Describe the bug
When using the AWS CDK with the "@aws-cdk/aws-iam:minimizePolicies": true setting, an error is encountered when creating a Role with a PrincipalWithConditions. The error suggests that the principals in a PolicyStatement must have the same conditions, even though they do have the same conditions.
Expected Behavior
The AWS CDK should successfully create a Role with a PrincipalWithConditions, even when the "@aws-cdk/aws-iam:minimizePolicies" setting is set to true. The conditions specified for the principals in the PolicyStatement should be correctly merged without causing an error.
Current Behavior
The following error is thrown:
```
Error: Resolution error: Resolution error: Resolution error: All principals in a PolicyStatement must have the same Conditions (got '{}' and '{"StringEquals":{"aws:SourceAccount":"${Token[AWS.AccountId.3]}"}}'). Use multiple statements instead..
Object creation stack:
at stack traces disabled..
at PolicyStatement.addPrincipalConditions (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-statement.js:2:7201)
at PolicyStatement.addPrincipals (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-statement.js:2:2407)
at new PolicyStatement (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-statement.js:2:663)
at PolicyStatement.copy (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-statement.js:2:6086)
at mergeIfCombinable (.../node_modules/aws-cdk-lib/aws-iam/lib/private/merge-statements.js:1:1847)
at onePass (.../node_modules/aws-cdk-lib/aws-iam/lib/private/merge-statements.js:1:1032)
at mergeStatements (.../node_modules/aws-cdk-lib/aws-iam/lib/private/merge-statements.js:1:660)
at PolicyDocument._maybeMergeStatements (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-document.js:1:3033)
at PolicyDocument.resolve (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-document.js:1:1755)
at RememberingTokenResolver.resolveToken (.../node_modules/aws-cdk-lib/core/lib/resolvable.js:1:1401)
```
Reproduction Steps
```ts
import { Stack } from "aws-cdk-lib";
import {
  Effect,
  PolicyStatement,
  PrincipalWithConditions,
  Role,
  ServicePrincipal,
} from "aws-cdk-lib/aws-iam";

// Runs inside a Stack (or any construct) with
// "@aws-cdk/aws-iam:minimizePolicies": true set in cdk.json.
const principal = new PrincipalWithConditions(
  new ServicePrincipal("scheduler.amazonaws.com"),
  {
    StringEquals: {
      "aws:SourceAccount": Stack.of(this).account,
    },
  }
);
// The Role's trust policy already contains a statement for this principal.
const role = new Role(this, "Role", {
  assumedBy: principal,
});
// A second statement with the same conditioned principal; the minimizer
// attempts to merge it with the first and throws the error above.
role.assumeRolePolicy?.addStatements(
  new PolicyStatement({
    effect: Effect.ALLOW,
    principals: [principal],
    actions: ["sts:AssumeRole"],
  })
);
```
Possible Solution
I think the issue might originate from here main/packages/aws-cdk-lib/aws-iam/lib/private/merge-statements.ts:54, but I can't pinpoint it exactly.
Additional Information/Context
It's worth noting that this issue has downstream effects, impacting the functionality of aws-scheduler-targets when using the same lambda with two schedulers.
```ts
import { Code, Function, Runtime } from "aws-cdk-lib/aws-lambda";
import { Schedule, ScheduleExpression } from "@aws-cdk/aws-scheduler-alpha";
import { LambdaInvoke } from "@aws-cdk/aws-scheduler-targets-alpha";

// Runs inside a Stack; each LambdaInvoke target creates a conditioned
// scheduler principal, so two schedules sharing one function hit the merge error.
const func = new Function(this, "Function", {
  code: Code.fromInline("exports.handler = () => {}"),
  handler: "index.handler",
  runtime: Runtime.NODEJS_18_X,
});
new Schedule(this, "Schedule1", {
  schedule: ScheduleExpression.cron({}),
  target: new LambdaInvoke(func, {}),
});
new Schedule(this, "Schedule2", {
  schedule: ScheduleExpression.cron({}),
  target: new LambdaInvoke(func, {}),
});
```
CDK CLI Version
2.121.1
Framework Version
No response
Node.js Version
18.19.0
OS
macOS 14.2.1
Language
TypeScript
Language Version
No response
Other information
No response
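The following is an added illustration, not code from aws-cdk-lib or from the reporter: a small, dependency-free TypeScript model of the rule named in the error message. Every principal in one statement must carry the same Conditions, statements are only merged when those conditions match structurally, and principals with differing conditions are split into separate statements, which is the "use multiple statements instead" advice. The `ModelPrincipal`/`ModelStatement` types, the function names and the account id `123456789012` are constructed for this example and are not CDK APIs; the `schedulerExample` function reproduces the report's situation of two statements naming the same conditioned scheduler principal, which a correct minimizer collapses into one.

```typescript
// Added illustration, not aws-cdk-lib code. Models the merge rule from the
// CDK error message; all names and sample values here are constructed.

type Conditions = Record<string, Record<string, string | string[]>>;

export interface ModelPrincipal {
  service: string;        // e.g. "scheduler.amazonaws.com"
  conditions: Conditions; // e.g. { StringEquals: { "aws:SourceAccount": "..." } }
}

export interface ModelStatement {
  effect: "Allow" | "Deny";
  actions: string[];
  principals: ModelPrincipal[];
}

// Canonical JSON with recursively sorted keys: equality is structural,
// so key order and object identity do not matter.
export function canonical(value: unknown): string {
  if (Array.isArray(value)) {
    return `[${value.map(canonical).join(",")}]`;
  }
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    const parts = Object.keys(obj)
      .sort()
      .map((k) => `${JSON.stringify(k)}:${canonical(obj[k])}`);
    return `{${parts.join(",")}}`;
  }
  return JSON.stringify(value);
}

export function sameConditions(a: Conditions, b: Conditions): boolean {
  return canonical(a) === canonical(b);
}

// The check behind the CDK error: all principals in one statement must share
// one set of conditions. Throws the same kind of message otherwise.
export function makeStatement(
  effect: "Allow" | "Deny",
  actions: string[],
  principals: ModelPrincipal[]
): ModelStatement {
  for (const p of principals.slice(1)) {
    if (!sameConditions(principals[0].conditions, p.conditions)) {
      throw new Error(
        `All principals in a PolicyStatement must have the same Conditions ` +
          `(got '${canonical(principals[0].conditions)}' and '${canonical(p.conditions)}'). ` +
          `Use multiple statements instead.`
      );
    }
  }
  return { effect, actions: [...actions], principals: [...principals] };
}

// "Use multiple statements instead": group principals by their conditions so
// each group becomes its own statement rather than raising the error.
export function statementsFor(
  effect: "Allow" | "Deny",
  actions: string[],
  principals: ModelPrincipal[]
): ModelStatement[] {
  const groups = new Map<string, ModelPrincipal[]>();
  for (const p of principals) {
    const key = canonical(p.conditions);
    groups.set(key, [...(groups.get(key) ?? []), p]);
  }
  return Array.from(groups.values()).map((ps) => makeStatement(effect, actions, ps));
}

function conditionsOf(s: ModelStatement): Conditions {
  return s.principals.length > 0 ? s.principals[0].conditions : {};
}

// One minimizing pass: merge statements with equal effect, actions and principal
// conditions, dropping duplicate principals. Statements whose conditions differ
// are left apart instead of being forced together.
export function mergeStatements(stmts: ModelStatement[]): ModelStatement[] {
  const out: ModelStatement[] = [];
  for (const s of stmts) {
    const target = out.find(
      (t) =>
        t.effect === s.effect &&
        canonical([...t.actions].sort()) === canonical([...s.actions].sort()) &&
        sameConditions(conditionsOf(t), conditionsOf(s))
    );
    if (!target) {
      out.push({ ...s, actions: [...s.actions], principals: [...s.principals] });
      continue;
    }
    for (const p of s.principals) {
      if (!target.principals.some((q) => canonical(q) === canonical(p))) {
        target.principals.push(p);
      }
    }
  }
  return out;
}

// Constructed sample mirroring the report: the Role's own trust statement plus
// an explicitly added one, both naming the scheduler principal with the same
// aws:SourceAccount condition. Expected result: one statement, one principal.
export function schedulerExample(): ModelStatement[] {
  const scheduler: ModelPrincipal = {
    service: "scheduler.amazonaws.com",
    conditions: { StringEquals: { "aws:SourceAccount": "123456789012" } },
  };
  const fromRole = makeStatement("Allow", ["sts:AssumeRole"], [scheduler]);
  const added = makeStatement("Allow", ["sts:AssumeRole"], [{ ...scheduler }]);
  return mergeStatements([fromRole, added]);
}
```

The comparison is deliberately structural (canonical JSON with sorted keys) rather than by object reference: the two `PrincipalWithConditions` statements in the report carry equal conditions but are distinct objects once the minimizer copies statements, so a reference-based or order-sensitive check is exactly the kind that reports "different" conditions for identical inputs.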