Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: Assume role identity is different than what aws_caller_identity reports #28381

Closed
bryantbiggs opened this issue Dec 15, 2022 · 3 comments
Closed

[Bug]: Assume role identity is different than what aws_caller_identity reports #28381

bryantbiggs opened this issue Dec 15, 2022 · 3 comments
Labels
bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service. service/sts Issues and PRs that pertain to the sts service.

Comments

@bryantbiggs
Copy link
Contributor

bryantbiggs commented Dec 15, 2022
edited
Loading

Terraform Core Version

1.3.6

AWS Provider Version

4.46.0

Affected Resource(s)

  • aws_caller_identity

Expected Behavior

When providing an IAM role to assume in the provider via assume_role, I would expect that the data source aws_caller_identity would return the ARN of the role to be assumed.

Actual Behavior

The role ARN returned is an STS session ARN for the SDK

Terraform Configuration Files

Note: the role ARN to assume will need to be updated (i.e. - "arn:aws:iam::111111111111:role/terraform" should be updated)

provider "aws" {
  region = "us-east-1"

  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/terraform"
  }
}

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "this" {
  statement {
    sid       = "Default"
    actions   = ["kms:*"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = [data.aws_caller_identity.current.arn]
    }
  }
}

output "policy" {
  value = data.aws_iam_policy_document.this.json
}

Steps to Reproduce

Using the code provided above:

  1. terraform init
  2. terraform plan
  3. You should see the ARN in the output is not the ARN of the assumed role passed
Changes to Outputs:
  + policy = jsonencode(
        {
          + Statement = [
              + {
                  + Action    = "kms:*"
                  + Effect    = "Allow"
                  + Principal = {
                      + AWS = "arn:aws:sts::111111111111:assumed-role/terraform/aws-go-sdk-1671120217066190188"
                      # This should be:
                      # AWS =  "arn:aws:iam::111111111111:role/terraform"
                    }
                  + Resource  = "*"
                  + Sid       = "Default"
                },
            ]
          + Version   = "2012-10-17"
        }
    )

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
@bryantbiggs bryantbiggs added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Dec 15, 2022
@github-actions
Copy link

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added service/iam Issues and PRs that pertain to the iam service. service/sts Issues and PRs that pertain to the sts service. labels Dec 15, 2022
@bryantbiggs bryantbiggs mentioned this issue Dec 15, 2022
Closed
@bryantbiggs
Copy link
Contributor Author

TIL - theres a data source for this. As pointed out by @fknittel - this works as intended for both scenarios (w/ or w/o assume_role):

provider "aws" {
  region = "us-east-1"

  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/terraform"
  }
}

data "aws_caller_identity" "current" {}
data "aws_iam_session_context" "current" {
  arn = data.aws_caller_identity.current.arn
}

data "aws_iam_policy_document" "this" {
  statement {
    sid       = "Default"
    actions   = ["kms:*"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = [data.aws_iam_session_context.current.issuer_arn]
    }
  }
}

output "policy" {
  value = data.aws_iam_policy_document.this.json
}

@github-actions github-actions bot removed the needs-triage Waiting for first response or review from a maintainer. label Dec 16, 2022
@bryantbiggs bryantbiggs mentioned this issue Dec 16, 2022
Merged
3 tasks
@github-actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 16, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service. service/sts Issues and PRs that pertain to the sts service.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@bryantbiggs