fix(iam): grantAssumeRole silently fails with service and account principals#29452
mergify[bot] merged 12 commits into aws:main from
Conversation
aws-cdk-automation
left a comment
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
| ### Granting assume role permission from a role | ||
| Principals can be granted permission to assume a role using `grantAssumeRole`. Note that this does not apply to Service Principals or Account Principals as they must be added to the role Trust Policy. |
Nit: lowercase service principals [1]
Nit: lowercase account principals [2]
Also move the note to a newline.
[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-accounts
| }); | ||
| ``` | ||
| ### Granting assume role permission from a role |
"From a role" is confusing here. Can you change this to "Granting principals permission to assume a role"
| role.grantAssumeRole(user); | ||
| ``` | ||
| ### Giving Service Principals and Account Principals assume role permission from a role |
"Granting service and account principals permission to assume a role"
| ### Giving Service Principals and Account Principals assume role permission from a role | ||
| Service Principals and Account Principals can be granted permission to assume a role using `assumeRolePolicy` which modifies the role Trust Policy. |
Trust Policy should be lowercase too.
| // Service Principals must use assumeRolePolicy | ||
| if (identity.policyFragment.principalJson.Service) { | ||
| throw new Error('Cannot use a Service Principal with grantAssumeRole, use assumeRolePolicy instead.'); | ||
| } |
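Review bot: the condition in this hunk, `identity.policyFragment.principalJson.Service`, fires only for service principals, so an account principal (named in the PR title) still passes through `grantAssumeRole` silently. Consider checking the principal type instead, e.g. `identity instanceof ServicePrincipal || identity instanceof AccountPrincipal`, and widening the comment and the error message to name both cases.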
I think this would work?
```ts
if (identity instanceof ServicePrincipal || identity instanceof AccountPrincipal) {
  throw new Error('Cannot use a service or account principal with grantAssumeRole, use assumeRolePolicy instead.');
}
```
Good call, this appears to have worked. Added another test for account principal.
Can you change the title? It should reflect the bug. Maybe:
msambol
left a comment
See inline. Great start!
…el/eks-ipv6 into iam_grantassumerole_filter
Incorporated all feedback and updated title
| }); | ||
| ``` | ||
| ### Granting an identity permission to assume a role |
Can you change this to "Granting a principal...". That's the more common verbiage.
Ah, I forgot I'd modified this. I changed this to identity based on this section of the readme but I think I'm just misreading it. Will change
| ### Granting an identity permission to assume a role | ||
| An identity can be granted permission to assume a role using `grantAssumeRole`. |
Likewise here, "a principal."
| An identity can be granted permission to assume a role using `grantAssumeRole`. | ||
| Note that this does not apply to service principals or account principals as they must be added to the role trust policy. |
Can you add via assumeRolePolicy.
msambol
left a comment
Few more comments then we're good to go.
Incorporated feedback
GavinZZ
left a comment
Generally LGTM, just a question for clarification before approving.
packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.ts
| }); | ||
| ``` | ||
| ### Granting a principal permission to assume a role |
Thanks for this clear documentation update.
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
AWS CodeBuild CI Report
Issue #24507
Reason for this change
grantAssumeRole silently fails if a Service Principal or Account Principal is used, which led me to a false assumption about the correctness of a role's permission scope.
Description of changes
This change will throw an error if a Service Principal is used. I was unable to find a way to accomplish the same behavior for Account Principals.
Documentation was updated to help guide a user to the appropriate function usage for Service and Account Principals.
Description of how you validated changes
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
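As an added example that is not aws-cdk-lib code, the stand-in classes below mimic only the `policyFragment.principalJson` shape of CDK's `ServicePrincipal`, `AccountPrincipal` and an IAM user principal (those shapes are assumptions taken from IAM trust-policy syntax), and run the two guards discussed in this thread side by side: the fragment-key check from the first revision lets the account principal through, the `instanceof` check suggested in review rejects both.

```typescript
// Added example, not aws-cdk-lib code: minimal stand-ins for the CDK principal
// classes that model only the policyFragment.principalJson shape, so the two
// guards from the PR can be compared offline.
interface PrincipalPolicyFragment {
  principalJson: { [key: string]: string[] };
}
interface IPrincipal {
  readonly policyFragment: PrincipalPolicyFragment;
}

// Stand-in for iam.ServicePrincipal: trust-policy fragment keyed "Service".
class ServicePrincipal implements IPrincipal {
  constructor(private readonly service: string) {}
  get policyFragment(): PrincipalPolicyFragment {
    return { principalJson: { Service: [this.service] } };
  }
}

// Stand-in for iam.AccountPrincipal: fragment keyed "AWS" with the account root
// ARN, so by key alone it looks just like a user or role principal.
class AccountPrincipal implements IPrincipal {
  constructor(private readonly accountId: string) {}
  get policyFragment(): PrincipalPolicyFragment {
    return { principalJson: { AWS: [`arn:aws:iam::${this.accountId}:root`] } };
  }
}

// Stand-in for an IAM user, the kind of principal grantAssumeRole is meant for.
class UserPrincipal implements IPrincipal {
  constructor(private readonly accountId: string, private readonly name: string) {}
  get policyFragment(): PrincipalPolicyFragment {
    return { principalJson: { AWS: [`arn:aws:iam::${this.accountId}:user/${this.name}`] } };
  }
}

// First guard from the PR: rejects only fragments that carry a Service key.
// Returns the message it would throw, or undefined when the grant would proceed.
function guardByFragment(identity: IPrincipal): string | undefined {
  if (identity.policyFragment.principalJson.Service) {
    return 'Cannot use a Service Principal with grantAssumeRole, use assumeRolePolicy instead.';
  }
  return undefined;
}

// Guard suggested in review: rejects both principal types by class, not by key.
function guardByType(identity: IPrincipal): string | undefined {
  if (identity instanceof ServicePrincipal || identity instanceof AccountPrincipal) {
    return 'Cannot use a service or account principal with grantAssumeRole, use assumeRolePolicy instead.';
  }
  return undefined;
}
```

The account IDs and names used in the checks are constructed sample values; a real CDK app would pass the library's own principal objects to `grantAssumeRole`.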