fix(iam): grantAssumeRole silently fails with service and account principals #29452
Conversation
github-actions
bot
added
beginning-contributor
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
kishiel
changed the title
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
aws-cdk-automation
added
the
pr/needs-community-review
| @@ -369,6 +369,37 @@ new iam.Role(this, 'Role', { | |||
| }); | |||
| ``` | |||
|
|
|||
| ### Granting assume role permission from a role | |||
|
|
|||
| Principals can be granted permission to assume a role using `grantAssumeRole`. Note that this does not apply to Service Principals or Account Principals as they must be added to the role Trust Policy. | |||
There was a problem hiding this comment.
Nit: lowercase service principals [1]
Nit: lowercase account principals [2]
Also move the note to a newline.
[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services
[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-accounts
| @@ -369,6 +369,37 @@ new iam.Role(this, 'Role', { | |||
| }); | |||
| ``` | |||
|
|
|||
| ### Granting assume role permission from a role | |||
There was a problem hiding this comment.
"From a role" is confusing here. Can you change this to "Granting principals permission to assume a role"
| role.grantAssumeRole(user); | ||
| ``` | ||
|
|
||
| ### Giving Service Principals and Account Principals assume role permission from a role |
There was a problem hiding this comment.
"Granting service and account principals permission to assume a role"
|
|
||
| ### Giving Service Principals and Account Principals assume role permission from a role | ||
|
|
||
| Service Principals and Account Principals can be granted permission to assume a role using `assumeRolePolicy` which modifies the role Trust Policy. |
There was a problem hiding this comment.
Trust Policy should be lowercase too.
| // Service Principals must use assumeRolePolicy | ||
| if (identity.policyFragment.principalJson.Service) { | ||
| throw new Error('Cannot use a Service Principal with grantAssumeRole, use assumeRolePolicy instead.'); | ||
| } |
There was a problem hiding this comment.
I think this would work?
if (identity instanceof ServicePrincipal || identity instanceof AccountPrincipal) {
throw new Error('Cannot use a service or account principal with grantAssumeRole, use assumeRolePolicy instead.');
}
There was a problem hiding this comment.
Good call, this appears to have worked. Added another test for account principal.
|
Can you change the title? It should reflect the bug. Maybe:
|
aws-cdk-automation
removed
the
pr/needs-community-review
…el/eks-ipv6 into iam_grantassumerole_filter
kishiel
changed the title
|
Incorporated all feedback and updated title |
| @@ -369,6 +369,39 @@ new iam.Role(this, 'Role', { | |||
| }); | |||
| ``` | |||
|
|
|||
| ### Granting an identity permission to assume a role | |||
There was a problem hiding this comment.
Can you change this to "Granting a principal...". That's the more common verbiage.
There was a problem hiding this comment.
Ah, I forgot I'd modified this. I changed this to identity based on this section of the readme but I think I'm just misreading it. Will change
| @@ -369,6 +369,39 @@ new iam.Role(this, 'Role', { | |||
| }); | |||
| ``` | |||
|
|
|||
| ### Granting an identity permission to assume a role | |||
|
|
|||
| An identity can be granted permission to assume a role using `grantAssumeRole`. | |||
There was a problem hiding this comment.
Likewise here, "a principal."
|
|
||
| An identity can be granted permission to assume a role using `grantAssumeRole`. | ||
|
|
||
| Note that this does not apply to service principals or account principals as they must be added to the role trust policy. |
There was a problem hiding this comment.
Can you add via assumeRolePolicy.
|
Incorporated feedback |
aws-cdk-automation
added
the
pr/needs-maintainer-review
packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.ts
Outdated
Show resolved
Hide resolved
| @@ -369,6 +369,39 @@ new iam.Role(this, 'Role', { | |||
| }); | |||
| ``` | |||
|
|
|||
| ### Granting a principal permission to assume a role | |||
There was a problem hiding this comment.
Thanks for this clear documentation update.
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
aws-cdk-automation
removed
the
pr/needs-maintainer-review
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Issue #24507
Reason for this change
grantAssumeRole silently fails if a Service Principal or Account Principal is used which led me to a false assumption about the correctness of a role's permission scope
Description of changes
This change will throw an error if a Service Principal is used. I was unable to find a way to accomplish the same behavior for Account Principals.
Documentation was updated to help guide a user to the appropriate function usage for Service and Account Principals.
Description of how you validated changes
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license