
Commit 36fd79d

fix(iam): grantAssumeRole silently fails with service and account principals (#29452)
### Issue #24507

### Reason for this change

grantAssumeRole silently fails if a Service Principal or Account Principal is used, which led me to a false assumption about the correctness of a role's permission scope.

### Description of changes

This change will throw an error if a Service Principal is used. I was unable to find a way to accomplish the same behavior for Account Principals. Documentation was updated to help guide a user to the appropriate function usage for Service and Account Principals.

### Description of how you validated changes

* Added a unit test
* This change required me to re-run two unrelated snapshot tests which were throwing errors outside of the scope of this change.

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent a12887b commit 36fd79d
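The failure mode the commit message describes, as an added model in TypeScript that is not aws-cdk-lib code: a grant is a statement written into the grantee's own identity policy, so a principal that has no such policy (an AWS service, another account) reports `statementAdded: false` and, before this change, the caller simply got a no-op `Grant` back. The `Statement`, `Principal`, `Grant` and `Role` types here are simplified stand-ins for the CDK ones, and the role ARN and account id are constructed sample values.

```typescript
// Added model, not aws-cdk-lib source: shows why a grant to a principal
// without an identity policy is a silent no-op, and two ways to surface it.
type Statement = { actions: string[]; resources: string[] };

interface Principal {
  readonly name: string;
  // Same contract as CDK's IPrincipal.addToPrincipalPolicy: the flag reports
  // whether a statement was actually written anywhere.
  addToPrincipalPolicy(s: Statement): { statementAdded: boolean };
}

// User- or role-like identity: owns an identity policy, so grants land in it.
class IdentityPrincipal implements Principal {
  readonly policy: Statement[] = [];
  constructor(readonly name: string) {}
  addToPrincipalPolicy(s: Statement) { this.policy.push(s); return { statementAdded: true }; }
}

// AWS service such as lambda.amazonaws.com: no identity policy to write to;
// it can only be allowed in through the role's trust policy (assumedBy).
class ServicePrincipal implements Principal {
  constructor(readonly name: string) {}
  addToPrincipalPolicy(_s: Statement) { return { statementAdded: false }; }
}

class Grant {
  constructor(readonly success: boolean, readonly statement?: Statement) {}
  // Real CDK Grant objects expose the same check; it turns a silent no-op into a build failure.
  assertSuccess(): void { if (!this.success) throw new Error("grant added no statement"); }
}

class Role {
  readonly trustedPrincipals: string[] = [];
  constructor(readonly roleArn: string, assumedBy: Principal) {
    this.trustedPrincipals.push(assumedBy.name); // trust policy side of the role
  }
  // Pre-fix behaviour: hands back a Grant whose success flag nobody looks at.
  grantAssumeRoleLegacy(grantee: Principal): Grant {
    const s: Statement = { actions: ["sts:AssumeRole"], resources: [this.roleArn] };
    return new Grant(grantee.addToPrincipalPolicy(s).statementAdded, s);
  }
  // Post-fix behaviour per the commit message: refuse a service principal outright.
  grantAssumeRole(grantee: Principal): Grant {
    if (grantee instanceof ServicePrincipal) {
      throw new Error(`${grantee.name} has no identity policy; pass it as assumedBy instead`);
    }
    return this.grantAssumeRoleLegacy(grantee);
  }
}
```

Calling `assertSuccess()` on the returned grant is the check that catches the legacy no-op in existing code; the thrown error is what the change adds for service principals.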

18 files changed: +226 -90 lines

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/ManagedPolicyIntegDefaultTestDeployAssert27007DC6.assets.json

Lines changed: 1 addition & 1 deletion

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/aws-cdk-iam-managed-policy.assets.json

Lines changed: 1 addition & 1 deletion

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/cdk.out

Lines changed: 1 addition & 1 deletion

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/integ.json

Lines changed: 1 addition & 1 deletion

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/manifest.json

Lines changed: 10 additions & 1 deletion

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.js.snapshot/tree.json

Lines changed: 38 additions & 38 deletions

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.managed-policy.ts

Lines changed: 1 addition & 0 deletions
@@ -25,6 +25,7 @@ user.addManagedPolicy(policy3);
2525

2626
const role = new Role(stack, 'Role', { assumedBy: new AccountRootPrincipal() });
2727
role.grantAssumeRole(policy.grantPrincipal);
28+
2829
Grant.addToPrincipal({ actions: ['iam:*'], resourceArns: [role.roleArn], grantee: policy2 });
2930

3031
policy.attachToRole(role);
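Review bot: this hunk in integ.managed-policy.ts is whitespace only (the single added line 28+ is blank), yet it re-serialises the six snapshot files listed above it; either drop the blank line or make the integ test exercise the new behaviour, for example by asserting that `role.grantAssumeRole(new ServicePrincipal(...))` now throws, so the snapshot churn buys some coverage of the change.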

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/PolicyIntegDefaultTestDeployAssert274BB918.assets.json

Lines changed: 1 addition & 1 deletion

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/aws-cdk-iam-policy.assets.json

Lines changed: 3 additions & 3 deletions

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/aws-cdk-iam-policy.template.json

Lines changed: 22 additions & 6 deletions
@@ -3,16 +3,11 @@
33
"MyUserDC45028B": {
44
"Type": "AWS::IAM::User"
55
},
6-
"HelloPolicyD59007DF": {
6+
"MyUserDefaultPolicy7B897426": {
77
"Type": "AWS::IAM::Policy",
88
"Properties": {
99
"PolicyDocument": {
1010
"Statement": [
11-
{
12-
"Action": "sqs:SendMessage",
13-
"Effect": "Allow",
14-
"Resource": "*"
15-
},
1611
{
1712
"Action": "sts:AssumeRole",
1813
"Effect": "Allow",
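Review bot: the sts:AssumeRole statement now lives in a new MyUserDefaultPolicy7B897426 resource instead of HelloPolicyD59007DF, so the deletion of the sqs:SendMessage statement at 11- to 15- is a relocation rather than a removal; confirm that the test-source change driving this reordering is intentional, and check the Resource of the sts:AssumeRole statement, which falls just outside the shown context, is the role ARN rather than "*".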
@@ -26,6 +21,27 @@
2621
],
2722
"Version": "2012-10-17"
2823
},
24+
"PolicyName": "MyUserDefaultPolicy7B897426",
25+
"Users": [
26+
{
27+
"Ref": "MyUserDC45028B"
28+
}
29+
]
30+
}
31+
},
32+
"HelloPolicyD59007DF": {
33+
"Type": "AWS::IAM::Policy",
34+
"Properties": {
35+
"PolicyDocument": {
36+
"Statement": [
37+
{
38+
"Action": "sqs:SendMessage",
39+
"Effect": "Allow",
40+
"Resource": "*"
41+
}
42+
],
43+
"Version": "2012-10-17"
44+
},
2945
"PolicyName": "Default",
3046
"Users": [
3147
{
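Review bot: a one-line note in the PR description that the template diff is a reordering (the grant now lands in the user's default policy, hence the new MyUserDefaultPolicy7B897426 block at 24+ to 31+ attached via `"Ref": "MyUserDC45028B"`) would save reviewers re-deriving it; the relocated HelloPolicyD59007DF block at 32+ to 44+ keeps `"Action": "sqs:SendMessage"` on `"Resource": "*"` unchanged from the removed copy, so no new permission is introduced, and its PolicyName "Default" (2945) does not collide with the generated name.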

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/cdk.out

Lines changed: 1 addition & 1 deletion

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/integ.json

Lines changed: 1 addition & 1 deletion

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy.js.snapshot/manifest.json

Lines changed: 10 additions & 2 deletions
