(aws-iam): grantAssumeRole does nothing #24507
Comments
dkaksl
added
bug
github-actions
bot
added
the
@aws-cdk/aws-iam
pahud
added
the
investigating
|
Hi You will need to use const role = new iam.Role(this, 'role', {
assumedBy: new iam.AccountPrincipal(this.account),
})
role.assumeRolePolicy?.addStatements(new iam.PolicyStatement({
actions: ['sts:AssumeRole'],
principals: [new iam.AccountPrincipal('123456789')],
}))related to #22550 (comment) |
pahud
removed
the
investigating
|
|
What is the purpose of When trying to use this workaround, it can end up trying to create cyclical references. In particular when trying to add RolePrincipals or RoleArns, such as for a specific lambda. |
|
have the same problem. spent hours to figure out why grant_assume_role(identity) does nothing. how should one actually find out this workaround to add statement to the role policy... no idea... imho this workaround (if it is one) should be at least mentioned in the docs. although it works, there is a "add_statements" is not a known member of "None" message |
|
Would like to comment that I just encountered this issue too and it's a bit bewildering. I'm totally fine using Just make it clear that you shouldn't use To make the problem obvious, here is a minimum example to reproduce the bug: |
|
I ran into a similar problem, but I was able to solve this with fewer lines of code using spread operator. const accountsToAllowAssumedBy = ['000000000000', '111111111111'];
const role = new iam.Role(this, 'Role', {
roleName: 'AssumeRoleTest',
assumedBy: new iam.CompositePrincipal(
new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
...accountsToAllowAssumedBy.map((account) => new iam.AccountPrincipal(account)), //Spread Operator (...)
),
});Output: "Role1ABCC5F0": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": "AssumeRoleTest",
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::000000000000:root",
"arn:aws:iam::111111111111:root"
],
"Service": "ecs-tasks.amazonaws.com"
}
}
],
},
},
}, |
…ncipals (#29452) ### Issue #24507 ### Reason for this change grantAssumeRole silently fails if a Service Principal or Account Principal is used which led me to a false assumption about the correctness of a role's permission scope ### Description of changes This change will throw an error if a Service Principal is used. I was unable to find a way to accomplish the same behavior for Account Principals. Documentation was updated to help guide a user to the appropriate function usage for Service and Account Principals. ### Description of how you validated changes * Added a unit test * This change required me to re-run two unrelated snapshot tests which were throwing errors outside of the scope of this change. *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Describe the bug
Role.grantAssumeRole()does not make any difference in the generated policy.Expected Behavior
grantAssumeRoleshould grant the given princial permission to assume the role.Current Behavior
No-op.
Reproduction Steps
Possible Solution
No response
Additional Information/Context
Workaround:
CDK CLI Version
2.67.0
Framework Version
No response
Node.js Version
v18.14.2
OS
Ubuntu
Language
Typescript
Language Version
No response
Other information
No response
The text was updated successfully, but these errors were encountered: