
          },
        },
        // @ts-ignore
        [
          "sts:AssumeRoleWithWebIdentity",
          "sts:TagSession"
        ] as string
      ),
    });

The underlying base principal supports having the this.assumeRoleAction set as a string array, but the allowed types have been restricted on the child class

aws-cdk/packages/@aws-cdk/aws-iam/lib/principals.ts

Lines 426 to 442 in fdce08c

	export class FederatedPrincipal extends PrincipalBase {
	public readonly assumeRoleAction: string;
	/**
	*
	* @param federated federated identity provider (i.e. 'cognito-identity.amazonaws.com' for users authenticated through Cognito)
	* @param conditions The conditions under which the policy is in effect.
	* See [the IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
	*/
	constructor(
	public readonly federated: string,
	public readonly conditions: Conditions,
	assumeRoleAction: string = 'sts:AssumeRole') {
	super();
	this.assumeRoleAction = assumeRoleAction;
	}

Proposed Solution

aws-cdk/packages/@aws-cdk/aws-iam/lib/principals.ts

Line 427 in fdce08c

public readonly assumeRoleAction: string;

Is update to

public readonly assumeRoleAction: string | string[];

Other

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

---

This is a 🚀 Feature Request

[rix0rrr]

Your proposed solution will not work, as string | string[] is not allowable by jsii.

But I agree this should be fixed, probably by adding a new field assumeRoleActions?: string[] and requiring that users supply either one or the other.

[simonireilly]

Thanks @rix0rrr , I am not familiar with jsii internals, so that helps 👍

[Dachmian]

@simonireilly Any ETA on the PR and release that fixes this issue? We currently need this functionality in our project and are using the workaround proposed here

[simonireilly]

@simonireilly Any ETA on the PR and release that fixes this issue? We currently need this functionality in our project and are using the workaround proposed here

PR is open, awaiting comments: #16725

It's a fix, but not ideal. I think the other option is to rewrite entire IPrincipal to take a string[] instead of string in assume role action and publish under a feature flag.

Awaiting comments for @rix0rrr