(iam): composite principal not synthesizing correctly

[juweeks]

What is the problem?

behavior as of v2.4 (or maybe v2.5)- instead of composite principals synthesizing to a list, a separate statement is made for each. this can result in overflow of quota for the max number of trust principals policy length with enough principals.

Reproduction Steps

iam.Role(
      self,
      id="role_id",
      assumed_by=iam.CompositePrincipal(
          iam.ArnPrincipal #1,
          iam.ArnPrincipal #2,
          iam.ArnPrincipal #3,
      ),
      max_session_duration=1,
      role_name="MyCompositeTrust"
)

What did you expect to happen?

trust policy look like this:

{
    "Action": "sts:AssumeRole",
    "Effect": "Allow",
    "Principal": {"AWS": [iam.ArnPrincipal #1, iam.ArnPrincipal #2, iam.ArnPrincipal #3]}
}

What actually happened?

trust policy looks like this:

{
    "Action": "sts:AssumeRole",
    "Effect": "Allow",
    "Principal": {"AWS": iam.ArnPrincipal #1}
},
{
    "Action": "sts:AssumeRole",
    "Effect": "Allow",
    "Principal": {"AWS": iam.ArnPrincipal #2}
},
{
    "Action": "sts:AssumeRole",
    "Effect": "Allow",
    "Principal": {"AWS": iam.ArnPrincipal #3}
}

CDK CLI Version

2.10.0 (build e5b301f)

Framework Version

No response

Node.js Version

v14.17.1

OS

Mac 12.0.1

Language

Python

Language Version

Python 3.9.9

Other information

since there is a fairly low quota on the max statements in a trust policy, this breaks very easily with a decent amount of trust principals.

[ryparker]

Hey @juweeks 👋🏻 Thanks for reporting this.

We're aware of the shortcomings in policy generation and are working hard to resolve this.

Related:
#18167
#18293
#16350
#18457

[rix0rrr]

Can you please clarify: are you running into a maximum NUMBER of trust principals, or are you running into a POLICY LENGTH limit?

[juweeks]

Well, I THOUGHT/SWORE it was max number of trust principals. But when I replicate the error, it shows a policy length limit issue.

Cannot exceed quota for ACLSizePerRole: 2048 (Service: AmazonIdentityManagement; Status Code: 409; Error Code: LimitExceeded; Request ID: xxxx; Proxy: null)

And since I can't find any limits anywhere regarding number of trust principals, let's go with POLICY LENGTH limit...

Also just noticed that there is an adjustable service quota for role trust policy length. Still no substitute for properly synthesizing an array of principals, but a temp fix nonetheless.