Describe the bug
The EventBus only accepts a single IAM statement in the policy. If I want to grant multiple principals different access to a bus, it should be possible with addToResourcePolicy, but that method explicitly denies additional statements. Defining an EventBusPolicy does not alleviate the issue, because EventBusPolicy also only accepts a single iam.PolicyStatement.
Expected Behavior
The documentation for EventBusPolicy and EventBus indicates that additional permissions should be added through the addToResourcePolicy method.
https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.EventBus.html#applywbrremovalwbrpolicypolicy
https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.EventBusPolicy.html
> Policies define the operations that are allowed on this resource.
> You almost never need to define this construct directly.
> All AWS resources that support resource policies have a method called addToResourcePolicy(), which will automatically create a new resource policy if one doesn't exist yet, otherwise it will add to the existing policy.
> Prefer to use addToResourcePolicy() instead.
Expected behavior would be that addToResourcePolicy creates or updates the existing resource policy with additional statements.
Current Behavior
New statements are silently ignored, and the construct does not support adding additional permissions.
It looks like the behavior to only accept a single statement is codified in the addToResourcePolicy implementation. Shouldn't the policy contain a policy document rather than a single statement?
https://github.com/aws/aws-cdk/blob/main/packages/@aws-cdk/aws-events/lib/event-bus.ts#L341
It seems odd that not having a SID would cause an error to be thrown, while not adding new permissions would allow execution to continue and potentially deploy a change that doesn't have the correct policy.
Reproduction Steps
Create a bus, add multiple resource policies

```typescript
import * as events from 'aws-cdk-lib/aws-events';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';

export class BusStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const bus = new events.EventBus(this, 'my-bus', {
      eventBusName: 'my-bus',
    });

    // First external account: may publish events whose source is 'foo'
    const externalPrincipal1 = new iam.AccountPrincipal('someaccountid');
    const addPublishForFooSource = new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      principals: [externalPrincipal1],
      sid: 'uniquesid1',
      resources: [bus.eventBusArn],
      actions: ['events:PutEvents'],
    });
    addPublishForFooSource.addCondition('StringEquals', { 'events:source': ['foo'] });
    // succeeds
    bus.addToResourcePolicy(addPublishForFooSource);

    // Second external account: may publish events whose source is 'bar'
    const externalPrincipal2 = new iam.AccountPrincipal('someotheraccountid');
    const addPublishForBarSource = new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      principals: [externalPrincipal2],
      sid: 'uniquesid2',
      resources: [bus.eventBusArn],
      actions: ['events:PutEvents'],
    });
    // The condition belongs on the second statement (the original snippet
    // attached it to addPublishForFooSource by mistake).
    addPublishForBarSource.addCondition('StringEquals', { 'events:source': ['bar'] });
    // no error thrown, but no policy update
    bus.addToResourcePolicy(addPublishForBarSource);
  }
}
```
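Because the second call above fails without any error, the missing grant only shows up in the synthesized template (or, worse, after deployment). The following is an added example, not code from the issue or from aws-cdk, that scans a synthesized CloudFormation template for the statement IDs a stack was expected to put on its event bus policy, so a silently dropped statement fails a unit test before `cdk deploy`. It assumes the template shape of the real `AWS::Events::EventBusPolicy` resource (a `StatementId` property and an optional `Statement` object); the sample template embedded below is constructed to mirror the reproduction, with only `uniquesid1` present.

```typescript
// Added example (not part of the issue or of aws-cdk): detect event bus
// policy statements that never made it into the synthesized template.

type CfnResource = { Type: string; Properties?: Record<string, any> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

// Collect every Sid granted by AWS::Events::EventBusPolicy resources.
// The Sid appears as the top-level StatementId property and, when an
// explicit Statement object is used, as Statement.Sid as well.
function eventBusPolicySids(template: CfnTemplate): string[] {
  const sids: string[] = [];
  for (const res of Object.values(template.Resources)) {
    if (res.Type !== 'AWS::Events::EventBusPolicy') continue;
    const props = res.Properties ?? {};
    if (typeof props.StatementId === 'string') sids.push(props.StatementId);
    const stmt = props.Statement;
    if (stmt && typeof stmt.Sid === 'string' && stmt.Sid !== props.StatementId) {
      sids.push(stmt.Sid);
    }
  }
  return sids;
}

// Return the expected Sids that are absent from the template. An empty
// result means every intended grant is present.
function missingSids(template: CfnTemplate, expected: string[]): string[] {
  const present = new Set(eventBusPolicySids(template));
  return expected.filter((sid) => !present.has(sid));
}

// Constructed sample: roughly what `cdk synth` emits for the reproduction
// above when only the first addToResourcePolicy call takes effect.
// Logical IDs are placeholders, not real CDK-generated names.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    mybusPLACEHOLDER: {
      Type: 'AWS::Events::EventBus',
      Properties: { Name: 'my-bus' },
    },
    mybusPolicyPLACEHOLDER: {
      Type: 'AWS::Events::EventBusPolicy',
      Properties: {
        StatementId: 'uniquesid1',
        EventBusName: { Ref: 'mybusPLACEHOLDER' },
        Statement: {
          Sid: 'uniquesid1',
          Effect: 'Allow',
          Principal: { AWS: 'arn:aws:iam::someaccountid:root' },
          Action: 'events:PutEvents',
          Resource: { 'Fn::GetAtt': ['mybusPLACEHOLDER', 'Arn'] },
          Condition: { StringEquals: { 'events:source': ['foo'] } },
        },
      },
    },
  },
};

// The Sids the stack was meant to grant (from the reproduction above).
const EXPECTED_SIDS = ['uniquesid1', 'uniquesid2'];

// Usage: run this against the template from `cdk synth` in a test and fail
// the build when anything is missing.
const missing = missingSids(SAMPLE_TEMPLATE, EXPECTED_SIDS);
if (missing.length > 0) {
  console.error(`event bus policy is missing statements: ${missing.join(', ')}`);
} else {
  console.log('all expected event bus policy statements are present');
}
```

In a real test, load the template with `Template.fromStack(stack).toJSON()` from `aws-cdk-lib/assertions` (or read the synthesized JSON from `cdk.out`) and assert that `missingSids` returns an empty array; the constructed sample above returns `['uniquesid2']`, which is exactly the dropped grant from the reproduction.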
Possible Solution
Modify the EventBusPolicy to accept a PolicyDocument rather than a PolicyStatement, and update the addToResourcePolicy to append new statements to the existing policy.
Additional Information/Context
No response
CDK CLI Version
2.69
Framework Version
No response
Node.js Version
v16.17.1
OS
OSX
Language
Typescript
Language Version
No response
Other information
No response