From d0163f8a3d14e38f67b381c569b5bd3af92c4f51 Mon Sep 17 00:00:00 2001 From: Tejas M R Date: Thu, 19 May 2022 22:24:40 +0530 Subject: [PATCH] fix(iam): AccountPrincipal accepts values which aren't account IDs (#20292) Changed the type of accountId in AccountPrincipal constructor to string from any fixes #20288 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/@aws-cdk/aws-iam/lib/principals.ts | 3 +++ packages/@aws-cdk/aws-iam/test/principals.test.ts | 4 ++++ 2 files changed, 7 insertions(+)
diff --git a/packages/@aws-cdk/aws-iam/lib/principals.ts b/packages/@aws-cdk/aws-iam/lib/principals.ts
index 8cb94c33a0b1d..77dc3003a4ddf 100644
--- a/packages/@aws-cdk/aws-iam/lib/principals.ts
+++ b/packages/@aws-cdk/aws-iam/lib/principals.ts
@@ -394,6 +394,9 @@ export class AccountPrincipal extends ArnPrincipal {
 */
 constructor(public readonly accountId: any) {
 super(new StackDependentToken(stack => `arn:${stack.partition}:iam::${accountId}:root`).toString());
+ if (!cdk.Token.isUnresolved(accountId) && typeof accountId !== 'string') {
+ throw new Error('accountId should be of type string');
+ }
 this.principalAccount = accountId;
 }
 
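Review bot: The new guard in the `AccountPrincipal` constructor checks only `typeof accountId !== 'string'`, so any resolved string (empty, or not an account ID at all) is still interpolated into `arn:${stack.partition}:iam::${accountId}:root` and becomes the principal of whatever policy uses it. If the intent is the one in the commit title, the condition could also check the format for resolved values, e.g. `if (!cdk.Token.isUnresolved(accountId) && (typeof accountId !== 'string' || !/^\d{12}$/.test(accountId))) {` with a message such as `'accountId should be a 12-digit string'`. Whether existing callers pass other string forms is not visible here, so that stricter check would need confirming against them. The signature also still reads `accountId: any` although the description says the type was changed to string; a short comment above the check, for instance `// accountId stays 'any' in the signature; non-token values are validated at runtime`, would explain the mismatch. The class body continues outside the hunk.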
diff --git a/packages/@aws-cdk/aws-iam/test/principals.test.ts b/packages/@aws-cdk/aws-iam/test/principals.test.ts
index 34206540def53..b5c936be58a2e 100644
--- a/packages/@aws-cdk/aws-iam/test/principals.test.ts
+++ b/packages/@aws-cdk/aws-iam/test/principals.test.ts
@@ -294,6 +294,10 @@ test('AccountPrincipal can specify an organization', () => {
 });
 });
 
+test('Passing non-string as accountId parameter in AccountPrincipal constructor should throw error', () => {
+ expect(() => new iam.AccountPrincipal(1234)).toThrowError('accountId should be of type string');
+});
+
 test('ServicePrincipal in agnostic stack generates lookup table', () => {
 // GIVEN
 const stack = new Stack();
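Review bot: The added test covers only the rejecting branch, with the number `1234`; nothing pins the `cdk.Token.isUnresolved(accountId)` half of the condition, which is what keeps token-valued account IDs working. A companion assertion such as `expect(() => new iam.AccountPrincipal(new Stack().account)).not.toThrow();` would catch a later change that tightens the check and accidentally rejects unresolved tokens. A second rejecting case with a non-numeric value (for example an object) would also show the check is not specific to numbers.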