aws-cdk: bootstrapping fails due to permissions boundary name not matching the IAM conventions

[przemolb]

Describe the bug

cdk bootstrap command doesn't accept IAM policy names with forward slash (/) in it.

Expected Behavior

cdk should accept IAM name with forward slashes in its name

Current Behavior

When I try to run cdk bootstrap command with permissions boundry with forward slash in its name, cdk fails:

cdk bootstrap --custom-permissions-boundary aaa/bbb
Boostrapping environment ...
Trusted accounts deployment ...
Trusted accounts for lookup ...
Using default execution policy of ...

Environment .... failed bootstrapping: Error: The permissions boundary name aaa/bbb does not match the IAM conventions.
   ...
   ...
   at sync exec4 (...node_modules/aws-cdk/lib/index.js:490:52657)

Reproduction Steps

The error and code I refer to runs on companys laptop and I cannot copy/paste full message here.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.87.0

Framework Version

No response

Node.js Version

v18.12.1

OS

MacOS

Language

Go

Language Version

1.20.1

Other information

No response

[peterwoodworth]

How do you have an IAM policy name with a slash in it?

The regex we use is the same as described in the linked documentation

aws-cdk/packages/aws-cdk/lib/api/bootstrap/bootstrap-environment.ts

Lines 280 to 287 in 66c0aa1

	private validatePolicyName(permissionsBoundary: string) {
	// https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html
	const regexp: RegExp = /[\w+=,.@-]+/;
	const matches = regexp.exec(permissionsBoundary);
	if (!(matches && matches.length === 1 && matches[0] === permissionsBoundary)) {
	throw new Error(`The permissions boundary name ${permissionsBoundary} does not match the IAM conventions.`);
	}
	}

[peterwoodworth]

If you have slashes, that's probably part of the optional path. You want to supply the friendly name, which is what would appear after the path.

[peterwoodworth]

Hmm the place this value ends up is here

aws-cdk/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml

Line 556 in 66c0aa1

- Fn::Sub: 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${InputPermissionsBoundary}'

If a policy has a path, is that path required when specifying the arn? The documentation is unclear to me, though specifying the path obviously doesn't hurt.

Fixing this to accept paths should probably only consist of updating the regex linked above, and adding/updating tests - feel free to check out our contributing guide if you'd like to help out 🙂

[przemolb]

feel free to check out our [contributing guide](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)
if you'd like to help out slightly_smiling_face

I'd love to but unfortunately my contract doesn't allow me to contribute. 😞
Sad but true.

[przemolb]

In this particular code:

  - Fn::Sub: 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${InputPermissionsBoundary}'

what we need to put into ${InputPermissionsBoundary} is, i.e.,

sth/sthelse/anotherthing/anotherthing2/blahblah

(of course, the number of forward slashes can vary)